Digital certificates are excellent, phishing-resistant credentials that can significantly improve the security posture for on-premises and cloud-based resources. Organizations can leverage certificates natively for workloads such as VPN and Wi-Fi authentication to prevent rogue access using stolen usernames and passwords. In addition, administrators can deploy certificates for use with Entra Certificate-Based Authentication (CBA), enabling strong authentication to cloud-native applications and services. Further, integrating certificates with Entra Conditional Access allows administrators to enforce high assurance authentication to critical resources on-premises or in the cloud.
AD CS
Traditionally, organizations deploy Active Directory Certificate Services (AD CS) on-premises to issue and manage digital certificates to users and devices for strong authentication. However, as companies migrate applications, data, and infrastructure to the cloud, issuing certificates to cloud-native users and endpoints is problematic when certificates originate from AD CS hosted privately.
AD CS and Intune
Microsoft supports integrating on-premises AD CS with Microsoft Intune via the Certificate Connector for Intune. This connector allows Intune-managed users and devices to enroll for enterprise PKI certificates as if they were on the internal network. With Intune, certificates can be issued and, if necessary, revoked automatically.
Cloud PKI
Cloud PKI for Intune is a cloud-hosted PKI that enables administrators to consume certificates without hosting any infrastructure. Microsoft manages security and maintenance tasks entirely. However, Cloud PKI presents its own unique challenges and has many critical limitations.
Training
Deploying and managing digital certificates in the enterprise can be challenging, especially with hybrid deployments. To address these challenges, Richard M. Hicks Consulting, Inc. offers comprehensive training courses for administrators learning about certificate provisioning and management with Microsoft Intune. Those attending our deep-dive classes will learn the following.
- Infrastructure requirements for deploying enterprise PKI certificates with Intune
- Key differences between PKCS and SCEP
- Network Device Enrollment Service (NDES) configuration
- Intune certificate deployment
- High availability and redundancy strategies
- Security and implementation best practices
- Cloud PKI deployment and integration with on-premises AD
Upcoming Events
The following Intune and Certificates training events are available for enrollment.
Online/Virtual
- March 10-12, 2026 (Register here)
In-Person
- TBA – Suggest a location using the form below!
Register Today
Classes are forming now. Enter the desired date and location in the form below, and I’ll contact you with registration details.






