Prerequisites for the Certificate Connector for Microsoft Intune
Before you install and configure the Certificate Connector for Microsoft Intune, review the prerequisites and infrastructure requirements, which can vary depending on the features you’ll configure a connector instance to support.
Requirements for the computer where you install the connector software:
Windows Server 2012 R2 or later.
The Server installation must include the Desktop Experience and support use of a browser. For more information, see Install Server with Desktop Experience in the Windows Server 2016 documentation.
Transport Layer Security (TLS) 1.2. For more information, see Enable support for TLS 1.2 in your environment in the Azure Active Directory documentation.
The server must meet the same network requirements as managed devices. See Network endpoints for Microsoft Intune, and Intune network configuration requirements and bandwidth.
To support automatic updates of the connector software, the server must have access to the Azure update service:
- Port: 443
- Endpoint: autoupdate.msappproxy.net
The Enhanced Security Configuration must be deactivated.
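The following PowerShell script is an added example, not part of the Microsoft documentation, that checks the general server prerequisites above before the connector is installed. The registry locations for TLS 1.2, the .NET strong-crypto setting and Enhanced Security Configuration are assumptions based on their standard Windows Server locations.

```powershell
# Added example: pre-install checks for the general connector prerequisites.
# Registry paths below are assumed standard Windows Server locations.
$results = [ordered]@{}

# Windows Server 2012 R2 (kernel 6.3) or later, installed with the Desktop Experience
$os = [System.Environment]::OSVersion.Version
$results['Windows Server 2012 R2 or later'] = $os -ge [version]'6.3'
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$results['Desktop Experience (not Server Core)'] = $installType -eq 'Server'

# TLS 1.2: the Schannel client protocol must not be disabled, and .NET 4.x
# should be set to use strong crypto (SchUseStrongCrypto = 1)
$tls12Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls12 = Get-ItemProperty -Path $tls12Key -ErrorAction SilentlyContinue
$results['TLS 1.2 client not disabled'] =
    ($null -eq $tls12) -or (($tls12.Enabled -ne 0) -and ($tls12.DisabledByDefault -ne 1))
$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NET Framework\v4.0.30319' -ErrorAction SilentlyContinue
$results['.NET 4.x SchUseStrongCrypto = 1'] = ($net.SchUseStrongCrypto -eq 1)

# Enhanced Security Configuration must be off for administrators
# (assumed Active Setup component GUID for the Administrators ESC setting)
$escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc = Get-ItemProperty -Path $escKey -ErrorAction SilentlyContinue
$results['IE Enhanced Security Configuration off (admins)'] = ($esc.IsInstalled -eq 0)

# Azure update service endpoint reachable on TCP 443 (needed for automatic connector updates)
$probe = Test-NetConnection -ComputerName 'autoupdate.msappproxy.net' -Port 443 -WarningAction SilentlyContinue
$results['autoupdate.msappproxy.net:443 reachable'] = $probe.TcpTestSucceeded

# Print one line per check; any FAIL should be fixed before running the connector installer
$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run the script in an elevated PowerShell session on the prospective connector host; a proxy between the server and the internet can make the endpoint probe fail even when the connector will be able to reach it through the proxy.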
Requirements for PKCS certificate templates:
- Certificate templates you’ll use for PKCS requests must be configured with permissions that allow the certificate connector service account to enroll the certificate.
- The certificate templates must be added to the Certification Authority (CA).
Any instance of the connector that supports PKCS can be used to retrieve pending PKCS requests from the Intune Service queue, process Imported certificates, and handle revocation requests. It's not possible to define which connector handles each request. Therefore, each connector that supports PKCS must have the same permissions and be able to connect with all the certification authorities defined later in the PKCS profiles.
PKCS imported certificates
To support PKCS imported certificates, the server that hosts the connector requires additional configuration, such as granting the Connector Service User access to the Key Storage Provider so that it can retrieve keys.
For information about support for PKCS imported certificates, see Configure and use imported PKCS certificates with Intune.
Requirements for certificate revocation:
- The Certification Authority must be configured to allow the connector service account to revoke certificates.
To support SCEP, the Windows Server that hosts the connector must meet the following prerequisites in addition to the general prerequisites:
- IIS 7 or higher
- Network Device Enrollment Service (NDES), which is part of the Active Directory Certificate Services role. The connector isn't supported on the same server as your issuing Certification Authority (CA). For more information, see Configure infrastructure to support SCEP with Intune.
On the Windows Server, select the following Server Roles and Features:
- Active Directory Certificate Services
- Web Server (IIS)
- .NET Framework 4.7 Features
  - .NET Framework 4.7
  - ASP.NET 4.7
  - WCF Services
    - HTTP Activation
AD CS > Role Services:
- Network Device Enrollment Service - To support SCEP with the connector when you use a Microsoft CA, install and configure the Network Device Enrollment Service (NDES) server role. When you configure NDES, you’ll need to assign a user account for use by the NDES application pool. NDES also has its own requirements.
Web Server Role (IIS) > Role Services:
- Request Filtering
- Application Development
  - .NET Extensibility 4.7
  - ASP.NET 4.7
- Management Tools
  - IIS Management Console
  - IIS 6 Management Compatibility
    - IIS 6 Metabase Compatibility
    - IIS 6 WMI Compatibility
In addition, NDES requires the following .NET Framework 3.5 Features:
- .NET Framework 3.5
  - HTTP Activation
Requirements for SCEP certificate templates:
- Certificate templates you’ll use for SCEP requests must be configured with permissions that allow the Certificate Connector service account to auto enroll the certificate.
- The certificate templates must be added to the CA.
Prepare the following accounts before you install the certificate connector software.
You can use any user account that has local administrative permissions on the Windows Server to install the connector software. You can use this same account to configure the Windows Server with the NDES server role if you use SCEP with a Microsoft CA.
Certificate connector service account
The certificate connector requires an account to use as a service account. This account is used by the connector to access the Windows Server, communicate with Intune, and access the Certification Authority to service PKI requests.
The connector service account must have the following permissions:
- Logon as Service
- Issue and Manage Certificates permissions on the Certification Authority (required only for revocation scenarios).
- Read and Enroll permissions on any certificate template that you’ll use to issue certificates.
- Permissions to the Key Storage Provider (KSP) that’s used by PFX Import. See Import PFX Certificates to Intune.
The following options are supported for use as the certificate connector service account:
- Domain user - Use any domain user account that is an administrator on the Windows Server.
For more information, see Install the Certificate Connector for Microsoft Intune.
NDES application pool user
To use SCEP with a Microsoft CA, you’ll need to add NDES to the server that hosts the connector before installing the connector. When you configure NDES, you’ll need to specify an account for use as the application pool user, which can also be referred to as the NDES service account. This account can be a local or domain user account and must have the following permissions:
- Read and Enroll permissions on each SCEP certificate template you’ll use to issue certificates.
- Member of the IIS_IUSRS group.
For guidance on configuring the NDES server role for the Certificate Connector for Microsoft Intune, see Set up NDES in Configure infrastructure to support SCEP with Intune.
Azure Active Directory User
When you configure the connector, you'll need to sign in with a user account that is either a Global Admin or an Intune Admin, has an Intune license assigned, and is synchronized from your local Active Directory.