Step 7.4. Deploy conditional access root certificates to on-premises AD

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10

In this step, you deploy the conditional access root certificate as a trusted root certificate for VPN authentication to your on-premises AD.

  1. On the VPN connectivity page, select Download certificate.

    Note

    The Download base64 certificate option is available for some configurations that require base64 certificates for deployment.

  2. Log on to a domain-joined computer with Enterprise Admin rights and run these commands from an Administrator command prompt to add the cloud root certificate(s) into the Enterprise NTauth store:

    Note

    For environments where the VPN server is not joined to the Active Directory domain, the cloud root certificates must be added to the Trusted Root Certification Authorities store manually.

    Commands and what each one does:
    • certutil -dspublish -f VpnCert.cer RootCA: Creates two Microsoft VPN root CA gen 1 containers under the CN=AIA and CN=Certification Authorities containers, and publishes each root certificate as a value on the cACertificate attribute of both Microsoft VPN root CA gen 1 containers.
    • certutil -dspublish -f VpnCert.cer NTAuthCA: Creates one CN=NTAuthCertificates container under the CN=AIA and CN=Certification Authorities containers, and publishes each root certificate as a value on the cACertificate attribute of the CN=NTAuthCertificates container.
    • gpupdate /force: Expedites adding the root certificates to the Windows server and client computers.

  3. Verify that the root certificates are present in the Enterprise NTauth store and show as trusted:

    1. Log on to a server with Enterprise Admin rights that has the Certificate Authority Management Tools installed.

    Note

    By default, the Certificate Authority Management Tools are installed on Certificate Authority servers. They can be installed on other member servers as part of the Role Administration Tools in Server Manager.

    2. From the Start menu, enter pkiview.msc to open the Enterprise PKI dialog.
    3. Right-click Enterprise PKI and select Manage AD Containers.
    4. Verify that each Microsoft VPN root CA gen 1 certificate is present under:
      • NTAuthCertificates
      • AIA Container
      • Certificate Authorities Container
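The same verification can be scripted instead of clicking through pkiview.msc. The PowerShell below is an added example, not part of the Microsoft article; it assumes the downloaded file is named VpnCert.cer (the file name the certutil commands above use), that it runs on a domain-joined computer, and that the account can read the forest configuration partition. It binds to the three Public Key Services containers with the built-in ADSI classes, decodes every cACertificate value, and reports whether the root certificate's thumbprint is present in each.

```powershell
# Added example (not from the Microsoft article): check that the conditional
# access root certificate is published to CN=NTAuthCertificates, CN=AIA and
# CN=Certification Authorities in the configuration partition.
# Assumption: .\VpnCert.cer is the certificate downloaded in step 1.
param(
    [string]$CertPath = '.\VpnCert.cer'
)

Add-Type -AssemblyName System.DirectoryServices

# Thumbprint we expect to find on the cACertificate attribute in AD.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    ((Resolve-Path $CertPath).ProviderPath)
Write-Host ("Expecting '{0}' with thumbprint {1}" -f $expected.Subject, $expected.Thumbprint)

# Public Key Services lives in the forest configuration naming context.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"

# Return the thumbprints of all cACertificate values on one directory object.
function Get-PublishedThumbprints {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $thumbprints = @()
    foreach ($raw in @($Entry.Properties['cACertificate'])) {
        if ($raw -is [byte[]]) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
            $thumbprints += $cert.Thumbprint
        }
    }
    return $thumbprints
}

$results = @(foreach ($name in 'NTAuthCertificates', 'AIA', 'Certification Authorities') {
    $path = "LDAP://CN=$name,$pks"
    if (-not [ADSI]::Exists($path)) { Write-Warning "CN=$name not found under $pks"; continue }
    $entry = [ADSI]$path
    # NTAuthCertificates carries cACertificate itself (certutil ... NTAuthCA);
    # AIA and Certification Authorities hold one child object per CA, such as
    # "Microsoft VPN root CA gen 1" (certutil ... RootCA).
    $objects = if ($name -eq 'NTAuthCertificates') { @($entry) } else { @($entry.Children) }
    foreach ($obj in $objects) {
        [pscustomobject]@{
            Container = $name
            Object    = $obj.Name
            Present   = (Get-PublishedThumbprints $obj) -contains $expected.Thumbprint
        }
    }
})

$results | Format-Table Container, Object, Present -AutoSize

# Other CAs (for example the enterprise's own root) legitimately appear under
# AIA and Certification Authorities without this certificate, so the test is
# "at least one object per container carries the thumbprint", not "every object".
$missing = foreach ($name in 'NTAuthCertificates', 'AIA', 'Certification Authorities') {
    if (-not ($results | Where-Object { $_.Container -eq $name -and $_.Present })) { $name }
}
if ($missing) {
    Write-Warning ('Root certificate not published in: ' + ($missing -join ', '))
    exit 1
}
Write-Host 'Root certificate is published in all three containers.'
```

Run it after step 2 and the gpupdate /force; a non-zero exit means at least one container still lacks the certificate, which is the condition that makes the GUI check in step 3 fail. This script reads the authoritative copy in AD; to confirm that a given server has picked up the NTAuth entries locally after Group Policy refresh, certutil -viewstore -enterprise NTAuth lists the cached store on that machine.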

Next steps

Step 7.5. Create OMA-DM based VPNv2 Profiles to Windows 10 devices: In this step, you can create OMA-DM based VPNv2 profiles using Intune to deploy a VPN Device Configuration policy. If you want to use Microsoft Endpoint Configuration Manager or PowerShell Script to create VPNv2 profiles, see VPNv2 CSP settings for more details.