How are you PIN protecting individual private keys on TPM chips when they are generated via Intune SCEP Profile?

CEOofQuestions 1 Reputation point
2021-05-26T19:50:41.393+00:00

We are moving from on-premises Active Directory to Azure AD/Intune device management for our Windows 10 fleet. As part of this migration, our PKI functionality is taking a beating. We have mitigated most of it by implementing a few SCEP instances to talk to our cloud-hosted Microsoft CA, each with its own certificate template.

Two of the templates are user signature certificates that our staff uses to get signed certificates for document signing. As part of our regulatory requirements, the users must input a password each time they use these certificates. In the legacy system, we were enforcing this via Strong Private Key Protection in the legacy CryptoAPI (CAPI) framework. Private keys were stored in the Microsoft Enhanced Key Storage Provider, which allowed us to force strong private key protection.

In the Intune environment, cybersecurity wishes us to store the private keys on the TPM chip via CNG's Microsoft Platform Crypto Provider. This is also specified in the Intune SCEP Certificate profiles where we have the following option set:

"Store private key in TPM, if no TPM, then request fails"

While this is working as expected, we have no way of prompting a user to set the private key password. As I understand it, this can be done during the certreq process that occurs between the device and the SCEP endpoint. That process, however, is defined by Intune, and we are not seeing where to set that in Intune. We have tried setting the registry flags to force strong private key protection, but that will obviously not work because strong private key protection is a mechanism of CAPI, not CNG.

How are you folks handling this?

Microsoft Intune