How to Enable the Device Based Certificate with Microsoft EntraID Joined Device

Veera Ragavan 26 Reputation points
2024-03-04T07:31:04.06+00:00

Hello Experts,

Background :

  1. Devices are Enrolled with Microsoft Intune as "Microsoft Entra ID Joined Devices"
  2. Devices get the Policies via Microsoft Intune - Device Configuration
  3. Devices get the Certificate from the On Premise using Active Directory certificate authority + PKI Infrastructure + SCEP Based Enrollment
  4. Deployed Certificates with Properties as "Client Authentication" and "Server Authentication"
  5. Devices are reporting to Microsoft Tenant using "User Based Certificate"

As mentioned in 1 to 5: no objects exist for the devices in the on-premises AD.

Available Infra: Microsoft Intune, Windows 10/11, PKI Based CA, SCEP Based Enrollment, and NPS Server; Security Protocol with 802.1X Server Authentication

Not Available: Radius Server.. :)

Requirement:

  1. WLAN Usage with Device Certificate
  2. Expected to see that the Device Certificates can Authenticate the WLAN usage

Experiment Done So far.. as Work Around

  1. Earlier We have Enabled the User Certificate only. It is extended to the Device Certificate
  2. Created a dummy Object in the AD with same name of the Microsoft Entra ID Device using Microsoft Entra ID (Not the Display Name or Host Name)
  3. Added the Attributes for the Dummy Objects to the altsecurityidentities, SPN, sAM AccountName
  4. The Dummy Objects are now visible in the AD, and as expected the Objects should be Identified with NPS. NPS Policy already have "All Computers" in Scope
  5. The Audit Failure NPS Event Log records "NPS Denied Access to User". In General the User Certificate always takes place here, which is unavoidable.

Questions?

  1. Is this approach Possible to use? or Under the warranty of Microsoft
  2. How to make the Device Certificate take precedence, which should help the NPS Server recognize it and authenticate
  3. If (1) and (2) are possible - Any Configuration settings that can be applied via Intune Policy
  4. What is the recommendation from Microsoft for Such cases with Microsoft Entra ID Scenarios

We also know some third party involvement here - RadiuSaas with or Without Microsoft Cloud PKI. If we know the limitations of NPS with Microsoft Entra ID, it can be helpful to prepare the Environment accordingly.
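Steps 2 and 3 of the work-around above (a placeholder AD computer object named after the Entra device, with altSecurityIdentities, SPN and sAMAccountName stamped on it) as an added PowerShell example; this is not code from the thread. It assumes the RSAT ActiveDirectory module, a device certificate exported to `$CertPath`, that the certificate Subject CN is what Intune filled from `{{AAD_Device_ID}}`, and placeholder names for the OU; the mapping string uses the issuer+serial form that Windows treats as a strong certificate mapping.

```powershell
# Added example, not from the original post. Placeholders: $CertPath, $TargetOU.
param(
    [Parameter(Mandatory)] [string] $CertPath,                           # e.g. C:\temp\device.cer
    [string] $TargetOU = "OU=EntraDevices,DC=contoso,DC=local"           # placeholder OU
)
Import-Module ActiveDirectory

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# The Subject CN must equal the AD object name, otherwise NPS has nothing to match.
# Assumption: the SCEP profile used {{AAD_Device_ID}} as the Subject name, so CN is a GUID.
$cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } |
       Select-Object -First 1) -replace '^CN=', ''

# Strong issuer+serial mapping: X509:<I><issuer RDNs reversed><SR><serial bytes reversed>
$issuerParts = $cert.Issuer -split ',\s*'
[array]::Reverse($issuerParts)
$issuerReversed = $issuerParts -join ','
# GetSerialNumber() returns the serial in little-endian (already reversed) byte order,
# which is exactly the order the <SR> field expects.
$serialReversed = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
$mapping = "X509:<I>$issuerReversed<SR>$serialReversed"

# Create the placeholder computer object if it does not exist yet. A 36-character GUID
# exceeds the 15-character NetBIOS name, but AD still accepts it as the object name.
$sam = "$cn`$"
if (-not (Get-ADComputer -Filter "Name -eq '$cn'" -ErrorAction SilentlyContinue)) {
    New-ADComputer -Name $cn -SamAccountName $sam -Path $TargetOU -Enabled $true
}

# Stamp the attributes listed in step 3 of the work-around.
Set-ADComputer -Identity $sam -Add @{
    altSecurityIdentities = $mapping
    servicePrincipalName  = "HOST/$cn"
}

# Verify what NPS will see when it looks the object up.
Get-ADComputer -Identity $sam -Properties altSecurityIdentities, servicePrincipalName |
    Select-Object Name, SamAccountName, altSecurityIdentities, servicePrincipalName
```

Which certificate the client presents is decided on the Windows side by the 802.1X authentication mode of the Wi-Fi profile (User, Machine, or Machine or user), not by the AD object; only Machine mode makes the device certificate the one NPS evaluates, which is the precedence question raised above.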


1 answer

  1. Crystal-MSFT 48,591 Reputation points Microsoft Vendor
    2024-03-05T03:05:23.0133333+00:00

    @Veera Ragavan, Thanks for posting in Q&A. As far as I know, the device certificate type in a SCEP certificate profile can only support the following variables in the Subject name format for Microsoft Entra ID joined devices:

    {{AAD_Device_ID}} or {{AzureADDeviceId}} - Either variable can be used to identify a device by its Microsoft Entra ID.

    {{DeviceId}} - The Intune device ID

    {{Device_Serial}}

    {{Device_IMEI}}

    {{SerialNumber}}

    {{IMEINumber}}

    {{WiFiMacAddress}}

    {{IMEI}}

    {{DeviceName}}

    {{MEID}}

    https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep

    If NPS supports authenticating the device with one of the above, it can work for the shared devices joined into Microsoft Entra. If not, then I am afraid it is not supported on such devices.

    Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

