All posts in category MEMCM

Troubleshooting Intune Failed PKCS Request

Always On VPN administrators deploying on-premises enterprise PKI certificates using Microsoft Intune with PKCS may encounter a scenario where a certificate fails to be issued to a user or device. In this post, I’ll share some things to investigate when troubleshooting this issue.

Event 1001

To begin, open the Event Log and navigate to Applications and Services > Microsoft > Intune > CertificateConnectors > Admin. You will likely find an event ID 1001 from the CertificateConnectors source with the following error message.

Failed to process PKCS request.

Prerequisites

Validate the following prerequisites have been met on the issuing Certification Authority (CA) server.

Certificate Template

Ensure the certificate template used for PKCS has the correct permissions and is published on an issuing CA server. Open the Certificate Templates management console (certtmpl.msc), right-click the certificate template, choose Properties, and then click on the Security tab. The certificate template must grant the Intune Certificate connector server’s computer account (or the PKCS connector’s service account if running as a service and not SYSTEM) the Read and Enroll permissions on the template.

CA Permissions

In addition to the permissions on the certificate template, ensure the correct permissions have been configured on the issuing CA itself. Right-click on the CA in the Certification Authority management console (certsrv.msc) and choose Security. Ensure the Intune Certificate connector server’s computer account (or the PKCS connector’s service account, if running as a service and not SYSTEM) is granted The Issue and Manage Certificates and Request Certificates permissions.

Intune Policy

Ensure the Intune device configuration policy is configured correctly. These three fields are critical and can result in failed PKCS certificate deployment if misconfigured.

Certification Authority

Enter the fully qualified domain name (FQDN) of the on-premises issuing CA server in this field.

Certification Authority Name

Enter the common name of the issuing CA in this field. You will find this information by running the following command on any domain-joined Windows system.

certutil.exe -dump

Certificate Template Name

Enter the name of the certificate template in Active Directory. Be aware that the template name and template display name are two different things. The template name is usually the template display name without spaces. However, that’s not a guarantee. On the General tab of the certificate template, look at the template name field on the certificate template to confirm.

Summary

This article is not a comprehensive troubleshooting guide for problems associated with failed PKCS certificate deployment using the Microsoft Intune Certificate connector and PKCS. However, it covers some of the more common problems administrators will likely encounter. If you cannot provision PKCS certificates correctly, drop me a note and I’ll provide further guidance.

Additional Information

Troubleshooting Failed Intune Certificate Connector Configuration – Part 1

Troubleshooting Failed Intune Certificate Connector Configuration – Part 2

Intune Certificate Connector Service Account and PKCS

Microsoft Intune Cloud PKI

Microsoft Intune Cloud PKI and Certificate Templates

Microsoft Intune Cloud PKI and Active Directory

2 Comments
by Richard M. Hicks on June 24, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, Azure, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Cryptography, Deployment, Device Management, Encryption, Endpoint Manager, Enterprise, enterprise mobility, extensible authentication protocol, Hybrid Azure AD Join, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PFX Connector, PKCS, PKI, public key infrastructure, Remote Access, Security, systems management, troubleshooting, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 24, 2024

https://directaccess.richardhicks.com/2024/06/24/troubleshooting-intune-failed-pkcs-request/

Microsoft Intune Learning Resources for Always On VPN Administrators

Note: This post has been updated and republished to reflect the return to the Microsoft Intune product name and to include updated learning resources for Always On VPN administrators.

Microsoft Intune is the recommended solution for deploying and managing Windows Always On VPN client configuration settings. Always On VPN is designed for Mobile Device Management (MDM), with configuration settings deployed specifically to the VPNv2 Configuration Service Provider (CSP) interface.

Resources

Getting up to speed on all things MEM isn’t difficult at all. I’ve found the MEM community to be exceedingly helpful, and there are many available training resources in various formats from which to choose.

Books

The following is a list of Microsoft Endpoint Manager books Always On VPN administrators will find most helpful for learning about MEM.

YouTube

The Intune Training channel on YouTube is an incredibly valuable resource for Always On VPN administrators learning MEM. Hosted by Steven Hosking, Adam Gross, and Ben Reader, there are countless videos covering important MEM configuration tasks.

Pluralsight

Pluralsight offers video training courses for a wide variety of IT-related topics. Recently I published the  Implementing Always On VPN video training course. There are several Microsoft Endpoint Manager video training courses available as well. Pluralsight is available via subscription. You can sign up for a free trial here if you don’t have a subscription.

Conferences

The Midwest Management Summit (MMS) is the premier event for systems management professionals. Their annual conference takes place each spring in the U.S. (Minneapolis, MN). The event is the best place to learn about Microsoft Endpoint Manager and network with systems management professionals worldwide.

ViaMonstra Online Academy

I will be delivering the Mastering Certificates with Microsoft Intune training course at the ViaMonstra online training academy May 14-16, 2024. This three-day live, interactive training course provides a comprehensive deep dive into all aspects of deploying and managing digital certificates using Microsoft Intune. Microsoft Cloud PKI will also be covered. Space is limited, so register today!

Additional Resources

As a reminder, Microsoft Intune topics such as certificate deployment and Always On VPN profile deployment and management are covered in detail in both my Implementing Always On VPN book and the Implementing Always On VPN video training course on Pluralsight. 😁

Leave a comment
by Richard M. Hicks on March 21, 2024  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, Always On VPN, Always On VPN Book, AOVPN, AOVPN Book, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Conditional Access, Deployment, Device Management, device tunnel, DirectAccess Book, education, Endpoint Manager, Enterprise, Important Links, InTune, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, OMA-DM, PFX Connector, public cloud, Recommended Reading, Remote Access, SCCM, SCEP, Security, Simple Certificate Enrollment Protocol, System Center 2012, System Center Configuration Manager, systems management, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 21, 2024

https://directaccess.richardhicks.com/2024/03/21/microsoft-intune-learning-resources-for-always-on-vpn-administrators/

Microsoft Intune Cloud PKI and Active Directory

Recently, Microsoft introduced a new PKI-as-a-Service offering called Cloud PKI. This cloud-based PKI can issue and manage certificates to Intune-managed endpoints. Administrators can now deploy user and device authentication certificates using Intune Cloud PKI without deploying Active Directory Certificate Services (AD CS) on-premises. Numerous blog posts and YouTube videos show how to configure and deploy Intune Cloud PKI, so I won’t reinvent the wheel with a complete configuration guide here. This article will focus instead on integrating Microsoft Intune Cloud PKI with on-premises Active Directory (AD).

Note: Administrators must deploy certificates to all enterprise domain controllers and RADIUS servers to support certificate-based authentication with AD. However, Cloud PKI for Intune can only issue certificates to Intune-managed endpoints today. It cannot issue certificates to servers. Administrators must use another CA (AD CS or another Cloud PKI solution) to issue and manage domain controller and RADIUS server certificates on-premises to support this scenario.

AD Integration

While Intune Cloud PKI eliminates the need for on-premises AD CS infrastructure, there will be times when Cloud PKI-issued certificates will be used to authenticate to on-premises AD, either through a RADIUS server such as Windows Network Policy Server (NPS), which is common for VPN and Wi-Fi deployments, or other methods. Additional configuration is required to support this scenario.

Publish Root/Issuing CA Certificates

The Intune Cloud PKI root and issuing CA certificates must be published in AD to support on-premises AD authentication using Intune Cloud PKI-issued certificates. Follow the steps below to complete this task.

Note: Arguably, you could skip publishing the Intune Cloud PKI root and issuing CA certificates in on-premises AD because Cloud-PKI certificates can only be issued to Intune-managed endpoints, in which case you are likely already deploying the Cloud PKI root and issuing CA certificates using Intune. I’m including these steps for completeness. However, publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA certificate store in AD is required to support on-premises AD authentication using Intune Cloud PKI-issued certificates, so that step is mandatory.

RootCA Store

On a domain-joined computer on-premises, open an elevated PowerShell or command window and run the following command to publish the Intune Cloud PKI root CA certificate to the RootCA certificate store in AD.

certutil.exe -dspublish -f <path to Cloud PKI root CA certificate> RootCA

SubCA Store

Next, run the following command to publish the Cloud PKI issuing CA certificate to the SubCA certificate store in AD.

certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> SubCA

NtAuthCA Store

Finally, run the following command to publish the Intune Cloud PKI issuing CA certificate to the NtAuthCA certificate store in AD. Publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA store in AD allows certificates issued by Intune Cloud PKI to be used to authenticate on-premises AD if required. Be sure to run this command even if you did not run the previous commands to publish the Intune Cloud PKI root and issuing CA certificates in AD.

certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> NtAuthCa

GUI

If you have an existing on-premises AD CS deployment, you can use the Enterprise PKI management console to publish the Intune Cloud PKI certificates in AD as an alternative to the command line. First, open the Enterprise PKI tool (pkiview.msc) on an existing on-premises Certification Authority (CA) server. Right-click the Enterprise PKI root node and choose Manage AD Containers. Add the Intune Cloud PKI root CA certificate to the Certification Authorities container. Next, add the Intune Cloud PKI issuing CA certificate to the Enrollment Services container. Finally, add the Intune Cloud PKI issuing CA certificate to the NTAuthCertificatesContainer.

Summary

Administrators can use the Microsoft Intune Cloud PKI solution to issue and manage user and device authentication certificates for their Intune-managed endpoints. Using the commands above, administrators can also integrate their Intune Cloud PKI with on-premises Active Directory to support user and device authentication for common workloads such as Wi-Fi and VPN. Critically, when integrating Cloud PKI with on-premises Active Directory, your Intune administrators should be considered Tier-0 administrators, and appropriate security controls should be enforced.

Additional Information

Microsoft Intune Cloud PKI

Mastering Certificates with Microsoft Intune Training Course – May 14-16, 2024

8 Comments
by Richard M. Hicks on March 5, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, Infrastructure, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, NDES, PKCS, PKI, public cloud, public key infrastructure, SCEP, Simple Certificate Enrollment Protocol, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 5, 2024

https://directaccess.richardhicks.com/2024/03/05/microsoft-intune-cloud-pki-and-active-directory/

« Older Posts
Newer Posts »