
Microsoft Intune - Distributing configuration for Windows

This article describes how to integrate Windows devices with SurePath AI using Microsoft Intune.

Updated over 2 weeks ago

This article describes how to configure Microsoft Intune to distribute the SurePath AI proxy PAC URL and root CA certificate to Windows devices. Microsoft Intune offers multiple deployment methods, and this document covers both the recommended PowerShell script approach and the manual OMA-URI configuration method.

Supported platforms

  • Windows 10 version 1709 and later

About this document

This document provides two methods for deploying SurePath AI proxy configurations through Microsoft Intune. The recommended approach uses a PowerShell script that simplifies deployment, supports both single-user and shared devices, enables email-based user identification, and provides greater flexibility for managing configurations. The alternative manual method uses OMA-URI configuration profiles for organizations that prefer policy-based deployment or need to integrate with existing Intune policies.

Both methods deploy the SurePath AI PAC URL to configure proxy settings and the SurePath AI root CA certificate to enable traffic interception. This document does not cover how to enroll devices in Microsoft Intune or administer other aspects of the Microsoft Intune platform.

Background

The SurePath AI PAC file

SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending all other traffic via its normal route.

The use of a PAC file also allows SurePath AI to update the list of generative AI domains without any change to the endpoint configuration. Most operating systems and browsers re-request the PAC file roughly every 1-2 hours; if a fresh copy cannot be retrieved, the cached copy continues to be used.

The SurePath AI root CA certificate

Like other network security and SASE products, SurePath AI relies on certificate trust to inspect TLS connections to generative AI websites and apply policy to them: the proxy presents certificates issued under the SurePath AI root CA, so that root must be trusted by every device governed by SurePath AI. Note that a root placed in the Local Machine Trusted Root store is trusted for any certificate that chains to it, not only for the domains the PAC file routes to the proxy, so handle the downloaded certificate and its distribution with the same care as any other enterprise root, and confirm that the thumbprint of the file uploaded to Intune matches the file downloaded from the SurePath AI console.

Configuring Microsoft Intune

All Intune configuration in this section takes place within the Microsoft Intune admin center; the prerequisite items below are gathered from the SurePath AI console. Unless otherwise stated, the Intune instructions start from the Microsoft Intune admin center home page.

Prerequisites

The following items are needed before deploying SurePath AI through Microsoft Intune:

Acquire the SurePath AI root CA certificate

  • Click Organization in the CONFIGURE section

  • Select the Integration tab

  • The SurePath AI Root CA Certificate is available in the File Downloads section

    • Download the certificate using the CER option

Create a Proxy connector and acquire the PAC URL

  • Click Connectors in the CONFIGURE section

  • Click ADD CONNECTOR in the upper right

  • Provide a descriptive name for the connector (for example, "Windows Intune Deployment")

  • Select Proxy as the connector type

  • Click SAVE to generate the unique PAC file URL

  • Copy the PAC file URL from the connector details page for use in the deployment steps below

Download the PowerShell deployment script

The PowerShell deployment script provides a flexible and automated way to configure proxy settings on Windows devices. To download the script:

  • From the Proxy connector details page, locate the MDM Files section

  • Click the DOWNLOAD button to download the MDM deployment files

  • Extract the ZIP file to access SurePath.AI.deploy.ps1 for Windows deployment

Method 1: PowerShell script deployment (recommended)

The PowerShell deployment script provides the most flexible and streamlined approach for deploying SurePath AI proxy configurations to Windows devices through Microsoft Intune. This method is recommended for most deployments because it simplifies configuration management, supports both single-user and shared device scenarios, enables email-based user identification for improved reporting, and allows for easier updates to proxy settings compared to managing multiple individual policies.

Benefits and flexibility

The PowerShell script offers several advantages over manual OMA-URI configuration:

  • Simplified deployment: A single script manages all proxy settings, certificate installation, and security policies rather than creating multiple separate configuration profiles

  • User identification: The script can detect and include user email addresses in the PAC URL, which enables SurePath AI to associate native application traffic with specific users rather than just the connector, improving visibility in User Activity logs and enabling user-specific policy application

  • Flexible configuration: The script supports multiple deployment scenarios through configurable parameters, including single-user devices, shared computers with multiple users, and optional features like email detection

  • Easier maintenance: Updating proxy configurations requires only modifying the script parameters rather than recreating multiple configuration profiles

  • Built-in handling of edge cases: The script detects the context it is running in (system or user), supports removal of the configuration it deployed, and falls back to an alternative identifier when a data source is unavailable

Understanding script assignments in Intune

When deploying PowerShell scripts through Intune, admins need to understand how the assignment target and execution context work together to determine the script behavior:

For single-user devices, assign scripts to device groups and run in system context (Run this script using the logged on credentials = No). Since each device has only one primary user, the script can install the certificate, configure the PAC URL, and apply all settings in a single deployment with administrative privileges. This provides a complete system-wide configuration in one step.

For shared/multi-user devices, use a two-step approach:

  • Machine setup: Assign to device groups, run in system context (Run this script using the logged on credentials = No) to install certificates and security policies once per device

  • User-level PAC configuration: Assign to device groups, run in user context (Run this script using the logged on credentials = Yes) so the script executes for every new user who signs into the device, providing each user with their own personalized PAC URL

The Run this script using the logged on credentials setting is critical and controls the execution context:

  • No (system context): The script runs with system privileges and can modify machine-wide settings in HKLM registry and install certificates to the Local Machine store. Use this for single-user device deployments and for machine setup in shared device scenarios.

  • Yes (user context): The script runs as the logged-on user and can modify user-specific settings in HKCU registry. When assigned to device groups with this setting, the Intune Management Extension runs the script for every new user who signs into that device. Use this for user-level PAC configuration in shared device scenarios.

Important: 64-bit PowerShell requirement

The SurePath AI deployment script must run in 64-bit PowerShell on 64-bit Windows systems. When configuring the script in Intune, always set Run script in 64-bit PowerShell to Yes for standard Windows 10/11 deployments. This ensures proper script execution and compatibility with modern Windows environments. Only select No if deploying to 32-bit Windows systems, which are rare in enterprise environments.

Single-user device deployment

For devices where only one user regularly signs in, the PowerShell script can be configured to deploy a complete system-wide configuration in a single deployment. This approach is ideal for personal work devices, dedicated workstations, or scenarios where each device is assigned to a specific user. Since there is only one user per device, the script can run with system privileges to install the certificate, configure the PAC URL, and apply security policies all at once.

Configure the script for single-user deployment

Before deploying the script through Intune, admins need to configure the argumentOverride variable to specify the deployment parameters. Since Intune's Scripts feature does not support passing command-line parameters, the script uses an embedded configuration variable that controls its behavior.

Recommended configuration (default with GUID identifier):

By default, the script includes a unique GUID identifier in the PAC URL for user identification. This approach is recommended because it works reliably in all environments without requiring email address detection, which can vary in availability across different identity configurations. The GUID provides consistent user tracking in SurePath AI's User Activity logs and enables user-specific policy application.

To use the default GUID-based identification, leave the argumentOverride variable empty or do not modify the script:

$argumentOverride = ""

The script will automatically:

  • Install the SurePath AI root CA certificate to the Local Machine trusted certificate store

  • Deploy proxy settings system-wide that apply to all users on the device

  • Generate and include a unique GUID identifier in the PAC URL for user tracking

Optional: Email-based identification

Alternatively, admins can configure the script to detect and use the user's email address for identification. Email-based identification eliminates the need for users to authenticate when accessing GenAI services through SurePath AI, as the platform identifies the user from the email address passed in the PAC URL. However, this approach depends on the availability of email information from identity sources (Active Directory, Entra ID, Intune, or user environment variables). Because the user is then identified by a value stored in the device's proxy configuration rather than by an interactive sign-in, the policy that prevents users from changing proxy settings (see Method 2 below) matters more in this mode.

To enable email-based identification:

  • Open the SurePath.AI.deploy.ps1 file in a text editor

  • Locate the $argumentOverride = "" line near the top of the script

  • Set the override to configure email detection:

$argumentOverride = "-Email"
  • Save the modified script file

With this configuration, the script attempts to detect the user's email address from multiple sources in this order:

  1. Active Directory - Queries on-premises Active Directory for the user's email attribute

  2. Entra ID - Uses the whoami command to query Azure AD (Entra ID) user information

  3. Entra ID Registry - Checks the device registry for Azure AD join information

  4. Intune - Queries Intune MDM enrollment data for user email

  5. User Environment - Checks user session environment variables for email information

If email detection fails, the script automatically falls back to using a GUID identifier. Organizations that require email-based identification without fallback can add the -NoGUID flag (e.g., $argumentOverride = "-Email -NoGUID"), though this causes deployment to fail if email cannot be detected.
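The lookup order above, written out as a stand-alone PowerShell function (an added example by the editor, not the vendor's SurePath.AI.deploy.ps1). The registry locations are the well-known join and enrollment keys that dsregcmd and MDM enrollment write on Windows; treating them as the places the vendor script reads is an assumption, as are the SUREPATH_USER_EMAIL variable name, the "user" query-parameter name, and the HKCU key used to keep the fallback GUID stable across runs. The returned Source field records which identity source supplied the identifier, which is useful when investigating why a user shows up under a GUID instead of an email address.

```powershell
# Added example (editor's code, not the vendor script): the five-source email
# lookup with GUID fallback described in the article. Registry paths, the
# environment variable name and the HKCU key below are assumptions.

function Get-UserEmailCandidate {
    [CmdletBinding()]
    param(
        # Mirrors the page's -NoGUID flag: fail instead of falling back to a GUID.
        [switch]$NoGuid,
        # Assumed location for persisting the fallback GUID so the same user
        # keeps the same identifier on every run (consistent tracking).
        [string]$GuidKey = 'HKCU:\Software\SurePathAI-Example'
    )
    $emailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'

    $sources = [ordered]@{
        # 1. On-premises Active Directory: the mail attribute of the current account.
        ActiveDirectory = {
            if (-not $env:USERDNSDOMAIN) { return $null }
            $s = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
            [void]$s.PropertiesToLoad.Add('mail')
            $r = $s.FindOne()
            if ($r -and $r.Properties['mail'].Count -gt 0) { [string]$r.Properties['mail'][0] }
        }
        # 2. Entra ID: whoami /upn prints the UPN for Entra ID (or hybrid) sign-ins.
        EntraId = {
            $upn = & whoami.exe /upn 2>$null
            if ($LASTEXITCODE -eq 0) { "$upn".Trim() }
        }
        # 3. Entra ID registry: CloudDomainJoin records the joining user's email.
        EntraIdRegistry = {
            Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo' -ErrorAction Stop |
                ForEach-Object { (Get-ItemProperty $_.PSPath).UserEmail } |
                Where-Object { $_ } | Select-Object -First 1
        }
        # 4. Intune: the MDM enrollment key stores the enrolling user's UPN.
        Intune = {
            Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction Stop |
                ForEach-Object { (Get-ItemProperty $_.PSPath).UPN } |
                Where-Object { $_ } | Select-Object -First 1
        }
        # 5. User environment: a per-session variable (assumed name).
        UserEnvironment = { $env:SUREPATH_USER_EMAIL }
    }

    foreach ($name in $sources.Keys) {
        try {
            $value = & $sources[$name]
            if ($value -and "$value" -match $emailPattern) {
                return [pscustomobject]@{ Identifier = "$value".ToLowerInvariant(); Source = $name }
            }
        } catch {
            Write-Verbose "$name lookup failed: $($_.Exception.Message)"
        }
    }

    if ($NoGuid) { throw 'No email address could be detected and GUID fallback is disabled (-NoGUID).' }

    # Fallback: reuse a previously generated GUID for this user, or create one.
    $guid = (Get-ItemProperty -Path $GuidKey -ErrorAction SilentlyContinue).UserGuid
    if (-not $guid) {
        $guid = [guid]::NewGuid().ToString()
        New-Item -Path $GuidKey -Force | Out-Null
        Set-ItemProperty -Path $GuidKey -Name UserGuid -Value $guid
    }
    [pscustomobject]@{ Identifier = $guid; Source = 'Guid' }
}

# Append the identifier to the connector PAC URL. The parameter name "user" is
# an illustration; the real parameter is whatever the vendor script emits.
function New-UserPacUrl {
    param([Parameter(Mandatory)][string]$ConnectorPacUrl, [switch]$NoGuid)
    $id  = Get-UserEmailCandidate -NoGuid:$NoGuid
    $sep = if ($ConnectorPacUrl.Contains('?')) { '&' } else { '?' }
    [pscustomobject]@{
        PacUrl = '{0}{1}user={2}' -f $ConnectorPacUrl, $sep, [uri]::EscapeDataString($id.Identifier)
        Source = $id.Source
    }
}

# Usage (run as the signed-in user):
# New-UserPacUrl -ConnectorPacUrl '<PAC URL from the connector>' -Verbose
```

Run it in user context: sources 1, 2 and 5 depend on the signed-in user's session, and the GUID is persisted under HKCU so it stays constant for that user on that device.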

Deploy the script through Intune

After configuring the argumentOverride variable, admins can deploy the script to target devices through Intune's Scripts feature:

  • Click Devices in the left navigation

  • Click Scripts and remediations under the Devices section

  • Click Platform scripts at the top of the page

  • Click Add and select Windows 10 and later

  • On the Basics step:

    • Enter a descriptive Name such as "SurePath AI Proxy - Single User Devices"

    • Add an optional Description

    • Click Next

  • On the Script settings step:

    • Click the folder icon and select the modified SurePath.AI.deploy.ps1 file

    • For Run this script using the logged on credentials, select No (this ensures the script runs with system privileges to install the certificate and configure system-wide settings)

    • For Enforce script signature check, select No (the edited script no longer carries a publisher signature that Intune could verify; because it runs as SYSTEM on every targeted device, review its contents and record its hash before uploading, or sign it with your own code-signing certificate if you want to keep this check enabled)

    • For Run script in 64-bit PowerShell, select Yes

    • Click Next

  • On the Assignments step:

    • Click Add groups and select the device groups that contain single-user devices

    • Assigning to device groups ensures the configuration is applied to the device itself, which is appropriate for single-user scenarios where the device has a dedicated user

    • Click Next

  • On the Review + add step, verify the configuration and click Add

The script will deploy automatically to assigned devices during the next Intune sync cycle. The complete configuration (certificate, PAC URL, and security policies) will be applied to each device. Note that Intune runs a platform script once per device (system context) or once per user (user context) and re-runs it only when the script content or its assignment changes, so a later change to the PAC URL or parameters requires uploading a modified script.

Shared/multi-user device deployment

For devices where multiple users sign in, such as shared workstations, kiosks, or terminal servers, the deployment requires a two-step approach. The first step installs the root CA certificate and configures security policies at the machine level, while the second step deploys user-specific proxy settings when each user signs in.

Overview of the two-step approach

Step 1: Machine setup (one-time per device)

The machine setup configures components that apply to all users on the device:

  • Installs the SurePath AI root CA certificate to the Local Machine trusted certificate store

  • Configures policies that prevent users from changing proxy settings

Admins can perform this step using either OMA-URI configuration profiles or a PowerShell script with the -NoProxy flag. Both approaches achieve the same result, and organizations can choose based on their existing Intune policies and preferences.

Step 2: User-level proxy configuration (runs at each user's first login)

After the machine is set up, each user who signs in needs their own proxy configuration. This step deploys the PAC URL with user-specific identifiers (GUID by default, or optionally email addresses) to each user's registry (HKCU), enabling SurePath AI to track activity by individual users rather than just by device.

Step 1: Machine setup options

Option A: Use OMA-URI policies for certificate and lockdown

Admins can deploy the root CA certificate and proxy lockdown policies using standard Intune configuration profiles. This approach integrates well with existing certificate and policy management workflows.

For certificate deployment, follow the steps in the "Policy for distributing the SurePath AI root CA" section under Method 2 (Manual OMA-URI configuration) below.

For proxy lockdown policies, follow the steps in the "Policy for preventing users from changing the configuration" section under Method 2 (Manual OMA-URI configuration) below.

Option B: Use PowerShell script with -NoProxy flag

Alternatively, admins can use the PowerShell deployment script to install the certificate and configure security policies without setting the PAC URL. This approach is useful for organizations that prefer a single script-based approach for all components.

To configure the script for machine setup:

  • Open the SurePath.AI.deploy.ps1 file in a text editor

  • Locate the $argumentOverride = "" line

  • Set the override to configure machine setup without proxy:

$argumentOverride = "-NoProxy"
  • Save the modified script file

Deploy this version of the script using Intune's Scripts feature with the following configuration:

  • Click Devices in the left navigation

  • Click Scripts and remediations under the Devices section

  • Click Platform scripts at the top of the page

  • Click Add and select Windows 10 and later

  • On the Basics step, enter a descriptive Name such as "SurePath AI - Machine Setup (Shared Devices)" and click Next

  • On the Script settings step:

    • Click the folder icon and select the modified SurePath.AI.deploy.ps1 file

    • For Run this script using the logged on credentials, select No (this ensures the script runs with system privileges to install the certificate to the Local Machine store)

    • For Enforce script signature check, select No

    • For Run script in 64-bit PowerShell, select Yes

    • Click Next

  • On the Assignments step:

    • Click Add groups and select the device groups that contain shared/multi-user computers

    • Click Next

  • On the Review + add step, verify the configuration and click Add

The script will install the certificate and configure lockdown policies without setting the PAC URL.

Step 2: User-level PAC configuration

After completing the machine setup, deploy a second instance of the PowerShell script configured for user-level proxy settings. This script should run when each user signs in to ensure every user receives the proper proxy configuration with their own unique identifier.

Recommended configuration (default with GUID identifier):

By default, the script includes a unique GUID identifier in the PAC URL for each user. This approach is recommended because it works reliably in all environments and provides consistent per-user tracking in SurePath AI without requiring email address detection. Each user who signs into the shared device receives their own unique identifier in the PAC URL.

To configure the script with default GUID-based identification:

  • Open a new copy of SurePath.AI.deploy.ps1 in a text editor (or use the same file if Option B was not used)

  • Locate the $argumentOverride = "" line

  • Set the override to configure user-level proxy:

$argumentOverride = "-User"
  • Save the modified script file with a different name to distinguish it from the machine setup script (for example, SurePath.AI.deploy.user.ps1)
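The single-user, machine-setup and user-level variants above all come down to editing one line of the downloaded script and saving the result under a distinct name. The following PowerShell function (an added example by the editor, not part of the vendor's MDM download) does that stamping for each variant, records SHA-256 hashes for change control, and can optionally Authenticode-sign the copy with an enterprise code-signing certificate so that the Enforce script signature check option can be set to Yes. The variant names are this example's own; the override strings are the ones given in this article.

```powershell
# Added example (editor's code, not the vendor's): produce the per-variant
# copies of SurePath.AI.deploy.ps1 described in the article, hash them and
# optionally sign them. Variant names are this example's; override strings
# are the article's.

$SurePathVariants = @{
    SingleUser            = ''                 # default GUID identifier, system context
    SingleUserEmail       = '-Email'           # email with GUID fallback
    SingleUserEmailStrict = '-Email -NoGUID'   # email only; fails if none detected
    SharedMachine         = '-NoProxy'         # certificate + lockdown, no PAC URL
    SharedUser            = '-User'            # per-user PAC URL in HKCU
    SharedUserEmail       = '-User -Email'
}

function New-SurePathScriptVariant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourcePath,      # the downloaded SurePath.AI.deploy.ps1
        [Parameter(Mandatory)]
        [ValidateSet('SingleUser','SingleUserEmail','SingleUserEmailStrict','SharedMachine','SharedUser','SharedUserEmail')]
        [string]$Variant,
        [string]$OutputDirectory = (Split-Path -Parent (Resolve-Path $SourcePath)),
        # Thumbprint of a code-signing certificate in Cert:\CurrentUser\My (optional).
        [string]$SigningThumbprint,
        [string]$TimestampServer
    )

    $content = Get-Content -LiteralPath $SourcePath -Raw
    # Match the assignment the article tells admins to edit: $argumentOverride = "..."
    $rx = [regex]'(?m)^[ \t]*\$argumentOverride\s*=\s*"[^"\r\n]*"'
    if (-not $rx.IsMatch($content)) {
        throw "No `$argumentOverride assignment found in $SourcePath; is this the MDM download?"
    }
    $override = $SurePathVariants[$Variant]
    # '$$' in a .NET replacement string is a literal dollar sign.
    $patched  = $rx.Replace($content, '$$argumentOverride = "' + $override + '"', 1)

    $base    = [IO.Path]::GetFileNameWithoutExtension($SourcePath)
    $outPath = Join-Path $OutputDirectory ('{0}.{1}.ps1' -f $base, $Variant.ToLowerInvariant())
    # UTF-8 with BOM keeps Set-AuthenticodeSignature happy with non-ASCII content.
    [IO.File]::WriteAllText($outPath, $patched, [Text.UTF8Encoding]::new($true))

    $signature = $null
    if ($SigningThumbprint) {
        $cert = Get-Item "Cert:\CurrentUser\My\$SigningThumbprint" -ErrorAction Stop
        $signArgs = @{ FilePath = $outPath; Certificate = $cert; HashAlgorithm = 'SHA256' }
        if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
        $signature = Set-AuthenticodeSignature @signArgs
        if ($signature.Status -ne 'Valid') { throw "Signing failed: $($signature.StatusMessage)" }
    }

    [pscustomobject]@{
        Variant          = $Variant
        ArgumentOverride = $override
        Path             = $outPath
        SourceSha256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $SourcePath).Hash
        OutputSha256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $outPath).Hash
        SignatureStatus  = if ($signature) { $signature.Status } else { 'Unsigned' }
    }
}

# Usage: produce the two scripts needed for shared devices and keep the hashes
# with the change record.
# 'SharedMachine', 'SharedUser' | ForEach-Object {
#     New-SurePathScriptVariant -SourcePath .\SurePath.AI.deploy.ps1 -Variant $_
# } | Format-List
```

The function refuses to write anything if the expected assignment line is not found, which catches a download that is not the Windows deployment script or a vendor update that changed the variable. Keep the SourceSha256 value with the change record so a later copy of the script can be tied back to the exact download it was derived from.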

Optional: Email-based identification

Alternatively, admins can enable email-based identification, which eliminates the need for users to authenticate when accessing GenAI services. The script will detect each user's email address from identity sources (Active Directory, Entra ID, Intune) and include it in the PAC URL. If email detection fails for a particular user, the script automatically falls back to GUID.

To enable email-based identification, use:

$argumentOverride = "-User -Email"

When configured with the -Email flag, the script attempts to detect the user's email address from multiple sources including Active Directory, Entra ID, Entra ID Registry, Intune, and user environment variables. The first successfully detected email address is included in the PAC URL.

Deploy this version through Intune:

  • Click Devices in the left navigation

  • Click Scripts and remediations under the Devices section

  • Click Platform scripts at the top of the page

  • Click Add and select Windows 10 and later

  • On the Basics step, enter a descriptive Name such as "SurePath AI Proxy - User Level (Shared Devices)" and click Next

  • On the Script settings step:

    • Click the folder icon and select the modified script file (e.g., SurePath.AI.deploy.user.ps1)

    • For Run this script using the logged on credentials, select Yes (this allows the script to modify each user's registry settings in HKCU)

    • For Enforce script signature check, select No

    • For Run script in 64-bit PowerShell, select Yes

    • Click Next

  • On the Assignments step:

    • Click Add groups and select the same device groups used for the machine setup script

    • Assigning to device groups ensures the script runs for every new user who signs into these shared devices, providing per-user proxy configuration with unique identifiers

    • Click Next

  • On the Review + add step, verify the configuration and click Add

This configuration sets the PAC URL in each user's registry (HKCU) with their unique identifier (GUID by default, or email address if the -Email flag was configured). Because the machine setup already installed the certificate, this script completes quickly for each user. The Intune Management Extension ensures that every user who signs into the shared device receives their own personalized proxy configuration the first time they log in, enabling SurePath AI to track activity and apply policies on a per-user basis rather than just by connector or device.

Method 2: Manual OMA-URI configuration (alternative)

The manual OMA-URI configuration method provides an alternative approach for deploying SurePath AI proxy settings through standard Intune configuration profiles. This method may be preferred by organizations that use policy-based management exclusively, need to integrate SurePath AI settings with existing configuration profiles, or prefer not to deploy custom scripts.

The manual method requires creating three separate configuration profiles: one for the PAC URL and proxy settings, one for preventing users from changing proxy settings, and one for distributing the root CA certificate. While this approach provides fine-grained control over each component, it requires more administrative effort to create and maintain compared to the PowerShell script method.

Policy for PAC URL distribution

This configuration profile sets the three NetworkProxy CSP settings (delivered as custom OMA-URIs) needed to point Windows devices at the proxy PAC URL:

  • Click Devices in the left navigation, then click Configuration

  • Click Create and select New Policy

  • For Platform select Windows 10 and later

  • For Profile type select Templates

  • From the Template name menu select Custom and click Create

  • On the Basics step, enter a Name (and Description if desired) and click Next

  • On the Configuration settings step, click Add

    • For Name, type AutoDetect

    • For OMA-URI type ./Vendor/MSFT/NetworkProxy/AutoDetect

    • For Data Type select Integer

    • For Value type 0 (turns off automatic proxy detection via WPAD so the PAC URL configured below is used instead)

    • Click Save

  • Click Add again

    • For Name, type SetupScriptUrl

    • For OMA-URI type ./Vendor/MSFT/NetworkProxy/SetupScriptUrl

    • For Data Type select String

    • For Value enter the Proxy PAC URL obtained in the Prerequisites section

    • Click Save

  • Click Add again

    • For Name, type ProxySettingsPerUser

    • For OMA-URI type ./Vendor/MSFT/NetworkProxy/ProxySettingsPerUser

    • For Data Type select Integer

    • For Value type 0 (applies the proxy settings machine-wide, to every user of the device, rather than per user)

    • Click Save

  • Click Next

  • On the Assignments step, add the device groups that should receive the proxy policy and click Next

    • This is a device-based policy, so assignment should be done via groups of devices

  • On the Applicability Rules step, optionally create a rule that will affect the desired Windows devices and click Next

    • As an example, for Rule select Assign profile if and for Property select OS Edition then for Value select all editions of Windows within the organization

  • On the Review + create step confirm the configuration is correct and click Create

Policy for preventing users from changing the configuration (optional)

Optionally, admins can deploy an additional policy that prevents users from changing the proxy settings. This policy is recommended to ensure users cannot bypass SurePath AI governance.

  • Click Devices in the left navigation, then click Configuration

  • Click Create and select New Policy

  • For Platform select Windows 10 and later

  • For Profile type select Settings catalog

  • Click Create

  • On the Basics step, enter a Name (and Description if desired) and click Next

  • On the Configuration settings step, click Add settings

    • In the Settings picker side panel in the Browse by category section, browse to Administrative Templates > Windows Components > Internet Explorer

    • In the Setting name section, select the Prevent changing proxy settings (User) setting

    • Close the Settings picker side panel

    • Click the slider to enable the setting

    • Click Next

  • On the Scope tags step, select any applicable scope tags and click Next

  • On the Assignments step, add the users and/or device groups that should receive the policy and click Next

  • On the Review + create step confirm the configuration is correct and click Create

Policy for distributing the SurePath AI root CA

This configuration profile deploys the SurePath AI root CA certificate to the Local Machine trusted certificate store on Windows devices:

  • Click Devices in the left navigation, then click Configuration

  • Click Create and select New Policy

  • For Platform select Windows 10 and later

  • For Profile type select Templates

  • From the Template name menu select Trusted certificate and click Create

  • On the Basics step, enter a Name (and Description if desired) and click Next

  • On the Configuration settings step, click the text box that says Select a valid .cer file and then browse to and select the SurePath AI Root CA Certificate retrieved in the Prerequisites section then click Next

  • On the Assignments step, add the device groups that should receive the certificate policy and click Next

    • This is a device-based policy so the assignment should be done via groups of devices rather than users

  • On the Applicability Rules step, optionally create a rule that will affect the desired Windows devices and click Next

    • As an example, for Rule select Assign profile if and for Property select OS Edition then for Value select all editions of Windows within the organization

  • On the Review + create step confirm the configuration is correct and click Create

Verifying the SurePath AI integration

After deploying SurePath AI configurations through either the PowerShell script method or the manual OMA-URI method, admins can verify that endpoints are properly configured by using the Ready tool at https://ready.surepath.ai. The Ready tool checks both certificate trust and network configuration to ensure that GenAI traffic will be properly routed through and governed by the SurePath AI platform.

To verify the integration, navigate to https://ready.surepath.ai from a configured endpoint. The tool automatically runs tests when the page loads and displays validation results.

Interpreting results

If both the Certificate Trust and Network Configuration tests show green Valid results, the endpoint is properly integrated and GenAI traffic originating from that endpoint will be processed by SurePath AI.

If the Certificate Trust test shows a red Invalid result, the SurePath AI root certificate is not trusted by the device or browser. This could indicate that the certificate has not been deployed to the device yet, or that the device needs to be restarted for the browser to recognize the newly installed certificate. Admins should check the device's local certificate trust store for the SurePath AI Root CA certificate.

If the Network Configuration test shows a red Invalid result, the SurePath AI platform is not receiving traffic from the endpoint. This is most likely because the proxy configuration has not been pushed to the device, or because the Intune script has not yet executed. Some browsers and applications maintain their own proxy settings or their own certificate store; Firefox, for example, has its own proxy configuration and its own trust store, and may need to be configured separately (for instance through Firefox enterprise policies) from the system-level settings documented in this guide.
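To complement the browser-based Ready tool, the following PowerShell function (an added example by the editor, not part of this article or of SurePath AI's tooling) reads the relevant configuration directly from a Windows endpoint: whether the root CA is in the Local Machine Trusted Root store, which hive the PAC URL is in effect from, what identifier is appended to it, whether the proxy lockdown policy is applied, and whether the PAC file can be fetched. The registry locations are the standard Windows Internet Settings and policy keys. The certificate is matched by the thumbprint of the downloaded .cer when -CerPath is supplied; otherwise the function assumes the CA subject contains "SurePath", which is an assumption and not a value from this article.

```powershell
# Added example (editor's code, not part of the article or vendor tooling):
# local read-out of the settings Method 1 and Method 2 write to an endpoint.
# Run as the signed-in user so that HKCU refers to that user's hive.

function Test-SurePathEndpoint {
    [CmdletBinding()]
    param(
        # The .cer downloaded from the SurePath AI console; matched by thumbprint.
        [string]$CerPath,
        # The connector PAC URL (without any per-user identifier) to compare against.
        [string]$ExpectedPacUrlPrefix,
        # Used only when -CerPath is not given; assumes the CA subject contains "SurePath".
        [string]$CaSubjectPattern = '*SurePath*'
    )
    $inet   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $result = [ordered]@{}

    # 1. Root CA in the Local Machine Trusted Root store (what the Trusted
    #    certificate profile and the script's machine setup install).
    $root = Get-ChildItem Cert:\LocalMachine\Root
    if ($CerPath) {
        $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CerPath).Path)
        $match = @($root | Where-Object Thumbprint -eq $expected.Thumbprint)
    } else {
        $match = @($root | Where-Object Subject -like $CaSubjectPattern)
    }
    $result.CertificateTrusted = $match.Count -gt 0
    $result.CertificateSubject = if ($match.Count) { $match[0].Subject }
    $result.CertificateExpires = if ($match.Count) { $match[0].NotAfter }

    # 2. Machine-wide or per-user proxy settings (NetworkProxy/ProxySettingsPerUser).
    $perUser = (Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $machineWide = ($perUser -eq 0)
    $result.ProxySettingsPerUser = if ($null -eq $perUser) { 'not set (per-user default)' } else { $perUser }

    # 3. PAC URL in both hives, and the one actually in effect for this session.
    $hklmPac = (Get-ItemProperty "HKLM:\$inet" -ErrorAction SilentlyContinue).AutoConfigURL
    $hkcuPac = (Get-ItemProperty "HKCU:\$inet" -ErrorAction SilentlyContinue).AutoConfigURL
    $pac = if ($machineWide) { $hklmPac } else { $hkcuPac }
    $result.AutoConfigURL_HKLM    = $hklmPac
    $result.AutoConfigURL_HKCU    = $hkcuPac
    $result.EffectiveAutoConfigURL = $pac
    $result.PacUrlMatchesConnector = if ($ExpectedPacUrlPrefix -and $pac) {
        $pac.StartsWith($ExpectedPacUrlPrefix, [StringComparison]::OrdinalIgnoreCase)
    } else { $null }
    # The per-user identifier (GUID or email) appended by the script is the query string.
    $result.PacIdentifier = if ($pac -and $pac.Contains('?')) { $pac.Substring($pac.IndexOf('?') + 1) }

    # 4. Lockdown: "Prevent changing proxy settings" writes Proxy = 1 under the IE policy key.
    $lock = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue).Proxy
    $result.ProxyChangeLocked = ($lock -eq 1)

    # 5. Can the PAC file be fetched, and does it define FindProxyForURL?
    $result.PacReachable = $null
    $result.PacDefinesFindProxyForURL = $null
    if ($pac) {
        try {
            $body = (Invoke-WebRequest -Uri $pac -UseBasicParsing -TimeoutSec 15).Content
            $result.PacReachable = $true
            $result.PacDefinesFindProxyForURL = [bool]($body -match 'function\s+FindProxyForURL')
        } catch {
            $result.PacReachable = $false
            $result.PacDefinesFindProxyForURL = $false
        }
    }
    [pscustomobject]$result
}

# Usage on an enrolled endpoint, as the signed-in user:
# Test-SurePathEndpoint -CerPath .\SurePathAI-Root.cer -ExpectedPacUrlPrefix '<PAC URL from the connector>' | Format-List
```

A red Certificate Trust result in the Ready tool with CertificateTrusted = True here usually points at a browser that has not been restarted or that uses its own trust store; a red Network Configuration result with a populated EffectiveAutoConfigURL and PacReachable = True points at an application that is not honouring the system proxy settings rather than at the Intune deployment.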

Admins should reach out to their SurePath AI account team if they have questions or issues with the SurePath AI integration.
