Question

KeithFenech-6685 asked · Jason-MSFT commented

How do I deploy PKI Certificates via Intune instead of GPO

We currently have an on-premises CA through which we deploy 802.1X certificates via GPO on the domain. We would like to migrate this certificate auto-enrolment to be done via Endpoint Manager. Is there anyone that can guide me to the appropriate documentation required to do so?

Tags: windows-server-2019, windows-10-security, mem-intune-general

Your question is more related to Intune, which our forum doesn't focus on. I will remove our win10 network tag and add the related Intune tag. Thank you!

1 Answer

NickHogarth-MVP answered · Jason-MSFT commented

You can use SCEP or PKCS to provision certificates. Official documentation is here https://docs.microsoft.com/en-us/mem/intune/protect/certificates-configure

There are pros and cons listed here on this link https://www.reddit.com/r/Intune/comments/hruiu8/scep_vs_pfx/


So this means that with a PKCS connector I can deploy certificates automatically, like when we deploy them via GPO.

I know I have to use the trusted certificate profile to deploy the certs for the root CA and intermediate CAs to the trusted root and trusted intermediate certificate stores.

What I still do not understand is how to configure PKCS to deploy the certificate. As per best-practice guidelines we switch off the root CA and leave the intermediate CAs online. So when creating the PKCS certificate deployment profile, if I select the root CA certificate profile, does this still work with the root CA switched off, or do I need to select the intermediate CA?

Deploying a trusted root cert and issuing certs using the PKCS connector or SCEP are two different things. Also, in a multi-tier PKI, only the issuing sub-CA is directly involved to issue certificates. If that were not the case, having an offline root CA would not be possible.

The docs for setting up the PKCS connector for Intune are at https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure.

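Added check, not from the original thread and not Microsoft's or the answerer's code: once the trusted certificate profile and the PKCS (or SCEP) profile have applied, this PowerShell script, run on an enrolled Windows device, confirms that the root landed in the Trusted Root store, the issuing sub-CA in the Intermediate store, and that the issued 802.1X client-auth certificate chains through the online issuing CA to the root. The CA subject names and the LocalMachine store (device certificate) are assumptions; substitute your own DNs, and use Cert:\CurrentUser\My for a user certificate.

```powershell
# Added example for verifying an Intune-delivered 802.1X certificate chain.
# Not from the original post. The two DNs below are assumed placeholders.
$RootCaSubject    = 'CN=Contoso Root CA'        # assumed: offline root, trust anchor only
$IssuingCaSubject = 'CN=Contoso Issuing CA 1'   # assumed: online sub-CA that actually signs
$ClientAuthEku    = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth, needed for EAP-TLS

function Test-IntuneCertChain {
    param(
        [string]$StoreLocation = 'LocalMachine'   # 'CurrentUser' for a user cert profile
    )

    # 1. Root CA from the trusted certificate profile must sit in the Root store.
    $root = Get-ChildItem "Cert:\$StoreLocation\Root" |
        Where-Object { $_.Subject -eq $RootCaSubject }
    if (-not $root) { Write-Warning "Root CA not in $StoreLocation\Root" }

    # 2. Issuing sub-CA must sit in the Intermediate (CA) store so the chain can be built
    #    without contacting the offline root.
    $issuing = Get-ChildItem "Cert:\$StoreLocation\CA" |
        Where-Object { $_.Subject -eq $IssuingCaSubject }
    if (-not $issuing) { Write-Warning "Issuing CA not in $StoreLocation\CA" }

    # 3. The PKCS/SCEP-issued leaf: signed by the sub-CA, has a private key, has client auth EKU.
    $leaf = Get-ChildItem "Cert:\$StoreLocation\My" |
        Where-Object {
            $_.Issuer -eq $IssuingCaSubject -and
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $leaf) {
        Write-Warning "No client-auth certificate issued by $IssuingCaSubject in $StoreLocation\My"
        return $false
    }

    # 4. Build and validate the chain the way an EAP-TLS peer would.
    #    Only the issuing CA's signature on the leaf is checked against a key that is
    #    online; the root is consulted purely as a stored trust anchor.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthEku)) | Out-Null
    $valid = $chain.Build($leaf)

    # Report each element so a failing link (wrong store, expired CRL, missing EKU) is obvious.
    $chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Certificate.Subject
            NotAfter = $_.Certificate.NotAfter
            Status   = ($_.ChainElementStatus.StatusInformation -join '; ')
        }
    } | Format-Table -AutoSize

    if (-not $valid) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    }
    return $valid
}

# Usage on the enrolled device (elevated for the LocalMachine stores):
Test-IntuneCertChain -StoreLocation 'LocalMachine'
```

ExcludeRoot keeps revocation checking off the root's CRL, matching the thread's point that an offline root is never contacted at issuance or validation time; if the build fails only with a revocation status, the issuing CA's CRL distribution point is unreachable from the device and needs to be published somewhere the client can reach, which is a separate concern from the Intune profile itself.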