
Recently, Microsoft introduced a new PKI-as-a-Service offering called Cloud PKI. This cloud-based PKI can issue and manage certificates to Intune-managed endpoints. Administrators can now deploy user and device authentication certificates using Intune Cloud PKI without deploying Active Directory Certificate Services (AD CS) on-premises. Numerous blog posts and YouTube videos show how to configure and deploy Intune Cloud PKI, so I won’t reinvent the wheel with a complete configuration guide here. This article will focus instead on integrating Microsoft Intune Cloud PKI with on-premises Active Directory (AD).
Note: Administrators must deploy certificates to all enterprise domain controllers and RADIUS servers to support certificate-based authentication with AD. However, Cloud PKI for Intune can only issue certificates to Intune-managed endpoints today. It cannot issue certificates to servers. Administrators must use another CA (AD CS or another Cloud PKI solution) to issue and manage domain controller and RADIUS server certificates on-premises to support this scenario.
AD Integration
While Intune Cloud PKI eliminates the need for on-premises AD CS infrastructure, there will be times when Cloud PKI-issued certificates will be used to authenticate to on-premises AD, either through a RADIUS server such as Windows Network Policy Server (NPS), which is common for VPN and Wi-Fi deployments, or other methods. Additional configuration is required to support this scenario.
Publish Root/Issuing CA Certificates
The Intune Cloud PKI root and issuing CA certificates must be published in AD to support on-premises AD authentication using Intune Cloud PKI-issued certificates. Follow the steps below to complete this task.
Note: Arguably, you could skip publishing the Intune Cloud PKI root and issuing CA certificates in on-premises AD because Cloud-PKI certificates can only be issued to Intune-managed endpoints, in which case you are likely already deploying the Cloud PKI root and issuing CA certificates using Intune. I’m including these steps for completeness. However, publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA certificate store in AD is required to support on-premises AD authentication using Intune Cloud PKI-issued certificates, so that step is mandatory.
RootCA Store
On a domain-joined computer on-premises, open an elevated PowerShell or command window and run the following command to publish the Intune Cloud PKI root CA certificate to the RootCA certificate store in AD.
certutil.exe -dspublish -f <path to Cloud PKI root CA certificate> RootCA
SubCA Store
Next, run the following command to publish the Cloud PKI issuing CA certificate to the SubCA certificate store in AD.
certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> SubCA
NtAuthCA Store
Finally, run the following command to publish the Intune Cloud PKI issuing CA certificate to the NtAuthCA certificate store in AD. Publishing the issuing CA certificate in the NtAuthCA store allows certificates issued by Intune Cloud PKI to be used to authenticate to on-premises AD if required. Be sure to run this command even if you did not run the previous commands to publish the Intune Cloud PKI root and issuing CA certificates in AD.
certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> NtAuthCa
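The following PowerShell script is an added example and not part of the original article. It runs the same three certutil commands in order, but first checks that the issuing CA certificate really chains to the supplied root, and afterwards reads the Public Key Services containers back from AD to confirm where each certificate landed. The file paths are placeholders, and the script assumes it is run on a domain-joined machine by an account allowed to write to those containers (Enterprise Admins by default).

```powershell
#Requires -RunAsAdministrator
# Publish the Cloud PKI root and issuing CA certificates with certutil -dspublish, then read the
# AD containers back to confirm what AD now trusts. Paths are placeholders; run on a domain-joined
# machine with rights to write to the Public Key Services containers (Enterprise Admins by default).
param(
    [string]$RootCaPath    = 'C:\CloudPKI\CloudPKI-Root.cer',    # placeholder
    [string]$IssuingCaPath = 'C:\CloudPKI\CloudPKI-Issuing.cer'  # placeholder
)
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$root = New-Object $X509 -ArgumentList $RootCaPath
$sub  = New-Object $X509 -ArgumentList $IssuingCaPath

# Sanity check before writing to AD: the issuing CA must actually be signed by this root.
if ($sub.Issuer -ne $root.Subject) {
    throw "Issuing CA '$($sub.Subject)' was not issued by '$($root.Subject)'; refusing to publish."
}

function Publish-CaCert([string]$Path, [string]$Store) {
    certutil.exe -dspublish -f $Path $Store | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $Store failed for $Path" }
}
Publish-CaCert $RootCaPath    'RootCA'
Publish-CaCert $IssuingCaPath 'SubCA'
Publish-CaCert $IssuingCaPath 'NTAuthCA'   # the step that lets AD accept these certs for logon

# Read back: thumbprints of every cACertificate value on an AD object (and on its child objects).
function Get-CaThumbprints($Entry) {
    foreach ($der in $Entry.Properties['cACertificate']) {
        (New-Object $X509 -ArgumentList (,[byte[]]$der)).Thumbprint
    }
}
function Get-PublishedThumbprints([string]$Dn) {
    $entry = [ADSI]"LDAP://$Dn"
    Get-CaThumbprints $entry
    foreach ($child in $entry.Children) { Get-CaThumbprints $child }
}
$configNC = [string]([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pks = "CN=Public Key Services,CN=Services,$configNC"
$expected = [ordered]@{
    "CN=Certification Authorities,$pks" = $root.Thumbprint   # written by RootCA
    "CN=AIA,$pks"                       = $sub.Thumbprint    # written by SubCA
    "CN=NTAuthCertificates,$pks"        = $sub.Thumbprint    # written by NTAuthCA
}
foreach ($dn in $expected.Keys) {
    $status = if ((Get-PublishedThumbprints $dn) -contains $expected[$dn]) { 'OK' } else { 'MISSING' }
    "{0,-7} {1}" -f $status, $dn
}
# Every CA in NTAuthCertificates can issue certificates AD will accept for logon, so list them all.
'NTAuthCertificates currently holds:'; Get-PublishedThumbprints "CN=NTAuthCertificates,$pks" | Sort-Object -Unique
```

The final listing is worth keeping as a periodic check: any thumbprint in NTAuthCertificates that you cannot map to a CA you deliberately published deserves investigation, since that store is what ties the Tier-0 warning in the summary to a concrete AD object.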
GUI
If you have an existing on-premises AD CS deployment, you can use the Enterprise PKI management console to publish the Intune Cloud PKI certificates in AD as an alternative to the command line. First, open the Enterprise PKI tool (pkiview.msc) on an existing on-premises Certification Authority (CA) server. Right-click the Enterprise PKI root node and choose Manage AD Containers. Add the Intune Cloud PKI root CA certificate to the Certification Authorities container. Next, add the Intune Cloud PKI issuing CA certificate to the Enrollment Services container. Finally, add the Intune Cloud PKI issuing CA certificate to the NTAuthCertificates container.
Summary
Administrators can use the Microsoft Intune Cloud PKI solution to issue and manage user and device authentication certificates for their Intune-managed endpoints. Using the commands above, administrators can also integrate their Intune Cloud PKI with on-premises Active Directory to support user and device authentication for common workloads such as Wi-Fi and VPN. Critically, when integrating Cloud PKI with on-premises Active Directory, your Intune administrators should be considered Tier-0 administrators, and appropriate security controls should be enforced.
Additional Information
Mastering Certificates with Microsoft Intune Training Course – May 14-16, 2024
Erin / March 5, 2024
I’ve been waiting for this forever! Do you know if it’s available for GCC? And THANK YOU!!!!
Richard M. Hicks / March 5, 2024
I have no idea. 🙂
Phil Ready / March 5, 2024
Hi Richard
Does this mean we can do PKI straight from Azure without having to use SCEPman?
Richard M. Hicks / March 5, 2024
You certainly can. However, have a close look at the licensing costs. Intune Cloud PKI requires the Intune Suite license, or you can use the individual add-on license. I’m not sure how those compare to SCEPman.
Laurie / December 28, 2024
Thanks for the guide. To clarify, I want to use 802.1X certificate-based authentication for my wireless clients using an on-premises NPS server. So this would mean I need to deploy the ‘bring-your-own-CA’ model with an on-prem AD CS server?
Richard M. Hicks / December 28, 2024
Not necessarily. You could use native Cloud PKI (root and issuing CA in Intune) and still use those certificates for on-premises authentication. The important thing is that the accounts you are authenticating (user or device) must be in on-premises Active Directory, as NPS is not cloud aware. So, as long as your accounts originate in AD and are synchronized with Entra ID, you can use Cloud PKI native or BYOCA and both will work.
Laurie / December 28, 2024
Thanks for the swift reply. I think the NPS server also needs a certificate, though. So I would have to either create self-signed certs or go with the BYOCA model, create a CA, and add one cert to the clients’ trusted root store rather than multiple self-signed certs.
Richard M. Hicks / December 29, 2024
That’s correct. Since you can’t issue certificates to devices that aren’t managed by Intune, and Cloud PKI for Intune lacks an interface to submit CSRs directly for signing, you’ll have to enroll the NPS server certificate from somewhere else. In this case you can have your internal PKI issue the NPS server certificate and then use the BYOCA issuing CA for endpoint certificates. Keep in mind that the NPS server certificate does not have to come from the same PKI, though. You could use a self-signed certificate (not recommended) or a public CA (Let’s Encrypt, DigiCert, etc.) as well.