I’m excited to announce that I’ll be speaking at the Arizona Systems Management User Group (AZSMUG) at their next user group meeting on Friday, March 7, at 9:00 AM MST. I am presenting on the topic of Certificate Deployment Strategies with Microsoft Intune.
Intune and Certificates
My session at AZSMUG will provide an overview of issuing and managing certificates with Microsoft Intune. We’ll begin by examining common scenarios for certificate authentication and explore various delivery methods, including PKCS and SCEP. Additionally, we’ll discuss supporting technologies such as the Network Device Enrollment Service (NDES) and review deployment strategies and high availability options for the Intune Certificate Connector. The session will also cover Cloud PKI for Intune, integration with on-premises Active Directory, and best practices for securing certificate lifecycles and key management in enterprise environments.
Register Now
If you are in the Phoenix area and would like to attend the user group meeting on Friday, March 7, you will find the registration link here. Hope to see you there!
Microsoft recently introduced Entra Private Access, an identity-centric Zero Trust Network Access (ZTNA) solution to provide secure remote access to on-premises resources. With Entra Private Access, administrators can leverage Entra Conditional Access to enforce policy-based access control for network access. However, Entra Private Access isn’t for everyone. It does not provide full feature parity with Always On VPN, and there are also licensing considerations. However, for those organizations using Always On VPN, the good news is that you can integrate Entra Conditional Access with Always On VPN today to gain some of the security benefits it provides.
Conditional Access
Microsoft Entra Conditional Access is a security feature that enables administrators to create and enforce policies that specify how users can access resources. In the specific case of Always On VPN, conditional access is critical to ensuring legitimate access to authenticated users on authorized devices.
Signals
Conditional access policies use a wide variety of signals for policy enforcement, such as:
User Identity: Who is making this access request?
User Properties: Is this user a member of a specific group?
Location: Where is this access request originating?
Device Management: Is this device joined to Entra ID?
Device State: Is this device compliant with security policies?
Device Platform: Is this a Windows device?
Risk Level: Is this login considered risky?
Access Control
Based on these signals, administrators can design a conditional access policy to enforce granular access control, such as:
Enforce specific authentication types (e.g., phishing-resistant credentials)
Allow access only from specific device platforms (e.g., Windows only)
Require Entra hybrid-joined device
Block access when a device is not compliant with security policies
Always On VPN
Entra Conditional Access works with Always On VPN by issuing a special, short-lived user authentication certificate once the user has been authorized. The Always On VPN infrastructure can be configured to use this certificate to grant access to the VPN. Integrating conditional access with Always On VPN can significantly improve the security posture of organizations using this feature.
Since Microsoft recently announced support for strong certificate mapping for Intune PKCS and SCEP certificates, identifying a user or computer’s security identifier (SID) is critical for troubleshooting. There are a few different ways to retrieve this information. Finding the user’s SID is easy enough (whoami.exe /user). However, finding the computer’s SID is a little more challenging.
PowerShell Script
To simplify the task of retrieving the SID for a user or computer, I’ve created and published a PowerShell script called Get-Sid. Administrators can install this script from the PowerShell gallery using the following command.
Install-Script -Name Get-Sid
Get-SID
After installing the PowerShell script, running it will return the SID of the current logged on user or the machine.
User
To retrieve the user’s SID, run the command without additional parameters.
Get-Sid
Computer
Run the command with the -Machine parameter to retrieve the computer’s SID.
