To deploy a root CA certificate, an administrator must use a Configuration profile in Microsoft Intune. This policy type is used to configure settings and features on devices. Within the available templates for a configuration profile, the Trusted certificate profile is the specific type used to deploy a root or intermediate CA certificate. This action establishes trust in the certification authority on the managed devices, which is a necessary prerequisite before deploying other certificate types like SCEP or PKCS for user or device authentication.

1. Microsoft Learn | Create trusted certificate profiles in Microsoft Intune: This document

explicitly guides the user to create this profile by navigating to Devices > Configuration

profiles > Create profile, and then selecting Trusted certificate as the profile type. URL:

https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root 2. Microsoft

Learn | Use SCEP certificate profiles with Microsoft Intune: This source clarifies the

dependency, stating, "Before you create a SCEP certificate profile, you need a trusted

certificate profile to deploy the Trusted Root Certificate from your CA to devices." This

confirms that the "Trusted certificate" profile is the correct choice for the root CA. URL:

https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure (See

"Prerequisites" section).