Setting up Certificate Services and Intune Certificate Connector - brian-anderson01/Capstone GitHub Wiki

Install the role

  • On your server, open server manager, click manage and then choose add roles and features
  • Click next, choose your desired server, then click next again
  • At the top of the list check the box next to "Active Directory Certificate Services" then click add features on the pop-up
  • Click next until you reach the install, then choose install
  • Once installed, click the notifications in the top left of server manager and choose Configure Active Directory certificate services
    • Click next and then check the box next to certification authority then click next
    • Click next again and either make a new key or import one
    • To make a new key, choose the option and click next
  • Select your cryptographic provider and key length, then the hash algorithm; I left mine as the defaults
    • Click next and then next again
    • Specify the validity period for the certificate and then click next
    • Click next again and then configure
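The same role install and CA configuration as a script, added here as an example (not from the wiki), with the provider, key length, hash and validity stated explicitly instead of accepted as wizard defaults; the CA common name and the assumption that you want an enterprise root CA are mine.

```powershell
# Added example, not from the wiki: scripted equivalent of the wizard steps above.
# The CA common name and the choice of an enterprise root CA are assumptions.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'Capstone-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Confirm the service is running and the CA answers requests
Get-Service CertSvc | Select-Object Name, Status
certutil -ping

# Confirm the CA certificate really carries the intended signature algorithm and key size
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=Capstone-Root-CA*' }
$caCert | Select-Object Subject, NotAfter,
    @{ n = 'SigAlg';  e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }
```

Run it in an elevated PowerShell session as a member of Enterprise Admins, which is what Install-AdcsCertificationAuthority requires for an enterprise CA.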

Installing the Intune Certificate Connector

  • Sign in to Intune Endpoint Manager
  • Select Tenant administration -> Connectors and tokens -> Certificate connectors -> Add
  • Click the hyperlink in the message to download the certificate connector setup
  • Run the setup on an Intune enrolled computer that will be used as the connector and click install
  • Once installed, click Configure Now
    • Click next on the welcome page
    • Choose the features you would like to install; I will be using PKCS, so I left the features at the default
    • For the service account, select whichever option you prefer; I went with the SYSTEM account
    • Next, input any proxy information if applicable or click next to skip
    • The program will check prerequisites; once done, click next
    • On the next page click Sign in and sign in with your Intune / Azure admin account
    • Once you see sign-in successful click next
    • Wait while the program configures
    • Once it finishes click exit
    • In Intune on the Certificate connectors page, the server should show up

Creating certificate templates and setup after installing the connector

  • After finishing the setup above, open cmd and run the following command to save the CA certificate to a file (you will import this file into Intune later):
    • certutil -ca.cert dc-cert.cer
  • Next, choose AD CS in server manager and open Certification Authority
    • Right-click Certificate Templates, and select Manage
    • Find the User certificate template, right-click it, and choose Duplicate Template
    • Set Certification Authority to Windows Server 2008 R2
    • Set Certificate recipient to Windows 7 / Server 2008 R2
    • In Request Handling, select Allow private key to be exported
    • In the General tab, set the Template display name; you will need this later
    • In Cryptography, confirm that the Minimum key size is set to 2048
    • In Subject Name, choose Supply in the request
    • In Extensions, confirm that you see Encrypting File System, Secure Email, and Client Authentication under Application Policies.
    • In Security, add the Computer Account for the computer where you installed the Certificate Connector. Allow this account Read and Enroll permissions.
    • Click apply and ok to create the template
  • Reopen Certification Authority and right-click on Certificate Templates on the left
    • Choose New -> Certificate Template to Issue
    • Choose the template that you created in the previous steps and select OK
  • Next, click on Certification Authority in the top left of the window, then right-click on the DC in the list and choose properties
    • On the security tab, add the Computer account you used earlier
    • Grant Issue and Manage Certificates and Request Certificates permissions to the computer account
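A verification script for the template steps above, added here as an example and not part of the wiki: it reads the template object from Active Directory, confirms the settings the steps call for (subject supplied in the request, exportable key, key size, Client Authentication EKU, published on a CA) and lists who holds Enroll. The template name and the connector computer's account name are assumptions; the script reads the template's "Template name" (its CN in AD), which can differ from the display name set in the General tab.

```powershell
# Added verification script, not part of the wiki. Confirms the duplicated template
# carries the settings from the steps above and that only the connector computer
# account can enroll. The two names below are assumptions; replace them.
Import-Module ActiveDirectory

$TemplateName     = 'IntunePKCSUser'   # the template's "Template name" (its CN in AD), assumed
$ConnectorAccount = 'CONNECTOR01$'     # SAM account name of the connector computer, assumed

$cfg   = (Get-ADRootDSE).configurationNamingContext
$pks   = "CN=Public Key Services,CN=Services,$cfg"
$tplDn = "CN=$TemplateName,CN=Certificate Templates,$pks"

$props = @('msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size', 'pKIExtendedKeyUsage')
$tpl   = Get-ADObject -Identity $tplDn -Properties $props

# Flag bits defined in MS-CRTD: 0x1 = enrollee supplies subject, 0x10 = private key exportable
$suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1)  -ne 0
$exportableKey   = ($tpl.'msPKI-Private-Key-Flag'      -band 0x10) -ne 0
$hasClientAuth   = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2'   # Client Authentication OID

# Which enterprise CAs have published this template ("Certificate Template to Issue")?
$publishedOn = Get-ADObject -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -SearchBase "CN=Enrollment Services,$pks" -Properties certificateTemplates |
    Where-Object { $_.certificateTemplates -contains $TemplateName } |
    Select-Object -ExpandProperty Name

# Principals holding the Enroll extended right (well-known right GUID from MS-CRTD)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$enrollers = (Get-Acl -Path "AD:\$tplDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
    ForEach-Object { $_.IdentityReference.Value }

[pscustomobject]@{
    Template         = $TemplateName
    SubjectInRequest = $suppliesSubject
    ExportableKey    = $exportableKey
    MinKeySize       = $tpl.'msPKI-Minimal-Key-Size'
    ClientAuthEKU    = $hasClientAuth
    PublishedOnCA    = ($publishedOn -join ', ')
    EnrollGrantedTo  = ($enrollers -join ', ')
}

# Because the subject comes from the request and the key is exportable, whoever can
# enroll can obtain a certificate for any subject name, so Enroll should belong to the
# connector computer account alone (explicit Enroll ACEs only; GenericAll is not covered).
$extra = $enrollers | Where-Object { $_ -notlike "*\$ConnectorAccount" }
if ($extra) { Write-Warning "Enroll is also granted to: $($extra -join ', ')" }
```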

Creating the trusted certificate profile in Intune

  • In the Intune admin center, go to Devices -> Configuration profiles -> Create profile
  • Choose Windows 10 and later for the platform, then choose templates -> trusted certificate
  • Click create
    • Name the profile and input a description, then click next
    • Now, import the .cer file that we generated earlier on the server
    • Leave the destination store as Root, then click next
    • Add any users or devices that you want the certificate added to in assignments, then click next
    • Add applicability rules, or skip by clicking next
    • Finally, click create
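A pre-upload check for the .cer file, added here as an example and not part of the wiki: a trusted-certificate profile installs the file as a root on every assigned device, so the script confirms the file is the enterprise CA's own self-signed CA certificate, is still valid, and has the same thumbprint as the CA certificate registered in Active Directory. The file path is an assumption.

```powershell
# Added check, not part of the wiki. Validates the file produced by "certutil -ca.cert"
# before it is pushed out as a trusted root. The path is an assumption.
Import-Module ActiveDirectory

$CerPath = 'C:\temp\dc-cert.cer'

$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# A root CA certificate is self-issued, marked as a CA, and currently valid
$selfIssued = $file.Subject -eq $file.Issuer
$bc = $file.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa    = [bool]($bc -and $bc.CertificateAuthority)
$inDate  = (Get-Date) -lt $file.NotAfter
$keyBits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($file).KeySize

# Look for the same thumbprint among the certificates AD holds for enterprise CAs
$cfg = (Get-ADRootDSE).configurationNamingContext
$cas = Get-ADObject -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" -Properties cACertificate
$matchedCa = $null
foreach ($ca in $cas) {
    foreach ($raw in $ca.cACertificate) {
        $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        if ($adCert.Thumbprint -eq $file.Thumbprint) { $matchedCa = $ca.Name }
    }
}

[pscustomobject]@{
    Subject       = $file.Subject
    Thumbprint    = $file.Thumbprint
    SelfIssued    = $selfIssued
    IsCA          = $isCa
    ValidNow      = $inDate
    RsaKeyBits    = $keyBits
    MatchesCAInAD = $matchedCa
}

if (-not ($selfIssued -and $isCa -and $inDate -and $matchedCa)) {
    Write-Warning 'The file did not pass all checks; review it before uploading it as a trusted root.'
}
```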

Create a PKCS certificate profile

  • Return to Devices then go to Configuration profiles -> Create profile
  • Choose Windows 10 and later for the platform, then template for the profile
  • In the list choose PKCS certificate and click create
    • Name the profile and input a description then click next
    • Leave Renewal threshold default
    • Input the validity period you desire, or leave it as default
    • For KSP, choose Enroll to TPM KSP if present, otherwise Software KSP
    • In Certification authority, input the fully qualified domain name (FQDN) of your CA
    • For the CA name, input the name of your CA (can be found in the top left of the CA configuration window)
    • Input the template name of the template you made on the server
    • Set the certificate type to user or device
    • Click Next
    • Set assignments, then applicability, and then create the profile
  • With this profile in place, Intune-deployed resources such as a VPN can use the CA for certificate-based authentication and certificate deployment

Resources

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure
https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-install