Trusted Root

Part 1: Edit your downloaded Server Certificate

Only relevant if you are bringing your own RADIUS server certificate or are using the Custom CA.
If you've uploaded your own certificate or created your Custom CA as Server Certificate, you will under most circumstances see the entire certificate chain as part of the downloaded Server Certificate file.
If you upload this to Intune, only the hierarchically last certificate will be pushed to your client, which is typically not the root certificate we intend to push to the client. To circumvent this, please open the downloaded file (it is a PEM-encoded *.cer file) with a standard text editor and remove all certificates except for the root certificate. If you have leveraged the Custom CA, please remove the blue part as shown in the sample below.

Part 2: Adding a Trusted Certificate Profile for your Clients

Ensure, you have reviewed Part 1.
  1. 1.
    Log in to your Azure portal
  2. 2.
    Navigate to Microsoft Intune and click Device and subsequently Configuration profiles
  3. 3.
    Then click Create profile
  4. 4.
    Select the correct Platform for your device
  5. 5.
    Search the Profile type templates for Trusted certificate and select it
  6. 6.
    Click Create and provide a descriptive name and optional Description
  7. 7.
    In the second step, upload the *.cer file containing the RADIUS server certificate/trusted root the server certificate was signed with.