Redeploy PKCS certificate to Intune managed device

How to force a new PKCS certificate request, with Endpoint Manager (Intune) managed devices, resulting in the old certificate being removed and a new certificate being issued?


We use PKCS certificates for an Always On VPN connection for end users. These are user-based certificates, configured with a configuration profile in Endpoint Manager, that are requested from an on-premises PKI infrastructure.
This article states the following:
   A PKCS certificate is revoked and removed when:
      A user unenrolls.
      An administrator runs the wipe action.
      An administrator runs the retire action.


Now I find a device wipe very cumbersome just to get a new user certificate on the device. Is there any other way to get this done, without a device wipe?

This topic was also raised on Microsoft's UserVoice in 2018, but without any solution provided.


Rik Pasman

3 Replies
I'm intrigued by solutions for this also.
Two common scenarios: device rename (post build, rename for re-purpose, vanity) and user name change (change of personal circumstance).

Also, say, someone lets clients enrol with an incorrectly named cert initially, by adding computers to an enrol template before the service etc. is fully configured, and ends up with devices and users being provisioned certificates with the PFX connector computer name as their subject.
You can delete the unwanted user cert off of the machine manually and then run certutil -user -pulse to receive a new certificate.

This works for when a user's username has changed.
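A script form of the manual step in this reply (delete the old user cert, then run certutil -user -pulse), added here as an example and not posted by anyone in the thread; the issuing CA name and the PushLaunch MDM sync task are assumptions for your environment. Run it as the affected user, with -WhatIf first, since it deletes the certificate's private key.

```powershell
<#
 Added example, not from the original thread. Removes the old PKCS user
 certificate and then requests a new one, as the reply above describes.
 Assumptions (placeholders, adjust for your environment):
   $IssuerMatch - CN of the on-premises issuing CA that signs the VPN certs
   PushLaunch   - the Intune MDM sync scheduled task under EnterpriseMgmt
 Run as the affected user: the certificate lives in the user's personal store.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$IssuerMatch  = 'CONTOSO-ISSUING-CA',   # placeholder CA name
    [string]$SubjectMatch = ''                      # optional, e.g. the old user name
)

# 1. Find candidate certificates in the user's personal store.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*CN=$IssuerMatch*" } |
    Where-Object { -not $SubjectMatch -or $_.Subject -like "*$SubjectMatch*" }

if (-not $certs) {
    Write-Host "No certificate matching issuer '$IssuerMatch' found; nothing to do."
    return
}

# Show what will be touched before doing anything destructive.
$certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# 2. Remove them. -WhatIf / -Confirm are honoured, so dry-run first.
#    -DeleteKey also removes the private key, so the old cert cannot be reused.
foreach ($c in $certs) {
    if ($PSCmdlet.ShouldProcess($c.Thumbprint, "Remove certificate '$($c.Subject)'")) {
        Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -DeleteKey
    }
}

# 3. Trigger user certificate enrollment, as the reply suggests.
certutil -user -pulse

# 4. (Assumption) Also start the Intune MDM sync task so the PKCS profile
#    is re-evaluated; the task name is the usual one under EnterpriseMgmt.
try {
    Get-ScheduledTask -TaskName 'PushLaunch' -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction Stop |
        Start-ScheduledTask
} catch {
    Write-Warning "Could not start the MDM sync task: $($_.Exception.Message)"
}
```

Afterwards, check Cert:\CurrentUser\My again for a certificate with a fresh NotBefore date; if none appears, the PKCS profile was not re-applied by the sync.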

@JF9928, I tried your suggestion with no success.
I don't know how certutil can trigger an Intune policy reapply ...
Do you have more information about this?