A SCEP profile silently installs certificates onto devices for use with device authentication.


  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select User Profile or Device Profile.
  4. Configure the profile General settings.
  5. Select the SCEP profile.
  6. Configure the SCEP settings, including:
    Settings Descriptions
    Credential Source This drop-down menu is always set to defined certificate authority.
    Certificate Authority Select the certificate authority you want to use.
    Certificate Template Select the template available for the certificate.
    Key Location

    Select the location for the certificate private key:

    • TPM If Present – Select to store the private key on a Trusted Platform Module if one is present on the device, otherwise store it in the OS.
    • TPM Required – Select to store the private key on a Trusted Platform Module. If a TPM is not present, the certificate does not install and an error displays on the device.
    • Software – Select to store the private key in the device OS.
    • Passport – Select to save the private key within the Microsoft Passport. This option requires the Azure AD integration.
    Container Name

    Specify the Passport for Work (now called ‘Windows Hello for Business’) container name. This setting displays when you set Key Location to Passport.

  7. Configure the Wi-Fi, VPN, or EAS profile.
  8. Select Save & Publish when you are finished to push the profile to devices.