Richard M. Hicks Consulting, Inc.

Intune Certificate Connector Service Account and PKCS

Microsoft Always On VPN administrators have two choices when deploying enterprise PKI certificates using Intune: PKCS and SCEP. I prefer PKCS because it is easier to configure and manage. PKCS also requires no inbound connectivity, which simplifies the deployment and reduces the organization's public attack surface. Provisioning certificates through Intune is still inherently risky, however. Fortunately, there are several steps administrators can take to mitigate much of that risk.

Note: The techniques described in this article also apply to the NDES server when using SCEP certificate deployment in Intune, with one exception noted below.

PKCS Security

The service account is the most critical aspect of configuring the Intune Certificate Connector for PKCS securely. The service account has permission to enroll for an exceedingly dangerous published certificate template. Specifically, the PKCS certificate template combines two properties that are dangerous together: the enrollee supplies the subject information in the request, and the template includes the Client Authentication enhanced key usage (EKU). Further, the scenario does not allow CA certificate manager approval to be enabled on the certificate template. This is the template misconfiguration commonly referred to as ESC1. If an attacker gained control of the service account, or of any other principal with Enroll permission on this template, they could enroll as any principal they chose, including a domain administrator, and the request would be issued automatically. They could then authenticate to Active Directory with the certificate alone (for example, via Kerberos PKINIT) without knowing the account's password.
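The following PowerShell is an added example (not code from the original post) that checks a template for the three properties just described and lists every principal that can enroll for it, so you can confirm that only the PKCS service account holds that permission. The template name 'IntuneUserPKCS' is an assumption; substitute your own.

```powershell
# Added example, not code from the original post: audit the certificate template the
# Intune Certificate Connector enrolls against for PKCS, and list who holds Enroll on it.
# Assumption: the template CN is 'IntuneUserPKCS' (replace with yours). Run on a
# domain-joined host; reading the Configuration partition needs no special rights.

function Test-PkcsTemplateRisk {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$TemplateName)

    $ConfigNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $Template = [ADSI]("LDAP://CN=$TemplateName,CN=Certificate Templates," +
                       "CN=Public Key Services,CN=Services,$ConfigNC")

    # msPKI-Certificate-Name-Flag bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
    # the requester chooses the subject (and any SAN) in the CSR.
    $NameFlags       = [int]$Template.'msPKI-Certificate-Name-Flag'.Value
    $SuppliesSubject = ($NameFlags -band 0x1) -ne 0

    # msPKI-Enrollment-Flag bit 0x2 = CT_FLAG_PEND_ALL_REQUESTS:
    # "CA certificate manager approval", which the PKCS connector cannot work with.
    $EnrollFlags     = [int]$Template.'msPKI-Enrollment-Flag'.Value
    $ManagerApproval = ($EnrollFlags -band 0x2) -ne 0

    # pKIExtendedKeyUsage lists EKU OIDs; 1.3.6.1.5.5.7.3.2 = Client Authentication.
    $ClientAuth = @($Template.pKIExtendedKeyUsage) -contains '1.3.6.1.5.5.7.3.2'

    # Principals that can enroll: the Enroll extended right (by GUID), a blanket
    # grant of all extended rights (empty ObjectType), or GenericAll on the template.
    $AdRights   = [System.DirectoryServices.ActiveDirectoryRights]
    $EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $Enrollers  = $Template.psbase.ObjectSecurity.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                (($_.ActiveDirectoryRights -band $AdRights::GenericAll) -eq $AdRights::GenericAll) -or
                ((($_.ActiveDirectoryRights -band $AdRights::ExtendedRight) -ne 0) -and
                 ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Template                = $TemplateName
        EnrolleeSuppliesSubject = $SuppliesSubject
        ClientAuthenticationEku = $ClientAuth
        ManagerApprovalRequired = $ManagerApproval
        # The combination the post warns about: auto-issued logon certificates for
        # any subject the requester names.
        Esc1Exposure            = ($SuppliesSubject -and $ClientAuth -and -not $ManagerApproval)
        CanEnroll               = @($Enrollers)
    }
}

# Usage: the CanEnroll list should contain only the PKCS service account (plus the CA
# administrators you expect), never Domain Users, Domain Computers or Authenticated Users.
Test-PkcsTemplateRisk -TemplateName 'IntuneUserPKCS' | Format-List
```

Esc1Exposure will be true for any template the PKCS connector can use; that is expected and cannot be changed. The actionable output is CanEnroll: every principal in that list is as dangerous as the service account itself, so review it whenever the template ACL changes.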

Service Account

Using a group Managed Service Account (gMSA) would be ideal in this scenario. However, the Intune Certificate Connector does not support a gMSA when using PKCS. Administrators must therefore use a regular domain service account instead, which introduces additional risk. To enhance the overall security of the solution, consider performing the following PKCS service account hardening tasks when using the Intune Certificate Connector to issue PKCS certificates with Intune.

Standard User

The service account should be a standard domain user with no special privileges. The account should be dedicated to PKCS and not shared with any other service in the enterprise. Create the account from scratch (do not copy another account!) and use a long, complex, randomly generated password. Store this password securely, for example in a privileged access management system or password vault. In addition, ensure the PKCS service account is not a member of any security group other than its primary group (Domain Users). Although the service account doesn't require administrative access to Active Directory to operate, the account must be a member of the local Administrators group on the connector server to ensure the connector certificate is updated automatically.

Account Hardening

After creating the service account, open its properties in Active Directory Users and Computers, click the Log On To button on the Account tab, and ensure the account can only log on to the server(s) where you have installed the Intune Certificate Connector.

Next, check the box next to Account is sensitive and cannot be delegated in the Account options section.

In addition, select the option Deny access in the Network Access Permission section of the Dial-In properties page.

Finally, uncheck Enable remote control on the Remote control properties page.
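The steps above map to a handful of account attributes, so they can be scripted and reviewed rather than clicked through. The following PowerShell is an added example (not code from the original post) that creates the dedicated account and applies every setting from the Standard User and Account Hardening sections with the ActiveDirectory module. The account name svc-IntunePKCS, the CORP / corp.example domain, the OU path and the server name CONNECTOR01 are placeholders.

```powershell
# Added example, not code from the original post: create the dedicated PKCS service
# account and apply the hardening above with the ActiveDirectory module. Assumptions
# (placeholders): account 'svc-IntunePKCS', domain CORP / corp.example, the OU path, and
# a single connector server 'CONNECTOR01'. Run as an account that can create users in the OU.
Import-Module ActiveDirectory

$Sam        = 'svc-IntunePKCS'
$Domain     = 'CORP'
$OuPath     = 'OU=Service Accounts,DC=corp,DC=example'
$Connectors = @('CONNECTOR01')   # every server running the Intune Certificate Connector

# Long random password (48 random bytes, Base64: 64 characters). Store it in your
# password vault; nothing but the connector service should ever need it.
$Bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$Password = ConvertTo-SecureString -String ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force

$Params = @{
    Name                = $Sam
    SamAccountName      = $Sam
    UserPrincipalName   = "$Sam@corp.example"
    Path                = $OuPath
    Description         = 'Intune Certificate Connector (PKCS) service account'
    AccountPassword     = $Password
    Enabled             = $true
    AccountNotDelegated = $true                     # "Account is sensitive and cannot be delegated"
    LogonWorkstations   = ($Connectors -join ',')   # "Log On To" limited to the connector server(s)
    OtherAttributes     = @{ msNPAllowDialin = $false }   # Dial-in: Network Access Permission = Deny access
}
New-ADUser @Params   # a brand-new account: nothing is copied from an existing user

# "Enable remote control" is part of the Terminal Services user settings, which live
# in the userParameters blob and are only reachable through the IADsTSUserEx ADSI
# interface (0 = remote control disabled).
$Entry = [ADSI]"LDAP://$((Get-ADUser -Identity $Sam).DistinguishedName)"
$Entry.psbase.InvokeSet('EnableRemoteControl', 0)
$Entry.psbase.CommitChanges()

# A new user belongs only to its primary group, Domain Users; warn loudly if anything
# else has been added (for example by a provisioning tool).
$Extra = Get-ADPrincipalGroupMembership -Identity $Sam | Where-Object Name -ne 'Domain Users'
if ($Extra) { Write-Warning "Unexpected group membership: $($Extra.Name -join ', ')" }

# The connector requires local Administrators membership on the connector server so
# it can update its own certificate; that is the one privilege the account keeps.
Invoke-Command -ComputerName $Connectors -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member "$using:Domain\$using:Sam"
}

# Review the result.
Get-ADUser -Identity $Sam -Properties AccountNotDelegated, LogonWorkstations, msNPAllowDialin |
    Select-Object SamAccountName, Enabled, AccountNotDelegated, LogonWorkstations, msNPAllowDialin
```

The final Get-ADUser call doubles as a periodic check: AccountNotDelegated should be True, LogonWorkstations should list only the connector server(s), and msNPAllowDialin should be False. Add it to whatever review you already run against privileged accounts.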

Local Access Rights

Open the Local Group Policy Editor (gpedit.msc) on each server where you installed the Intune Certificate Connector. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Add the PKCS service account to the following policy settings.

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on locally
  • Deny log on through Remote Desktop Services

Optionally, these settings can be enforced on the Intune Certificate Connector server(s) using Active Directory Group Policy, which keeps them consistent across servers and prevents local drift.

Important Note: When implementing these settings to harden an NDES server, do not assign the Deny log on as a batch job user right to the service account. The NDES service account is the identity of the SCEP IIS application pool, and application pool identities require the Log on as a batch job right.
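The four user rights above correspond to the SeDenyNetworkLogonRight, SeDenyBatchLogonRight, SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight privileges in a security template. The following PowerShell is an added example (not code from the original post) that applies them to the local security policy of a connector server with secedit, preserving whatever principals are already listed, and implements the NDES exception as a switch. The account CORP\svc-IntunePKCS is a placeholder.

```powershell
# Added example, not code from the original post: assign the four "Deny" user rights to
# the PKCS service account in the local security policy of a connector server by editing
# the security template that secedit exports and importing it again. Assumption:
# account 'CORP\svc-IntunePKCS' is a placeholder. Run elevated on each connector server.
# -Ndes implements the exception for NDES servers: "Deny log on as a batch job" is left
# alone because the SCEP IIS application pool runs as that account and needs batch logon.

function Set-ServiceAccountDenyRights {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\name
        [switch]$Ndes
    )

    # secedit templates reference principals by SID, prefixed with '*'.
    $Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $Rights = @(
        'SeDenyNetworkLogonRight'             # Deny access to this computer from the network
        'SeDenyInteractiveLogonRight'         # Deny log on locally
        'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
    )
    if (-not $Ndes) { $Rights += 'SeDenyBatchLogonRight' }   # Deny log on as a batch job

    $Work = Join-Path $env:TEMP 'pkcs-user-rights'
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    $Inf = Join-Path $Work 'rights.inf'
    $Db  = Join-Path $Work 'rights.sdb'

    # 1. Export the current user rights assignments ([Privilege Rights] section).
    secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

    # 2. Append the SID to each right, keeping the principals already listed.
    $Out  = New-Object System.Collections.Generic.List[string]
    $Seen = @{}
    foreach ($Line in Get-Content -Path $Inf) {
        $Handled = $false
        foreach ($Right in $Rights) {
            if ($Line -match "^\s*$Right\s*=\s*(.*)$") {
                $Members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                if ($Members -notcontains "*$Sid") { $Members += "*$Sid" }
                $Out.Add("$Right = " + ($Members -join ','))
                $Seen[$Right] = $true
                $Handled = $true
                break
            }
        }
        if (-not $Handled) { $Out.Add($Line) }
    }
    # Rights currently assigned to nobody do not appear in the export; add them to the section.
    $Header = $Out.IndexOf('[Privilege Rights]')
    if ($Header -lt 0) { $Out.Add('[Privilege Rights]'); $Header = $Out.Count - 1 }
    foreach ($Right in $Rights) {
        if (-not $Seen[$Right]) { $Out.Insert($Header + 1, "$Right = *$Sid") }
    }
    Set-Content -Path $Inf -Value $Out.ToArray() -Encoding Unicode   # secedit expects a UTF-16 template

    # 3. Import only the user rights area, then re-export to confirm what took effect.
    secedit.exe /configure /db $Db /cfg $Inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit configure failed ($LASTEXITCODE); see $env:windir\security\logs\scesrv.log"
    }
    secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
    Get-Content -Path $Inf | Where-Object { $_ -match '^SeDeny' }
}

# Intune Certificate Connector server:
Set-ServiceAccountDenyRights -Account 'CORP\svc-IntunePKCS'
# NDES server (SCEP): skip the batch-logon denial.
# Set-ServiceAccountDenyRights -Account 'CORP\svc-NDES' -Ndes
```

Because the script only ever appends the service account's SID, re-running it is safe, and the re-export at the end shows exactly which principals each Deny right now carries. If you later move these settings into a domain GPO, the GPO replaces the local values for those rights, so keep the account listed there as well.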

Disclaimer

I am not an Active Directory security expert! The guidance provided here is based on my many years of Windows administrative experience, conversations with Identity and Access security professionals, and published guidance found on the Internet. If you have suggestions to further improve service account security, don't hesitate to let me know! Please share in the comments below.

Additional Information

Overview of the Certificate Connector for Microsoft Intune

Configure and use PKCS Certificates with Microsoft Intune

Microsoft Intune Certificate Connector Service Account Requirements

9 Tips for Preventing Active Directory Service Accounts Misuse

How to Manage and Secure Service Accounts

by Richard M. Hicks on January 30, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, certificates, Cryptography, Deployment, Device Management, Encryption, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PFX Connector, PKI, public cloud, public key infrastructure, Remote Access, Security, System Center Configuration Manager, systems management, TPM, Trusted Platform Module, user tunnel, VPN, Windows 10, Windows 11
Tagged Always On VPN, AOVPN, certificate, certificate connector, certificate connector for Intune, certificate template, certificates, Certification Authority, domain account, enterprise mobility, InTune, Intune certificate connector, Microsoft, Microsoft Intune, Mobility, PKCS, PKCS security, Remote Access, security, security hardening, service account, service account hardening, VPN, Windows

https://directaccess.richardhicks.com/2023/01/30/intune-certificate-connector-service-account-and-pkcs/