CEOofQuestions-5662 asked LuDaiMSFT-0289 commented

How are you PIN protecting individual private keys on TPM chips when they are generated via Intune SCEP Profile?

We are moving from on-premise Active Directory to Azure AD/Intune device management for our win10 fleet. As part of this migration, our PKI functionality is taking a beating. We have mitigated most of it by implementing a few SCEP instances to talk to our cloud hosted Microsoft CA, each with their own certificate template.

Two of the templates are user signature certificates that our staff uses to get signed certificates for document signing. As part of our regulatory requirements, the users must input a password each time they use these certificates. In the legacy system, we were enforcing this via Strong Private Key Protection in the legacy CryptoAPI (CAPI) framework. Private keys were stored in the Microsoft Enhanced Key Storage Provider which allowed us to force strong private key protection.

In the Intune environment, cybersecurity wishes us to store the private keys on the TPM chip via CNG's Microsoft Platform Crypto Provider. This is also specified in the Intune SCEP Certificate profiles where we have the following option set:

"Store private key in TPM, if no TPM, then request fails"

While this is working as expected, we have no way of prompting a user to set the private key password. As I understand it, this can be done during the certreq process that occurs between the device and the SCEP endpoint. That process, however, is defined by Intune, and we are not seeing where to set that in Intune. We have tried setting the registry flags to force strong private key protection but that will obviously not work because strong private key protection is a mechanism of CAPI, not CNG.

How are you folks handling this?

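The question above turns on which key-storage API actually holds each user's signing key (legacy CAPI with Strong Private Key Protection versus CNG's Microsoft Platform Crypto Provider on the TPM). As an added example that is not part of this thread or any participant's post, the following Windows PowerShell script audits the current user's personal store and reports, per certificate, the provider, whether the key is CNG or CAPI, whether it is TPM-backed, and what key-protection policy the key exposes. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (where `GetRSAPrivateKey` returns `RSACng` for CNG keys and `RSACryptoServiceProvider` for CAPI keys); the function name and the `NotExposedByProvider` label are the example's own. It only verifies where keys live and what policy they report; it does not, and cannot, add a password prompt to an Intune-issued key.

```powershell
# Added audit helper (not from the thread): lists certificates in the user's
# personal store and reports which provider holds each private key, whether
# that provider is the TPM-backed Platform Crypto Provider, and what
# key-protection (password/PIN) policy the key reports.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ for the CAPI vs CNG split.

Add-Type -AssemblyName System.Security

function Get-PrivateKeyProtectionReport {
    param(
        # Store to inspect; user signing certificates normally live in CurrentUser\My
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $report = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $null
            KeyApi     = $null
            TpmBacked  = $false
            Protection = 'Unknown'
        }

        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            # Key exists but is not accessible to this user (permissions, smart card removed, etc.)
            $rsa = $null
        }

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: provider name and UI policy come from the underlying CngKey
            $report.KeyApi    = 'CNG'
            $report.Provider  = $rsa.Key.Provider.Provider
            $report.TpmBacked = ($report.Provider -eq 'Microsoft Platform Crypto Provider')
            try {
                # CngUIProtectionLevels: None, ProtectKey, ForceHighProtection
                $report.Protection = $rsa.Key.UIPolicy.ProtectionLevel.ToString()
            } catch {
                # Providers that do not implement the UI-policy property throw here
                $report.Protection = 'NotExposedByProvider'
            }
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: strong private key protection is reported via CspKeyContainerInfo
            $info = $rsa.CspKeyContainerInfo
            $report.KeyApi     = 'CAPI'
            $report.Provider   = $info.ProviderName
            $report.Protection = if ($info.Protected) { 'StrongPrivateKeyProtection' } else { 'None' }
        } else {
            $report.KeyApi = 'Unknown (non-RSA or inaccessible key)'
        }

        [pscustomobject]$report
    }
}

# Usage: surface certificates whose key is not TPM-backed or reports no protection policy,
# i.e. the cases a compliance reviewer would want to look at first.
Get-PrivateKeyProtectionReport |
    Where-Object { -not $_.TpmBacked -or $_.Protection -in 'None', 'Unknown' } |
    Format-Table Subject, Provider, KeyApi, TpmBacked, Protection -AutoSize
```

Run it in the signing user's session, since the per-user store and key permissions are what matter. A `NotExposedByProvider` result for a Platform Crypto Provider key is expected and simply confirms the thread's point that the CAPI-style password policy is not something the TPM provider reports through the CNG UI-policy property.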

@CEOofQuestions-5662 Thanks for posting in our Q&A.

From your description, I know that you want to do this via certreq. I have done some research; I found that certreq can be used to set a user password, and I didn't find anything about setting the private key password in the following link:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1

For the setting "Store private key in TPM, if no TPM, then request fails", did you mean the setting "Enroll to Trusted Platform Module (TPM) KSP, otherwise fail" under SCEP profile?

If there is any update, feel free to let us know.


@LuDaiMSFT-0289 thank you for your response.

I understand that this control can be implemented via manual certreqs, however, we have no visibility into this with Intune and that is the real core of the issue. Intune provides the instruction to the device on how to perform the certificate request. The only mechanisms we have in Intune are to specify the certificate information, validity period, key storage, and things like that. We have no way to configure Intune to tell the device to require a password to protect the private key and that is what we are trying to discover.


@CEOofQuestions-5662 Thanks for your update.

I agree with you. Based on my research, there is no built-in setting that can configure a password to protect the private key. Sorry, I'm not sure if there is any method that can achieve this via Intune. Given this situation, it is better to create an online support ticket to get more effective help. It is free. Here is the online support link:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

Hope this issue will be solved as soon as possible.


0 Answers