All posts in category Active Directory

Mastering Certificates with Microsoft Intune August 2025

I’m excited to announce that I will be delivering another edition of the Mastering Certificates with Microsoft Intune course, hosted by ViaMonstra Online Academy. This is a three-day live online training course that takes place August 26-28, 2025. This course dives deep into issuing and managing certificates using Microsoft Intune, covering both on-premises and cloud-based solutions.

Course Overview

This interactive training equips IT professionals with the skills to provision and manage enterprise PKI certificates using Microsoft Intune. It explores Active Directory Certificate Services (AD CS), Microsoft Cloud PKI for Intune, and non-Microsoft solutions, with live demonstrations featuring real-world scenarios.

Key Learning Objectives

Those taking the online training course will learn the following.

  • Certificate Basics: Understand certificate roles and enterprise use cases.
  • Deployment Options: Master Intune certificate deployment (Intune policies, revocation, security) and Microsoft Cloud PKI (licensing, benefits, limitations, BYOCA).
  • Intune Deployment: Learn PKCS and SCEP deployment, security best practices, and troubleshooting.
  • High Availability: Explore strategies for reliable certificate management.

Course Highlights

Here are some key highlights for attendees of the training.

  • Expert-Led: Learn from a veteran IT professional, a Microsoft MVP, with deep PKI and Intune expertise.
  • Interactive Demonstrations: The course includes numerous practical exercises in real-world scenarios.
  • Resources: Access to security best practices and sample scripts for automated configuration.
  • Community: Join a private Facebook group for peer collaboration.
  • Live Q&A: Engage directly with the instructor for a clearer understanding.

Who Should Attend?

This training event is ideal for IT administrators, security professionals, and systems engineers working with Intune, AD CS, or Microsoft Cloud PKI for Intune.

Prerequisites

Those attending the online training course should be familiar with the following.

  • Basic networking knowledge (TCP/IP, DNS).
  • Familiarity with Active Directory, Windows OS, and Intune.
  • Access to an AD CS setup and an Azure subscription with Intune Suite licenses.

Why It Matters

Certificates are vital for secure authentication and communication. This course bridges theory and practice, equipping you to deploy and manage digital certificates effectively in cloud-native environments.

Details

Here is some additional information about the training event.

  • When: August 26-28, 2025 (sessions begin at 9:00 AM CDT).
  • Where: Live online via ViaMonstra Online Academy.
  • Cost: $2,395.00 (Sold separately – not included in All-Access Pass).

Why ViaMonstra?

ViaMonstra delivers top-tier IT training from Microsoft MVPs, focusing on practical, up-to-date skills and fostering a collaborative community.

Take the Next Step

Ready to master certificate management with Microsoft Intune? Register at ViaMonstra Online Academy for the August 2025 Mastering Certificates with Microsoft Intune training course today!

Leave a comment
by Richard M. Hicks on June 27, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, authentication, Azure Active Directory, Azure AD, CBA, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, cloud, Cloud PKI, Cloud Service, Cryptography, Deployment, Device Management, education, Encryption, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra CBA, Entra Certificate-Based Authentication, Entra ID, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PFX Connector, PKCS, PKI, public cloud, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, Training, troubleshooting, Trusted Platform Module, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 27, 2025

https://directaccess.richardhicks.com/2025/06/27/mastering-certificates-with-microsoft-intune-august-2025/

The Case for Short-Lived Certificates in Enterprise Environments

Digital certificates, issued by an internal, private Certification Authority (CA) like Microsoft Active Directory Certificate Services (AD CS), are commonly used in enterprise environments for user and device authentication for workloads such as VPN, Wi-Fi (802.1x), System Center Configuration Manager (SCCM), IPsec, and more. But how long should a user or device authentication certificate be valid? This question is increasingly critical as organizations strive to balance security and operational efficiency. Short-lived certificates, typically valid for weeks or months rather than years, are gaining traction as a powerful tool to enhance security. By reducing the window of opportunity for attackers to exploit compromised credentials, short-lived certificates offer a proactive approach to mitigating risks while aligning with evolving security best practices and the needs of modern IT infrastructures.

What is a Certificate?

A digital certificate is a document that binds an identity to an asymmetric key pair (public key and private key). Certificates offer strong, phishing-resistant authentication that improves security and assurance for users and devices authenticating to Microsoft Active Directory (AD). When a certificate is issued, an administrator decides how long the certificate will be valid. The criticality of this setting is often overlooked.

Certificate Lifetime

Administrators must define the certificate’s validity period when creating a certificate template in AD CS or an Intune PKCS or SCEP device configuration policy. Most commonly, administrators select the default one-year validity period. However, public CAs are trending toward shorter certificate lifetimes, and strong consideration should be given to their use in private enterprise deployments.

Current Standards

Today, the maximum certificate lifetime for a publicly issued TLS certificate is 398 days (approximately 13 months). This standard is imposed by the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI). They established the 398-day certificate lifetime mainly in response to the previous decade’s plethora of SSL/TLS vulnerabilities.

Challenges

Having certificates with long lifetimes poses significant challenges for administrators when responding to key compromise events or zero-day vulnerabilities. This may necessitate urgent certificate replacement, often involving manual intervention. To address these challenges and promote automation, some public CAs like Let’s Encrypt issue certificates with much shorter lifetimes than one year.

Public CA Certificates

Shorter lifetimes for public SSL/TLS certificates have numerous positive security benefits. Short-lived certificates provide agility to update cryptography settings more rapidly than long-lived certificates. Also, the short lifetime of the certificate is beneficial if the private key is compromised because it limits the amount of time an attacker can exploit the stolen key, limiting exposure and reducing potential damage. These security benefits have driven significant changes in public CA practices, as seen in today’s standards.

47 Days

Recently, I wrote about a new directive from the CA/Browser Forum, which adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. The maximum lifetime for public TLS certificates will be gradually reduced to allow the industry to adopt short-lived certificates.

Enterprise CA Certificates

Private enterprise PKI deployments like AD CS are not required to adhere to CA/Browser Forum mandates. Organizations are free to manage their internal PKI however they choose. However, examining industry trends and ensuring that security best practices are aligned as much as possible is crucial. While public CAs set the pace, private enterprise PKI can adopt similar strategies to bolster security.

AD Authentication

As stated previously, many positive security benefits are associated with short-lived certificates, especially for authentication to Active Directory.

PKINIT

PKINIT is an extension to the Kerberos protocol that enables certificate-based authentication with Active Directory (AD). You can read about the details here, but PKINIT allows a principal (user or device) to authenticate to AD by simply demonstrating control of the private key. Thus, protecting the private key is vital.

TPM

Enrolling certificates in a Trusted Platform Module (TPM) is the best way to ensure private keys remain private. No one, including administrators, can export private keys protected by TPM. Administrators should ensure TPM enrollment for client authentication certificates whenever possible.

Guidance

Today, I recommend that my customers issue end entity user and device authentication certificates with a lifetime of no more than one year for 2048-bit RSA certificates with private keys stored on TPM. However, there are important considerations and compelling advantages to using much shorter lifetime certificates.

Best Practice

General use client authentication certificates should be enrolled to TPM without exception and have a valid lifetime of no more than one year. However, there is still value in using shorter lifetime certificates, even with TPM. For example, short-lived certificates ensure timely renewal, which can be helpful when implementing changes to certificate templates. A perfect example of this is the changes required to support KB5014754. Administrators may wish to use certificates with validity periods of less than one year to ensure timely replication of certificate settings changes and to provide more frequent key rotation.

Non-TPM

There may be scenarios where a client authentication certificate must be issued to a device without a TPM. Examples include virtual machines without TPM, VDI deployments, and legacy devices. These cases should be treated as exceptions and managed accordingly. Consider shortening the lifetime of non-TPM certificates to 90 days or less.

Privileged Users

Administrators or other privileged accounts enrolling for certificates can benefit from even shorter validity periods. Consider issuing client authentication certificates to these users with certificate lifetimes of 30 days or less.

Considerations

Short-lived certificates aren’t always ideal in all cases. For example, consider a scenario where a user or device is offline for a prolonged period, such as extended vacations, maternity or paternity leave, or sabbaticals. Users may experience issues accessing resources after returning from an extended absence. Of course, if they can re-enroll for certificates, this shouldn’t be a problem. For AD CS, it means connectivity to an enterprise issuing CA server. Intune-managed endpoints simply need Internet access to obtain a new certificate.

Automation

Working with short-lived certificates manually is infeasible. Automation is the key to success with short-lived certificates. For client authentication certificates issued on-premises, enabling certificate autoenrollment via group policy ensures that all domain-joined devices enroll and renew their certificates automatically. Certificates deployed and managed using Microsoft Intune are automated by default.

Summary

The next time you create a certificate template in AD CS or Intune, consider the certificate lifetime. Recommended best practice is no more than one year validity period for 2048-bit RSA end-entity certificates with hardware-backed key storage. However, consider shorter validity periods for those cases where it makes sense. Prioritize TPM enrollment and put additional controls in place for exceptions. Ensure automated enrollment and renewal are in place to reduce administrative overhead. Following the guidance outlined above, your organization will reduce its attack surface and limit exposure to compromised certificates.

More Information

If you’d like to learn more about implementing short-lived certificates in your organization, fill out the form below, and I’ll provide more information.

References

Digital Certificates for Strong Authentication

Digital Certificates and TPM

Drawbacks of Multifactor Authentication

Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol

Leave a comment
by Richard M. Hicks on April 28, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, CBA, Certificate Authentication, Certificate Authority, Certificate Services, Certificate-Based Authentication, certificates, Cloud PKI, Compliance, Cryptography, Enterprise, enterprise mobility, Group Policy, Infrastructure, InTune, Kerberos, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, PKCS, PKI, Professional Services, Remote Access, SCCM, Security, SSL, SSL and TLS, System Center Configuration Manager, TLS, TPM, Trusted Platform Module, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 28, 2025

https://directaccess.richardhicks.com/2025/04/28/the-case-for-short-lived-certificates-in-enterprise-environments/

Enable TLS in Microsoft SQL Server 2022

In a recent post, I described some of the security benefits of using Transport Layer Security (TLS) with Microsoft SQL Server. Configuration changes are required to take full advantage of these capabilities. By default, SQL Server uses an unmanaged, self-signed certificate, which provides little security value. The best practice is to use a certificate issued by the organization’s enterprise PKI. In this guide, I’ll demonstrate how to prepare and deploy a certificate template for SQL server using Active Directory Certificate Services (AD CS), enroll for the certificate, and configure SQL server to use the new certificate for TLS connections.

Note: I have recorded a video demonstration for enabling TLS in Microsoft SQL Server 2022 on my YouTube channel here. Enjoy!

Certificate Requirements

The minimum recommended requirements for a TLS certificate for SQL Server 2022 are:

  • Subject Name = Server’s fully qualified domain name or the alias name of the cluster
  • 2048-bit RSA key with SHA256
  • Server Authentication EKU (1.3.6.1.5.5.7.3.1)

Certificate Template

Administrators must prepare a certificate template in Active Directory (AD) adhering to the requirements listed above. On an issuing certification authority (CA) or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certificate Templates management console (certtmpl.msc) and perform the following steps.

  1. Right-click the default Web Server template and choose Duplicate Template.
  2. Select the Compatibility tab.
    1. In the Compatibility Settings section, select the latest version of Windows Server supported by your issuing CA servers from the Certification Authority drop-down list.
    1. Select Windows 10/Windows Server 2016 from the Certificate recipient drop-down list.
  3. Select the General tab.
    1. Enter a descriptive name in the Template display name field.
    1. Select a validity period of 1 year with a renewal period of 6 weeks.
  4. Select the Cryptography tab.
    1. Select Key Storage Provider from the Provider Category drop-down list.
    1. Select RSA from the Algorithm name drop-down list.
    1. Enter 2048 in the Minimum key size field.
    1. Select SHA256 from the Request hash drop-down list.
  5. Select the Issuance Requirements tab.
    1. Check the box next to CA certificate manager approval.
  6. Select the Subject Name tab.
    1. Select Supply in the request.
  7. Select the Extensions tab.
    1. Select Application Policies.
    1. Ensure that Server Authentication is the only application policy listed.
  8. Select the Security tab.
    1. Click Add.
    1. Grant Read and Enroll permissions to the SQL Server security group or the SQL server’s computer account.
    1. Ensure no other users/groups have enroll permission.

Once complete, publish the certificate template on all issuing CA servers in the organization.

Enroll Certificate

The certificate enrollment process involves several steps.

Request Certificate

To enroll for a new TLS certificate, open the computer certificate management console (certlm.msc) on the SQL server and perform the following steps.

  1. Right-click on the Personal folder and choose All Tasks > Request New Certificate.
  2. Click Next.
  3. Click Next.
  4. Check the box next to the SQL server certificate template.
  5. Click the More information is required to enroll for this certificate. Click here to configure settings link.
  6. Select the Subject tab.
  7. In the Subject Name section, select Common Name from the Type drop-down list.
  8. Enter the SQL server’s fully qualified domain name (FQDN) or the alias name of the SQL cluster in the Value field.
  9. Click Add.
  10. In the Alternative name section, select DNS from the Type drop-down list.
  11. Enter the SQL server’s fully qualified domain name (FQDN) or the alias name of the SQL cluster in the Value field.
  12. Click Add.
  13. [OPTIONAL] Enter the SQL server’s single-label hostname in the Value field.

Note: Adding the single-label hostname to the Subject Alternative Name list allows administrators or applications to connect to the SQL server using its short name (NetBIOS name) without resulting in a subject name mismatch error.

  1. Click Add.
  2. Click Ok.
  3. Click Enroll. The status should indicate that enrollment is pending.
  4. Click Finish.

Approve Certificate

Once the certificate request is made, the request must now be approved. On an issuing certification authority (CA), or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certification Authority management console (certsrv.msc) and perform the following steps.

  1. Expand the CA.
  2. Select Pending Requests.
  3. Note the request ID for the pending request. After approval, the request ID will be required later to retrieve the certificate.
  4. Right-click the pending request and choose All Tasks > Issue.

Important Note: I am performing the above tasks in a test lab environment. On a properly configured CA in a production environment, the requestor should not be able to approve their own request. In your environment, you may need to request that a CA administrator review and approve your request.

Install Certificate

Once the certificate has been approved and issued, open an elevated PowerShell or command window on the SQL server and perform the following steps.

  1. Enter certreq.exe -retrieve <request ID>.
  2. Select the CA where the certificate was issued.
  3. Click Ok.
  4. Select a location and enter a name for the file in the File name field.
  5. Click Save.
  6. Enter certreq.exe -accept <path to certificate file>.

Configure Certificate

Once the certificate has been enrolled on the SQL server, expand Personal > Certificates and refresh the view to confirm certificate enrollment. Next, perform the following steps.

  1. Right-click the SQL server certificate and choose All Tasks > Manage Private Keys.
  2. Click Add.
  3. Enter the name of the SQL server domain service account and click Check Names.
  4. If using the default SQL server service account, perform the following steps.
    1. Click on Locations.
      1. Select the local server.
      1. Click Ok.
      1. Enter NT Service\MSSQLSERVER and click Check Names.
  5. Click Ok.
  6. Uncheck Full control. The only permission required is Read.
  7. Click Ok.

SQL Configuration

Next, the new certificate must be assigned to the SQL Server service. Open the SQL Server Configuration Manager (sqlservermanager16.msc) and perform the following steps.

  1. Expand SQL Server Network Configuration.
  2. Right-click Protocols for MSSQLSERVER and choose Properties.
  3. Select the Certificate tab.
    1. Select the new certificate from the Certificate drop-down list.
  4. Select the Flags tab.
    1. Select Yes next to Force Strict Encryption.
  5. Click Ok.

Restart the SQL Server service for the changes to take effect.

Important Note: Selecting Force Strict Encryption will force encryption and certificate validation for all clients connecting to the SQL server. It will override any settings to bypass encryption or certificate checks. Force Strict Encryption may not be compatible with older applications or drivers. Please test thoroughly before enabling this setting.

Video

I’ve published a demonstration video for configuring TLS on Microsoft SQL Server 2022 on YouTube. You can find the video here.

Summary

After completing the configuration steps above, administrators can be assured that all communication between clients and the SQL server is fully protected with TLS using modern cryptography and their enterprise-managed certificate. With TLS enabled for SQL server communication, security is enhanced by encrypting data in transit, ensuring authentication, and protecting sensitive information from interception. In addition, this configuration helps meet compliance requirements.

Additional Information

TLS and Microsoft SQL Server 2022

Always On VPN and SQL Target Principal Name Incorrect

Leave a comment
by Richard M. Hicks on March 3, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authentication, Certificate Authority, Certificate Services, certificates, Compliance, Cryptography, Encryption, Enterprise, Infrastructure, Microsoft, Operational Support, PKI, public key infrastructure, Security, SQL, SQL Server, SQL Server 2022, SQL Server Management Studio, SSL, SSL and TLS, SSMS, TLS, Transport Layer Security, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 3, 2025

https://directaccess.richardhicks.com/2025/03/03/enable-tls-in-microsoft-sql-server-2022/

« Older Posts