question

0 Votes
RASHMAAR-2635 asked vipulsparsh-MSFT answered

AAD / Intune Certificate Authority

Hi,

We have multiple internal systems that use certificate-based authentication (client and machine).

We need a procedure for how to deploy/request those certificates on all Windows 10 machines:

All Windows 10 machines need to receive our RootCA cert and install it under "Trusted Root Certification Authorities".

All Windows 10 machines need to request a client cert and a machine cert signed by our RootCA and install them under Personal.

What is the right way to do it? We manage the computers using Intune.

Thanks

Tags: windows-10-general, windows-10-security, mem-intune-general

0 Votes
CiciWu-MSFT answered

Certificates provide authenticated access without delay through the following two phases:
• Authentication phase: The user’s authenticity is checked to confirm the user is who they claim to be.
• Authorization phase: The user is subjected to conditions for which a determination is made on whether the user should be given access.
Typical use scenarios for certificates include:
• Network authentication (for example, 802.1x) with device or user certs
• Authenticating with VPN servers using device or user certs
• Signing e-mail based on user certs
Intune supports Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography Standards (PKCS), and imported PKCS certificates as methods to provision certificates on devices. The different provisioning methods have different requirements and results. For example:
• SCEP provisions certificates that are unique to each request for the certificate.
• With PKCS, a user can have the same certificate provisioned on each device they use.
• With Imported PKCS, you can deploy the same certificate that you’ve exported from a source, like an email server, to multiple recipients. This shared certificate is useful to ensure all your users or devices can then decrypt emails that were encrypted by that certificate.
To provision a user or device with a specific type of certificate, Intune uses a certificate profile.
In addition to the three certificate types and provisioning methods, you’ll need a trusted root certificate from a trusted Certification Authority (CA). The CA can be an on-premises Microsoft Certification Authority, or a third-party Certification Authority. The trusted root certificate establishes a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued. To deploy this certificate, you use the trusted certificate profile, and deploy it to the same devices and users that will receive the certificate profiles for SCEP, PKCS, and imported PKCS.
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/certificates-configure

Here is the configuration guide:

Configure a trusted certificate profile
Configure infrastructure to support SCEP certificates with Intune
Configure and manage PKCS certificates with Intune
Create a PKCS imported certificate profile


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

1 Vote
vipulsparsh-MSFT answered

@RASHMAAR-2635 Intune can deliver the certificates to your Windows 10 devices.

You can have 2 different certificate profiles from the Intune service to devices:
1) Trusted Certificate profile
2) SCEP profile for Device/user Auth

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.

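Both answers describe the same two-profile design: a trusted certificate profile that places the RootCA in the machine's Trusted Root Certification Authorities store, and a SCEP (or PKCS) profile that issues user/device certificates signed by that CA into the Personal store. What the thread does not show is how to confirm on an endpoint that the profiles actually landed as intended. The script below is an added example for this thread, not code from Microsoft or from either answer; it runs on a managed Windows 10 device and checks (1) that the expected root is present in `Cert:\LocalMachine\Root` and (2) that the certificates in the Personal stores chain to that root and carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). The function name `Test-IntuneCertDeployment` and the thumbprint value are assumptions; replace the placeholder with your RootCA's SHA-1 thumbprint.

```powershell
# Added example (not from the thread): verify on a Windows 10 endpoint that the
# trusted-certificate profile and the SCEP/PKCS profile delivered what was expected.
# Function name is hypothetical; the thumbprint is a placeholder you must replace.

function Test-IntuneCertDeployment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]          # SHA-1 thumbprint, 40 hex chars
        [string]$ExpectedRootThumbprint,

        # Stores where the SCEP/PKCS profile should have placed device and user certs
        [string[]]$PersonalStores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $expected      = $ExpectedRootThumbprint.ToUpper()

    # 1. Trusted root: must be in the machine's Trusted Root Certification Authorities store
    $root = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Thumbprint -eq $expected }

    $result = [ordered]@{
        RootPresent  = [bool]$root
        RootSubject  = if ($root) { $root.Subject } else { $null }
        Certificates = @()
    }

    # 2. Personal certs with a private key: do they chain to the expected root and carry Client Auth?
    foreach ($store in $PersonalStores) {
        $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey }

        foreach ($cert in $certs) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Offline-friendly; switch to 'Online' once the CA's CRL/OCSP endpoint is reachable
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $built = $chain.Build($cert)

            # Last element of a built chain is the root the OS actually trusted
            $chainRootThumb = $null
            if ($chain.ChainElements.Count -gt 0) {
                $chainRootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
            }

            # Collect EKU OIDs from the Enhanced Key Usage extension, if present
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
                }
            }

            $result.Certificates += [pscustomobject]@{
                Store            = $store
                Subject          = $cert.Subject
                Thumbprint       = $cert.Thumbprint
                NotAfter         = $cert.NotAfter
                ChainValid       = $built
                ChainsToExpected = ($chainRootThumb -eq $expected)
                HasClientAuthEku = ($ekus -contains $clientAuthOid)
                ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
            $chain.Reset()
        }
    }

    [pscustomobject]$result
}

# Usage (replace the placeholder with the RootCA's 40-hex-character thumbprint):
# $r = Test-IntuneCertDeployment -ExpectedRootThumbprint '<ROOTCA_THUMBPRINT_PLACEHOLDER>'
# $r.RootPresent
# $r.Certificates | Format-Table Store, Subject, ChainValid, ChainsToExpected, HasClientAuthEku, NotAfter
```

A device where `RootPresent` is `$false` has not received the trusted certificate profile (or it targeted the user store instead of the computer store), and every certificate will then show `ChainValid = $false` with `UntrustedRoot` in `ChainStatus`. A certificate that chains correctly but reports `HasClientAuthEku = $false` will still be rejected by 802.1X or VPN servers that require the Client Authentication EKU, which is a setting in the SCEP profile's extended key usage, not something the device can fix locally.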