Note: This post has been updated and republished to reflect the return to the Microsoft Intune product name and to include updated learning resources for Always On VPN administrators.
Microsoft Intune is the recommended solution for deploying and managing Windows Always On VPN client configuration settings. Always On VPN is designed for Mobile Device Management (MDM), with configuration settings deployed specifically to the VPNv2 Configuration Service Provider (CSP) interface.
Resources
Getting up to speed on all things MEM isn’t difficult at all. I’ve found the MEM community to be exceedingly helpful, and there are many available training resources in various formats from which to choose.
Books
The following is a list of Microsoft Endpoint Manager books Always On VPN administrators will find most helpful for learning about MEM.
The Midwest Management Summit (MMS) is the premier event for systems management professionals. Their annual conference takes place each spring in the U.S. (Minneapolis, MN). The event is the best place to learn about Microsoft Endpoint Manager and network with systems management professionals worldwide.
ViaMonstra Online Academy
I will be delivering the Mastering Certificates with Microsoft Intune training course at the ViaMonstra online training academy May 14-16, 2024. This three-day live, interactive training course provides a comprehensive deep dive into all aspects of deploying and managing digital certificates using Microsoft Intune. Microsoft Cloud PKI will also be covered. Space is limited, so register today!
Recently, Microsoft introduced the general availability of its new PKI-as-a-service solution called Microsoft Intune Cloud PKI. Cloud PKI allows administrators to issue and manage user and device authentication certificates for Intune-managed endpoints without deploying Active Directory Certificate Services (AD CS) on-premises. Cloud PKI frees administrators from the burdens of deploying and managing AD CS, including the complicated Network Device Enrollment Service (NDES) server configuration required for Simple Certificate Enrollment Protocol (SCEP) certificate deployment with Intune.
Advantages
Microsoft Intune Cloud PKI offers many significant advantages over traditional on-premises AD CS deployments.
No Infrastructure
The most obvious advantage of using Cloud PKI is that you do not have to deploy and manage your own Certification Authority (CA). Although implementing AD CS isn’t that difficult, managing and operating a CA infrastructure securely can be quite challenging. In addition, a high-security AD CS deployment utilizes hardware secure modules (HSMs) to protect CA private keys, which are quite expensive and sometimes difficult to support.
Cloud-Hosted SCEP
Removing the requirement to configure and deploy your own NDES server to support SCEP certificates is certainly a welcome advantage. NDES is notoriously difficult to configure, secure, and troubleshoot when it doesn’t work correctly. Cloud PKI includes cloud hosted SCEP services that are highly available and redundant within the Microsoft Azure infrastructure.
Automatic Revocation
Cloud PKI automates the deployment of certificates to Intune-managed users and devices and automatically revokes certificates when they fall out of scope. Administrators can also manually revoke certificates using the Intune management console.
Reporting
Administrators can easily view the status of Cloud PKI-issued certificates in Intune. The UI shows the active, expired, and revoked certificates for the issuing CA.
Clicking View all certificates shows a detailed list of all certificates.
BYOCA
Another compelling feature of Cloud PKI is Bring Your Own CA (BYOCA). This feature enables administrators to deploy a cloud-hosted CA that is chained to their existing on-premises AD CS root CA. This is helpful for scenarios where AD CS is already in place and used to issue and manage certificates to existing domain-joined clients and servers. BYOCA effectively allows you to extend your existing CA infrastructure to the cloud and use Cloud PKI to issue and manage certificates for your Intune-managed endpoints while maintaining the full functionality and feature set of on-premises AD CS for non-Intune-managed devices.
Limitations
Although there are many advantages to Cloud PKI, there are some limiting factors to consider.
RSA Only
Today, Cloud PKI is limited to RSA keys only. Administrators can create CAs using RSA 2048, 3072, or 4096-bit keys. Elliptic Curve (EC) keys are not currently supported in Cloud PKI.
Intune Devices Only
Cloud PKI is limited to issuing certificates to Intune-managed devices only. Endpoints must be Entra-joined, or hybrid Entra-joined to enroll for certificates using Cloud PKI.
Inflexible Configuration
The Cloud PKI root and issuing CAs cannot be reconfigured after deployment. Since Cloud PKI root and issuing CAs don’t support the Any Purpose EKU (2.5.29.37.0), all EKUs must be defined when the CA is created. If, in the future, an administrator requires an EKU that was not present when the CA was deployed, an entirely new hierarchy (root and issuing CA) must be deployed.
There’s been much discussion about the cost associated with Cloud PKI. Cloud PKI can be licensed as part of the Intune Suite, which is $10.00 per user per month. Cloud PKI licenses will also be available as a standalone add-on for $2.00 per user per month. For large organizations, this might be cost-prohibitive.
Summary
Overall, Microsoft Intune Cloud PKI is a welcome addition to the Microsoft suite of cloud services. Certificates are excellent phishing-resistant credentials that can be used to improve security for organizations of all sizes. However, managing a CA can be tedious and time-consuming. Leveraging the cloud for PKI and certificate management will be helpful in many scenarios. However, Cloud PKI has some potential drawbacks, and many may not fit everyone.
More Information
Want to learn more about Microsoft Intune Cloud PKI and how it can benefit your organization? Take the first step towards streamlined certificate management and enhanced security for your organization. Fill out the form below, and I’ll provide more information about using Intune Cloud PKI to safeguard your digital assets confidently.
Do you have questions about Always On VPN? Are you having a specific issue you can’t figure out? Would you like more information about configuration options? Here’s your chance to get your questions answered! Join me on Tuesday, March 26, at 10:00 AM PDT (UTC -7) for an opportunity to ask me anything (AMA!) about Microsoft Windows Always On VPN and related technologies.
The AMA will be an open forum session where we can all talk shop about Always On VPN. It’s a great chance to learn new things and share experiences with your peers. We’ll discuss known issues and limitations, best practices, and more.
Everyone is welcome. Don’t miss out on this excellent opportunity to connect and learn. Register now!
Can’t make the session? Register anyway, and I’ll send you the link to the recording as soon as it is available!
