Recently, Microsoft introduced a new PKI-as-a-Service offering called Cloud PKI. This cloud-based PKI can issue and manage certificates to Intune-managed endpoints. Administrators can now deploy user and device authentication certificates using Intune Cloud PKI without deploying Active Directory Certificate Services (AD CS) on-premises. Numerous blog posts and YouTube videos show how to configure and deploy Intune Cloud PKI, so I won’t reinvent the wheel with a complete configuration guide here. This article will focus instead on integrating Microsoft Intune Cloud PKI with on-premises Active Directory (AD).
Note: Administrators must deploy certificates to all enterprise domain controllers and RADIUS servers to support certificate-based authentication with AD. However, Cloud PKI for Intune can only issue certificates to Intune-managed endpoints today. It cannot issue certificates to servers. Administrators must use another CA (AD CS or another Cloud PKI solution) to issue and manage domain controller and RADIUS server certificates on-premises to support this scenario.
AD Integration
While Intune Cloud PKI eliminates the need for on-premises AD CS infrastructure, there will be times when Cloud PKI-issued certificates will be used to authenticate to on-premises AD, either through a RADIUS server such as Windows Network Policy Server (NPS), which is common for VPN and Wi-Fi deployments, or other methods. Additional configuration is required to support this scenario.
Publish Root/Issuing CA Certificates
The Intune Cloud PKI root and issuing CA certificates must be published in AD to support on-premises AD authentication using Intune Cloud PKI-issued certificates. Follow the steps below to complete this task.
Note: Arguably, you could skip publishing the Intune Cloud PKI root and issuing CA certificates in on-premises AD because Cloud-PKI certificates can only be issued to Intune-managed endpoints, in which case you are likely already deploying the Cloud PKI root and issuing CA certificates using Intune. I’m including these steps for completeness. However, publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA certificate store in AD is required to support on-premises AD authentication using Intune Cloud PKI-issued certificates, so that step is mandatory.
RootCA Store
On a domain-joined computer on-premises, open an elevated PowerShell or command window and run the following command to publish the Intune Cloud PKI root CA certificate to the RootCA certificate store in AD.
certutil.exe -dspublish -f <path to Cloud PKI root CA certificate> RootCA
SubCA Store
Next, run the following command to publish the Cloud PKI issuing CA certificate to the SubCA certificate store in AD.
certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> SubCA
NtAuthCA Store
Finally, run the following command to publish the Intune Cloud PKI issuing CA certificate to the NtAuthCA certificate store in AD. Publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA store in AD allows certificates issued by Intune Cloud PKI to be used to authenticate on-premises AD if required. Be sure to run this command even if you did not run the previous commands to publish the Intune Cloud PKI root and issuing CA certificates in AD.
certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> NtAuthCa
GUI
If you have an existing on-premises AD CS deployment, you can use the Enterprise PKI management console to publish the Intune Cloud PKI certificates in AD as an alternative to the command line. First, open the Enterprise PKI tool (pkiview.msc) on an existing on-premises Certification Authority (CA) server. Right-click the Enterprise PKI root node and choose Manage AD Containers. Add the Intune Cloud PKI root CA certificate to the Certification Authorities container. Next, add the Intune Cloud PKI issuing CA certificate to the Enrollment Services container. Finally, add the Intune Cloud PKI issuing CA certificate to the NTAuthCertificatesContainer.
Summary
Administrators can use the Microsoft Intune Cloud PKI solution to issue and manage user and device authentication certificates for their Intune-managed endpoints. Using the commands above, administrators can also integrate their Intune Cloud PKI with on-premises Active Directory to support user and device authentication for common workloads such as Wi-Fi and VPN. Critically, when integrating Cloud PKI with on-premises Active Directory, your Intune administrators should be considered Tier-0 administrators, and appropriate security controls should be enforced.
Additional Information
Mastering Certificates with Microsoft Intune Training Course – May 14-16, 2024