Step 7.4. Deploy conditional access root certificates to on-premises AD
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10
In this step, you deploy the conditional access root certificate to your on-premises AD as a trusted root certificate for VPN authentication.
- Previous: Step 7.3. Configure the Conditional Access policy
- Next: Step 7.5. Create OMA-DM based VPNv2 Profiles to Windows 10 devices
On the VPN connectivity page, select Download certificate.
The Download base64 certificate option is available for some configurations that require base64 certificates for deployment.
Log on to a domain-joined computer with Enterprise Admin rights and run these commands from an Administrator command prompt to add the cloud root certificate(s) into the Enterprise NTauth store:
For environments where the VPN server is not joined to the Active Directory domain, the cloud root certificates must be added to the Trusted Root Certification Authorities store manually.
certutil -dspublish -f VpnCert.cer RootCA
Creates two Microsoft VPN root CA gen 1 containers under the CN=AIA and CN=Certification Authorities containers, and publishes each root certificate as a value on the cACertificate attribute of both Microsoft VPN root CA gen 1 containers.
certutil -dspublish -f VpnCert.cer NTAuthCA
Creates one CN=NTAuthCertificates container under the CN=AIA and CN=Certification Authorities containers, and publishes each root certificate as a value on the cACertificate attribute of the CN=NTAuthCertificates container.
Forcing a Group Policy refresh afterwards expedites adding the root certificates to the Windows server and client computers.
Verify that the root certificates are present in the Enterprise NTauth store and show as trusted:
- Log on to a server with Enterprise Admin rights that has the Certificate Authority Management Tools installed.
By default, the Certificate Authority Management Tools are installed on Certificate Authority servers. They can be installed on other member servers as part of the Role Administration Tools in Server Manager.
- From the Start menu, enter pkiview.msc to open the Enterprise PKI dialog.
- Right-click Enterprise PKI and select Manage AD Containers.
- Verify that each Microsoft VPN root CA gen 1 certificate is present under:
- AIA Container
- Certificate Authorities Container
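The publish step and the pkiview.msc verification above can be scripted so the check is repeatable. The following PowerShell is an added example, not code from the Microsoft article: it runs the two certutil commands shown earlier and then reads the AIA, Certification Authorities and NTAuthCertificates containers in the AD configuration partition to confirm the certificate's thumbprint was published. The download path C:\Temp\VpnCert.cer, the helper name Test-ContainerHasCert, and the assumption that the RootCA containers are named after the certificate's CN are all assumptions, not values from the page.

```powershell
# Added example (not from the Microsoft article). Run from an elevated prompt
# on a domain-joined machine with Enterprise Admin rights.
param(
    [string]$CertPath = "C:\Temp\VpnCert.cer"   # assumed download location
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Publishing '$($cert.Subject)' thumbprint $($cert.Thumbprint)"

# The same two certutil commands as the article; -f forces creation of missing containers.
& certutil.exe -dspublish -f $CertPath RootCA   | Out-Null
& certutil.exe -dspublish -f $CertPath NTAuthCA | Out-Null

# Verify in AD itself (what pkiview.msc's "Manage AD Containers" shows), not the
# local machine store: the containers live under CN=Public Key Services.
$cfg = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

function Test-ContainerHasCert {
    # Hypothetical helper: true if any cACertificate value on $Dn matches $Thumbprint.
    param([string]$Dn, [string]$Thumbprint)
    try {
        $entry = [ADSI]"LDAP://$Dn"
        foreach ($blob in $entry.Properties["cACertificate"]) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
            if ($c.Thumbprint -eq $Thumbprint) { return $true }
        }
    } catch { }   # container does not exist or is unreadable -> treat as missing
    return $false
}

# Assumption: the RootCA publish names its containers after the certificate's CN
# (the article's "Microsoft VPN root CA gen 1" containers).
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$checks = [ordered]@{
    "AIA"                       = "CN=$cn,CN=AIA,$pks"
    "Certification Authorities" = "CN=$cn,CN=Certification Authorities,$pks"
    "NTAuthCertificates"        = "CN=NTAuthCertificates,$pks"
}

$allOk = $true
foreach ($name in $checks.Keys) {
    $ok = Test-ContainerHasCert -Dn $checks[$name] -Thumbprint $cert.Thumbprint
    Write-Host ("{0,-28} {1}" -f $name, $(if ($ok) { "present" } else { "MISSING" }))
    if (-not $ok) { $allOk = $false }
}
if (-not $allOk) { exit 1 }   # non-zero exit lets a deployment pipeline fail the step
```

Because the check reads the directory rather than the local store, a MISSING result right after publishing points at replication or permissions, not at the client-side Group Policy refresh.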
Step 7.5. Create OMA-DM based VPNv2 Profiles to Windows 10 devices: In this step, you can create OMA-DM based VPNv2 profiles using Intune to deploy a VPN Device Configuration policy. If you want to use Microsoft Endpoint Configuration Manager or PowerShell Script to create VPNv2 profiles, see VPNv2 CSP settings for more details.