Deploy certificate with Microsoft Intune

How do you deploy a certificate with Microsoft Intune?

Some company resources are only accessible with a digital certificate. Users therefore need a certificate to access VPN, Wi-Fi,…

These certificates remove the need for a user name and password. Intune lets you assign and manage them. Two types of certificate can be used:

  • Simple Certificate Enrollment Protocol (SCEP)
  • PKCS#12 (or PFX)

Prerequisites

The following prerequisites are required to deploy a certificate:

  • Have a certificate infrastructure
  • Install a root or intermediate certificate
  • iOS 8.0 and later
  • macOS 10.11 and later
  • Android 4.0 and higher
  • Android Professional Profile
  • Windows 8.1 and later

Configuring the certificate infrastructure

The following operations allow the deployment of a PKCS certificate. An Active Directory infrastructure and a certification authority are required. The root certificate must also be exported.

Export the root certificate from the enterprise CA
The root or intermediate certificate must be deployed to every device that will receive a certificate. On the server holding the CA role, open a command prompt and run: certutil -ca.cert certroot.cer
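The following PowerShell script is an added example and not part of the original article: it runs the same certutil export and then checks what was exported before the file is uploaded to Intune as a trusted certificate (the output path is an assumption; run it on the server holding the CA role).

```powershell
# Added example (not from the original article): export the CA certificate exactly
# as the article does, then verify what was exported before it goes into Intune as
# a "Trusted certificate" profile. Run on the server holding the CA role.
# $outFile is an assumed path.
$outFile = Join-Path $env:TEMP 'certroot.cer'

# Same command as in the article; certutil writes the CA's own certificate to the file.
& certutil.exe -ca.cert $outFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outFile

# Basic Constraints must carry CA=TRUE, otherwise devices will not accept it as a trust anchor.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# Subject == Issuer means self-signed, i.e. the root. An intermediate (subordinate) CA
# also needs its issuing root deployed, as the Prerequisites section notes.
$isRoot = ($cert.Subject -eq $cert.Issuer)

# Key size: RSA CAs report KeySize; GetRSAPublicKey returns $null for ECDSA keys.
$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }

$report = [pscustomobject]@{
    File       = $outFile
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint          # compare with the thumbprint Intune shows after upload
    NotAfter   = $cert.NotAfter
    KeyBits    = $keyBits
    IsCA       = $isCa
    IsRoot     = $isRoot
}
$report | Format-List

if (-not $isCa)   { Write-Warning 'Exported file is not a CA certificate; do not upload it as a trusted root.' }
if (-not $isRoot) { Write-Warning 'This is an intermediate CA certificate; its issuing root must be deployed as well.' }
if ($cert.NotAfter -lt (Get-Date).AddMonths(6)) {
    Write-Warning "CA certificate expires on $($cert.NotAfter); plan a renewal before that date."
}
```

The thumbprint printed here is the value to compare against the certificate Intune displays once the .cer file has been imported into the trusted certificate profile later in the article.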

Install and configure Microsoft Intune Certificate Connector

From the Intune portal, click Device Configuration and then click Certification Authority.

Click Add, then use the link to download the tool.

Run the tool on the desired server and select the desired installation option.

At the end of the installation, check Launch Intune Connector and click Finish.

A new window appears; click Sign In.

Log in with the username and password of the admin account. A message appears indicating that the registration completed successfully. Click Close.

The connector now appears correctly in the Azure console.

Configuring certificate templates on the certification authority

Open the Certification Authority console and right-click Certificate Templates. From the context menu, select Manage.

Right-click the User certificate template and, from the context menu, select Duplicate Template. A window appears.

Under the Compatibility tab, set the drop-down lists as follows:

  • Certificate Authority: Windows Server 2008 R2
  • Certificate recipient: Windows 7 / Server 2008 R2

In the General tab, specify a display name for the template. Select the Request Handling tab and check Allow private key to be exported.

In the Cryptography tab, verify that Minimum key size is 2048.

Select the Subject Name tab and select Supply in the request.

In the Extensions tab, make sure Encrypting File System, Secure Email and Client Authentication are listed under Application Policies. Select the Security tab and add the computer account of the server where Microsoft Intune Certificate Connector is installed. Grant this account the Read and Enroll permissions.

Click OK and close the Certificate Templates console. Back in the Certification Authority console, right-click Certificate Templates and, in the context menu, select New / Certificate Template to Issue.

Select the previously created template and click OK. Certificates can now be deployed.
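The PowerShell script below is an added example and is not part of the original article. It reads the duplicated template back out of Active Directory (via ADSI, so no extra module is needed) and confirms the settings the steps above ask for: the 2048-bit minimum key size, the Supply in the request option, the exportable private key, the three application policies, which CAs publish the template, and who holds Enroll on it. The template name IntunePKCSUser is an assumption (it is the template name, the cn in AD, which is normally the display name without spaces, not the display name itself).

```powershell
# Added example (not from the original article): audit the duplicated template in
# Active Directory to confirm the settings the article asks for, and to see who can
# enrol for it. $TemplateName is an assumption: the template *name* (the "cn" in AD,
# usually the display name with spaces removed), not the display name.
param([string]$TemplateName = 'IntunePKCSUser')

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'][0]
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template '$TemplateName' not found under CN=Certificate Templates,$pkiBase"
}
$tpl = [ADSI]$tplPath

# Flag bits behind the template GUI options used in the article.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # Subject Name tab: "Supply in the request"
$CTPRIVATEKEY_FLAG_EXPORTABLE_KEY  = 0x10   # Request Handling tab: "Allow private key to be exported"
$ENROLL_RIGHT = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ekuNames = @{                               # Application Policies expected in the Extensions tab
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
}

$nameFlag = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'][0]
$keyFlag  = [int]$tpl.Properties['msPKI-Private-Key-Flag'][0]
$minKey   = [int]$tpl.Properties['msPKI-Minimal-Key-Size'][0]
$ekus     = @($tpl.Properties['pKIExtendedKeyUsage'])

# Who holds Enroll (directly, via GenericAll, or via an unscoped ExtendedRight).
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$enrollers = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $ENROLL_RIGHT -or
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and $_.ObjectType -eq [guid]::Empty)
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# Which CAs publish the template ("Certificate Template to Issue" step).
$publishedOn = foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    if (@($ca.Properties['certificateTemplates']) -contains $TemplateName) { $ca.Properties['cn'][0] }
}

[pscustomobject]@{
    Template             = $TemplateName
    DisplayName          = $tpl.Properties['displayName'][0]
    MinimumKeySize       = $minKey
    SubjectSuppliedInReq = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    PrivateKeyExportable = [bool]($keyFlag -band $CTPRIVATEKEY_FLAG_EXPORTABLE_KEY)
    ApplicationPolicies  = ($ekus | ForEach-Object { if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }) -join ', '
    EnrollGrantedTo      = $enrollers -join '; '
    PublishedOnCA        = @($publishedOn) -join ', '
} | Format-List

# Checks a reviewer would run before publishing the template.
if ($minKey -lt 2048) { Write-Warning "Minimum key size is $minKey; the article requires 2048." }
foreach ($oid in $ekuNames.Keys) {
    if ($ekus -notcontains $oid) { Write-Warning "Application policy '$($ekuNames[$oid])' ($oid) is missing." }
}
# "Supply in the request" plus an exportable key is what the Intune connector needs, but it also
# means whoever can enrol chooses the subject. Enroll should be held only by the connector
# server's computer account, never by broad groups.
$broad = $enrollers | Where-Object { $_ -match 'Domain Users|Domain Computers|Authenticated Users|Everyone' }
if ($broad) { Write-Warning "Broad groups can enrol for this template: $($broad -join ', ')" }
```

Save it as a .ps1 file and run it from a domain-joined machine as a user who can read the Configuration partition; the EnrollGrantedTo line should list only the connector server's computer account (and whatever administrative groups your PKI policy allows), which is the point of the Security tab step above.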

Configuring Microsoft Intune

Create a device configuration
From the Intune console, click Device Configuration. In Profiles, click Create Profile.

Enter the name of the profile and select the desired platform. In Profile type, select Trusted certificate and click Configure.

Under Certificate file, click the button and select the root CA certificate exported earlier in this article (Export the root certificate from the enterprise CA). Click OK to import the .cer file.

The assignment to a device group can now be performed.

Create a PKCS Certificate Profile
From the Intune console, click Device Configuration. In Profiles, click Create Profile. Enter the name of the profile and select the desired platform. In Profile type, select PKCS certificate and click Configure.

Configure the window as follows:

  • Renewal threshold (%): the renewal threshold; the recommended value is 20%.
  • Certificate validity period: the validity period of the certificate (to be configured according to the template).
  • Certification authority: enter the internal FQDN of your certification authority.
  • Certification authority name: enter the name of the certification authority.
  • Certificate template name: enter the name of the certificate template.
  • Subject name format: select the desired value from the drop-down list.
  • Subject alternative name: select the desired value from the drop-down list.

Click OK, then Create, to create the profile. The assignment to a device group can now be performed.

The profiles have been created.

The certificate has been deployed to my iPad.
