How To Manage Certificates with Intune

Kainoa Lee Education


Certificate management has its own challenges; one of them is finding the right PKI for certificate deployment. Administrators often believe they have only two options: paying for a pricey PKI that has all the small features they need, or running a hard-to-manage custom PKI that requires manpower and expertise. Intune is commonly used alongside AD CS, an on-prem PKI that can be expensive, makes certificate management difficult in the long run, and ties your organization to on-premises infrastructure.

SecureW2 is vendor-neutral and supports Intune alongside any AP and RADIUS server. Organizations aren't stuck with an on-prem AD CS PKI and can move their certificate management to the cloud.

This guide explains how to deploy certificates through Intune and SecureW2, and how to manage those certificates afterwards.


Prerequisites

The following are the prerequisites for setting up Intune so that devices can enroll for digital certificates using the Simple Certificate Enrollment Protocol (SCEP):

  • A Microsoft Online Services account with an Intune subscription.
  • Users must be assigned Intune licenses before they can enroll their devices in Intune.
  • The JoinNow Cloud Management Portal has been set up for TLS (Root and Intermediate Device CAs are present).

Device Profiles in Microsoft Intune

Device profiles allow you to add and configure settings and then push those settings to devices in your organization. The following profiles need to be created for end user devices to successfully connect to the secured network using user certificates.

  • Step 1. Trusted certificate profile for the RADIUS server's Root and Intermediate CA certificates.
  • Step 2. Trusted certificate profile for the SecureW2 Issuing CA.
  • Step 3. SCEP certificate profile for SecureW2 SCEP certificate requests.
  • Step 4. Wi-Fi profile for the secure SSID configuration.

Note: You must create a separate profile for each platform.

Prerequisite: Generate SCEP URL, Policies, and Attributes

  1. Navigate to API Tokens under Identity Management
  2. Click Add API Token
  3. Enter a Name, select the Vendor, and click Update
  4. A CSV file containing the SCEP URL and the shared secret is downloaded. Treat the shared secret like a password: it is the SCEP challenge password, and anyone who holds it together with the URL can request certificates from your Issuing CA.


User Role and Enrollment Policies

Setting up Intune requires two separate policies in the SecureW2 management portal: a User Role Policy and an Enrollment Policy. Intune does not need a dedicated Device Role policy; you can use the Default Device Role policy with its default settings.

Configuring the Role Policy:

  1. Navigate to Policy Management
  2. Click Add Role
  3. Navigate to the Conditions tab
  4. Select Intune as your Identity Provider
  5. Click Update

Configuring the Enrollment Policy:

  1. Navigate to Policy Management
  2. Click Enrollment Policy
  3. Click Add Enrollment Policy
  4. Enter a Name
  5. Click Save
  6. Navigate to the Conditions tab
  7. Under User Role, select the Role Policy you just created (whatever you named it)
  8. Leave Device Role as DEFAULT DEVICE ROLE
  9. Click Update
  10. Navigate to the Settings tab
  11. Select the Intermediate CA that will issue the certificates
  12. Under Use Certificate Template, select the Certificate Template for these enrollments
  13. Leave Revoke Certificate set to Automatically
  14. Click Update


Step 1. Trusted Certificate Profile for RADIUS Certificate

This profile carries the certificate(s) of the authority that issued your RADIUS server certificate. Devices use them to validate the RADIUS server certificate during the EAP handshake, so they only authenticate to your server. You achieve this in the profile configuration by adding the Root and/or Intermediate CA certificates that issued the RADIUS server certificate; when you assign the profile, the Intune-managed devices receive those trusted certificates. Note that the CA exported in 1.1 is a public root: any server certificate chained to it would pass the trust check, so the Wi-Fi profile in Step 4 must also pin the expected RADIUS server name(s). Without that, a rogue access point presenting a publicly issued certificate for some other name would be trusted.
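
As an added illustration of that caveat (this is example code, not SecureW2's or Microsoft's, and the certificates, names and policies in it are constructed), the following Python models the decision a supplicant makes when the access point presents a server certificate: chain to the configured root only, versus chain plus pinned server names. Chain building is done by matching issuer and subject names rather than verifying signatures, to keep the policy logic in view.

```python
"""Supplicant-side RADIUS server certificate check (added example).

Not SecureW2 or Microsoft code. Certificates are modelled as plain dicts and
chain building is done by issuer/subject name instead of signature
verification, so the focus stays on the policy decision: a trusted-root
profile alone, versus trusted root plus pinned server names. All names,
certificates and policies below are constructed for the example.
"""
import fnmatch

# The public root the guide exports in 1.1 (the chain underneath it is constructed).
TRUSTED_ROOT = "DigiCert Global Root CA"

INTERMEDIATE = {"subject": "Public Intermediate CA G2", "issuer": TRUSTED_ROOT,
                "dns_names": [], "eku": []}
CORP_RADIUS = {"subject": "radius.example.com", "issuer": INTERMEDIATE["subject"],
               "dns_names": ["radius.example.com"], "eku": ["serverAuth"]}
# A certificate any attacker can legitimately buy from the same public CA.
ROGUE_RADIUS = {"subject": "wifi.attacker.example", "issuer": INTERMEDIATE["subject"],
                "dns_names": ["wifi.attacker.example"], "eku": ["serverAuth"]}
# A self-signed certificate that merely claims the corporate name.
SELF_SIGNED = {"subject": "evil-ap", "issuer": "evil-ap",
               "dns_names": ["radius.example.com"], "eku": ["serverAuth"]}

# What a trusted-certificate profile alone gives you ...
WEAK_POLICY = {"trusted_roots": [TRUSTED_ROOT], "server_names": []}
# ... and what the Wi-Fi profile should add.
HARDENED_POLICY = {"trusted_roots": [TRUSTED_ROOT],
                   "server_names": ["radius.example.com"]}


def chains_to_trusted_root(chain, trusted_roots):
    """Walk leaf -> issuers; succeed only if some issuer is a configured root.

    Simplification: links are matched by name, not by verifying signatures.
    """
    for i, cert in enumerate(chain):
        if cert["issuer"] in trusted_roots:
            return True
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt["subject"] != cert["issuer"]:
            return False
    return False


def name_allowed(dns_names, allowed):
    """Exact or leading-wildcard (*.example.com) match against the pinned list."""
    return any(fnmatch.fnmatchcase(n, a) for n in dns_names for a in allowed)


def server_cert_acceptable(chain, policy):
    """Return (accepted, reason) for the server certificate chain the AP sent."""
    leaf = chain[0]
    if not chains_to_trusted_root(chain, policy["trusted_roots"]):
        return False, "chain does not end in a trusted root"
    if "serverAuth" not in leaf["eku"]:
        return False, "leaf certificate lacks id-kp-serverAuth"
    if not policy["server_names"]:
        # Accepted, but so is every other certificate issued under that root.
        return True, "root trusted; no server name pinned"
    if not name_allowed(leaf["dns_names"], policy["server_names"]):
        return False, "server name %s not pinned" % leaf["subject"]
    return True, "root trusted and server name matches"


if __name__ == "__main__":
    for label, chain in [("corporate", [CORP_RADIUS, INTERMEDIATE]),
                         ("rogue, same public CA", [ROGUE_RADIUS, INTERMEDIATE]),
                         ("rogue, self-signed", [SELF_SIGNED])]:
        for pname, policy in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)]:
            print("%-22s %-9s %s" % (label, pname, server_cert_acceptable(chain, policy)))
```

Under WEAK_POLICY the rogue certificate is accepted just like the corporate one, because both chain to DigiCert Global Root CA; under HARDENED_POLICY only radius.example.com passes. On Windows the equivalent Wi-Fi profile setting is the list of certificate server names; on Apple platforms it is the trusted server certificate names in the EAP payload.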

You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

1.1 Export RADIUS Server Root CA

First you need the Root CA of your RADIUS server's certificate chain. In this guide we configure Intune with the SecureW2 RADIUS server, so we export the Root CA from the SecureW2 management portal.

To export the SecureW2 RADIUS server's Root CA:

  1. Click Network Profiles
  2. Click Edit on the Network Profile you configured earlier
  3. Click Add/Remove Certificate in the Certificates section
  4. Check the box next to DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031)
  5. Click Update
  6. The CA will appear in the Certificates section
  7. Click Download

1.2 Create a Trusted Certificate Profile

Now that we have downloaded the RADIUS server's Root CA certificate, we need to create a Trusted Certificate Profile in Intune to push this certificate to our devices.

  1. Sign in to the Azure portal
  2. Select All services, filter on Intune, and select Microsoft Intune
  3. Select Device configuration > Manage > Profiles > Create profile
  4. Enter a Name and Description for the trusted certificate profile
  5. From the Platform drop-down list, select the device platform for this trusted certificate:
    • Android
    • iOS
    • macOS
    • Windows 10 and later
  6. From the Profile type drop-down list, choose Trusted certificate
  7. Browse to the Root CA certificate you saved in 1.1 Export RADIUS Server Root CA, then select OK
    • For Windows 8.1 and Windows 10 devices only, select the Destination Store for the trusted certificate: Computer certificate store – Root
  8. When you're done, choose OK, go back to the Create profile pane, and select Create
  9. The profile is created and appears in the list
  10. To assign this profile, see 4.2 Assigning a Device Profile

Step 2. Trusted Certificate Profile for SecureW2 Issuing CA Certificate

This profile is required to map the SecureW2 Issuing CA certificate to the SCEP certificate profile (it is selected as the Root Certificate in Step 3). This CA certificate must be the one that issues the end user certificates.

You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.

2.1 Export Your SecureW2 Issuing CA certificate

Export the SecureW2 Issuing Certification Authority (CA) certificate as a public certificate (.cer) from the SecureW2 management portal.

  1. Log in to the SecureW2 management portal
  2. Navigate to PKI Management > Certificate Authorities
  3. Under the Certificate Authorities section, beside the Issuing Intermediate CA certificate, click Download

This certificate is imported when you set up the trusted certificate profile below.

2.2 Create Trusted Certificate Profile

Follow the steps in 1.2 Create a Trusted Certificate Profile, with one difference:

  1. Locate the certificate you saved in 2.1 Export your SecureW2 Issuing CA certificate, then select OK.


Step 3. SCEP Certificate Profile for SecureW2 SCEP Certificate Requests

This profile lets end user devices enroll for end user certificates from the SecureW2 Issuing CA over SCEP. Once the end user certificate is enrolled successfully, the device uses it to authenticate to the Wi-Fi network.

You must create a separate profile for each OS platform. The steps to create SCEP certificate profiles are similar for each device platform.

3.1 Create a SCEP Certificate Profile

  1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune
  2. Select Device configuration > Profiles > Create profile
  3. Enter a Name and Description for the SCEP certificate profile
  4. From the Platform drop-down list, select the device platform for this SCEP certificate. You can select one of the following platforms:
    1. Android
    2. iOS
    3. macOS
    4. Windows 10 and later
  5. From the Profile type drop-down list, select SCEP certificate. Enter the following settings:
    1. Certificate type: Choose User for user certificates. Choose Device for scenarios such as userless devices (device kiosks), or for Windows devices where the certificate should be placed in the Local Computer certificate store.
      • Note: Certificate Type is not a setting on Android SCEP profiles
    2. Subject name format: Select how Intune automatically creates the subject name in the certificate request. The options change depending on whether you chose a User or Device certificate type. Choose from:
      • Common name
      • Common name including email
      • Common name as email
    3. Subject alternative name: Select how Intune automatically creates the subject alternative name (SAN) in the certificate request. The options change depending on the certificate type. Select the following attributes:
      • Email address
      • User principal name (UPN)
    4. Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, Windows 10): Select where the certificate's private key is stored. Choose the following value so the key is hardware-protected wherever a TPM exists:
      • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
    5. Key usage: Select both options. Digital signature is the one EAP-TLS client authentication actually exercises (the client signs the TLS handshake with its private key); Key encipherment covers RSA key transport.
      • Key encipherment: Allow key exchange only when the key is encrypted
      • Digital signature: Allow key exchange only when a digital signature helps protect the key
    6. Key size (bits): Select the number of bits in the key. Choose 2048 or larger; 1024-bit RSA keys are no longer considered secure.
    7. Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, Windows 10): Select the strongest level that the connecting devices support; prefer SHA-2 over SHA-1.
    8. Root Certificate: Choose the trusted certificate profile created in 2.2 Create Trusted Certificate Profile, i.e. the Issuing CA profile you previously configured and assigned to the user and/or device.
    9. Extended key usage: Add values for the certificate's intended purpose. In most cases the certificate requires Client Authentication (OID 1.3.6.1.5.5.7.3.2) so that the user or device can authenticate to a server.
    10. Enrollment Settings
      • Renewal threshold (%): Enter the percentage of the certificate lifetime that must remain before the device requests renewal of the certificate.
      • SCEP Server URLs: Enter the SCEP URL from the CSV downloaded in the Prerequisite section.
    11. Select OK, and Create your profile
    12. The profile is created and appears on the profiles list pane. Next, assign the device profile (see 4.2 Assigning a Device Profile).
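
To make the Step 3 settings concrete, here is an added Python example (not SecureW2's or Microsoft's code) of what a SCEP client does with them: it derives the GetCACaps/GetCACert/PKIOperation URLs from the SCEP URL in the CSV from the Prerequisite section, reads the CA's GetCACaps answer to decide which hash and cipher the Hash algorithm setting can realistically use, and evaluates the Renewal threshold (%). The CSV column names, the URL and the GetCACaps responses are constructed for the example; the real CSV layout may differ.

```python
"""Client-side handling of a SCEP profile's settings (added example).

Not SecureW2 or Microsoft code: it models, with the Python standard library
only, three things an MDM agent does with the values from the Prerequisite
section and Step 3: build the SCEP operation URLs from the SCEP URL in the
downloaded CSV, read the CA's GetCACaps response to pick a hash and cipher
for PKIOperation, and apply the renewal threshold. The CSV column names, the
SCEP URL and the GetCACaps responses are constructed here.
"""
import csv
import io
from datetime import datetime
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed stand-in for the CSV downloaded from API Tokens (column names assumed).
SAMPLE_CSV = ("name,scep_url,shared_secret\n"
              "intune-scep,https://scep.example.com/scep,s3cr3t-challenge\n")

# Constructed GetCACaps bodies: one capability keyword per line (RFC 8894, 3.5.2).
SAMPLE_CACAPS = "SCEPStandard\r\nPOSTPKIOperation\r\nSHA-256\r\nAES\r\nRenewal\r\n"
LEGACY_CACAPS = "DES3\r\n"   # a CA that advertises no SHA-2 hash at all

HASH_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]   # strongest first
CIPHER_PREFERENCE = ["AES", "DES3"]
KNOWN_CAPS = set(HASH_PREFERENCE) | set(CIPHER_PREFERENCE) | {
    "SCEPStandard", "POSTPKIOperation", "Renewal", "GetNextCACert"}


def parse_token_csv(text):
    """Return (scep_url, shared_secret) from the first data row of the CSV."""
    row = next(csv.DictReader(io.StringIO(text)))
    return row["scep_url"], row["shared_secret"]


def scep_operation_url(base_url, operation, message=None):
    """Build a SCEP GET URL: <base>?operation=<op>[&message=<msg>] (RFC 8894, 4.1)."""
    parts = urlsplit(base_url)
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    encoded = urlencode(query)
    if parts.query:                       # keep any query the portal already included
        encoded = parts.query + "&" + encoded
    return urlunsplit((parts.scheme, parts.netloc, parts.path, encoded, ""))


def parse_cacaps(body):
    """Set of recognised capability keywords; unknown lines are ignored per the RFC."""
    return {line.strip() for line in body.splitlines() if line.strip() in KNOWN_CAPS}


def negotiate(caps):
    """Pick (hash, cipher) for PKIOperation, or None when only the historical
    defaults (MD5 and single DES) would remain. A client that silently falls
    back here would sign its CSR envelope with MD5."""
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), None)
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), None)
    if hash_alg is None or cipher is None:
        return None
    return hash_alg, cipher


def _dt(value):
    """Accept datetimes or ISO 8601 strings so the check is easy to drive."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def renewal_due(not_before, not_after, threshold_pct, now):
    """True once no more than threshold_pct of the certificate lifetime remains."""
    not_before, not_after, now = _dt(not_before), _dt(not_after), _dt(now)
    lifetime = not_after - not_before
    remaining = not_after - now
    return remaining <= lifetime * (threshold_pct / 100.0)


if __name__ == "__main__":
    url, secret = parse_token_csv(SAMPLE_CSV)
    print("GetCACaps :", scep_operation_url(url, "GetCACaps"))
    print("GetCACert :", scep_operation_url(url, "GetCACert", "ca-ident"))
    print("negotiated:", negotiate(parse_cacaps(SAMPLE_CACAPS)))
    print("legacy CA :", negotiate(parse_cacaps(LEGACY_CACAPS)))
    print("renew at 20%, 2024-11-01:",
          renewal_due("2024-01-01", "2025-01-01", 20, "2024-11-01"))
```

The point of negotiate() is the failure mode: a CA that advertises no SHA-2 hash leaves the client on the historical MD5/DES defaults, so enrollment should fail loudly rather than fall back. The renewal check is what gives the Renewal threshold setting its meaning: with a one-year certificate and a 20% threshold the device asks for a new certificate roughly ten weeks before expiry, which leaves room for the device being offline or the SCEP gateway being unavailable for a while.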

Step 4. Wi-Fi Profile for Secured SSID Configuration

Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is called a "profile" and can be assigned to different users and groups. Once assigned, users get access to the network without configuring it themselves. Whatever the platform, the Wi-Fi profile ties the earlier steps together: the EAP type is EAP-TLS, server validation uses the trusted certificate profile from Step 1 together with the RADIUS server name(s) devices should accept, and client authentication uses the SCEP certificate profile from Step 3.

4.1 Create a Wi-Fi Profile

  1. In the Azure portal, select All services
    1. Filter on Intune
    2. Select Microsoft Intune
  2. Select Device configuration > Profiles > Create profile
  3. Enter a Name and Description for the Wi-Fi profile
  4. In the Platform drop-down list, select the device platform to apply the Wi-Fi profile to:
    1. Android
    2. iOS
    3. macOS
    4. Windows 10 and later
      1. Note: You must create a separate profile for each OS platform. The Wi-Fi settings differ by platform; see 4.3 to 4.6 below.
  5. In Profile type, choose Wi-Fi
  6. Configure the Wi-Fi settings for the selected platform (sections 4.3 to 4.6)
  7. When finished adding your Wi-Fi profile, select Create Profile > Create to add the configuration profile. The profile is created and is shown in the profiles list (Device configuration > Profiles).
  8. Next, assign the device profile

4.2 Assigning a Device Profile

  1. In the Azure portal, select All services > filter on Intune > select Intune
  2. Select Device configuration > Profiles, where all the profiles are listed
  3. Select the profile you want to assign > Assignments
  4. Choose Include groups or Exclude groups, and then select your groups. The groups you select are Azure AD groups. To select multiple groups, hold down the Ctrl key while selecting.
  5. Save your changes

4.3 Add Wi-Fi Profile for Devices Running Android

You can create a profile with specific settings as per the image below, then deploy this profile to your Android devices.

4.4 Add Wi-Fi Profile for iOS Devices

You can create a profile with specific settings as per the image below, then deploy this profile to your iOS devices.

4.5 Add Wi-Fi Profile for macOS Devices

You can create a profile with specific settings as per the image below, then deploy this profile to your macOS devices.

4.6 Add Wi-Fi Profile for Windows 10 and Later Devices

You can create a profile with specific settings as per the image below, then deploy this profile to your Windows devices.

Once this is completed, the network is ready to authenticate managed devices using digital certificates. Now we can talk about how you can manage those certificates.

Automating Certificate Generation for Managed Devices with Intune

After setting up Intune to deploy certificates, let’s talk about why the setup was necessary and how it can help you out in the long run.

SCEP (Simple Certificate Enrollment Protocol) simplifies enrollment so administrators can enroll every managed device for a certificate without any end user action. You don't have to visit each device individually; all the devices enroll and configure themselves automatically.

SCEP lets a device enroll for a certificate from a PKI using a URL and a shared secret (the challenge password) known to the CA. Mobile Device Management (MDM) software commonly uses SCEP by pushing a payload containing the SCEP URL and shared secret to managed devices.

The SecureW2 Management Portal has the necessary components to deploy a SCEP Gateway with any major MDM, like Intune, in less than an hour. You can easily:

  • Create a Custom Private Intermediate CA
  • Create a Signing CA, signed by the Intermediate CA
  • Generate the SCEP Gateway API URL and Shared Secret
  • Optional: Configure Custom Certificate Templates and Enrollment Policies

Using SecureW2 to Easily Manage Certificates With Intune

SecureW2 lets you manage the entire certificate lifecycle, from issuance to revocation, and its SCEP solution lets MDM providers like Intune equip devices with certificates with no end user interaction.

Historically, organizations using credential-based authentication with LDAP could check the identity provider at login time to make sure that users whose access had been withdrawn could not harm the network. SecureW2's industry-first technology allows its RADIUS to dynamically check your identity provider while using certificate-based authentication, so a valid certificate alone is not enough if the account behind it has been disabled. You can check out our pricing here and see what else we have to offer.


Learn About This Author

Kainoa Lee

Kainoa Lee is a recent graduate of Central Washington University who majored in Marketing. He works at SecureW2 as part of the marketing team and helps with analytics and website design. He was an accomplished sportsman who won a state championship in his soccer league, and he enjoys cooking, drawing and video games in his free time.