Setting up a Microsoft PFX Connector for Certificate Issuance via Intune

Certificate authentication is a common and secure way of validating the identity of users and computers. Certificates are used for authentication and decryption tasks in many situations, from VPN authentication to RADIUS to S/MIME. Microsoft has worked to modernize and secure legacy tools as well as implement new services and features to help make certificate deployment secure, scalable, and highly available. In this guide we will look at the Microsoft PFX Connector and its integration with Intune. Using the PFX Connector we will be able to issue certificates from our On-Premises ADCS PKI to client devices over the internet through Intune.

There are a few technologies that can handle certificate distribution through Intune. Please review the pros and cons when choosing between a PFX Connector or NDES/SCEP. Ronny de Jong wrote a great article about these considerations which you can read here.

https://ronnydejong.com/2017/02/20/part-1-deploying-microsoft-intune-pfx-connector-in-an-enterprise-worldcommon-practices/

It should also be noted that PFX Connectors support High Availability. It is possible to configure multiple connectors and internal Certification Authorities to continue to serve certificates in the event of a single device outage. Microsoft supports up to 100 certificate connectors per tenant, and you can set up as many internal Issuing Certification Authorities with the required templates as needed. As an example, an enterprise client I worked with used two PFX Connectors at different physical locations in conjunction with two Certificate Authorities at different physical locations. This means that as long as at least one PFX Connector and at least one Issuing Certification Authority are available, certificate issuance will work as expected. For the purpose of this guide we will configure a single PFX Connector to a single Issuing Certification Authority.

Basic Diagram


Requirements

  • Active Azure Tenant with valid Intune licenses for the account performing the PFX Connector enrollment as well as any users/devices that are to receive certificates
  • An Azure account with Intune Administrator permissions
  • On-Premises ADCS PKI Certification Authority
  • Dedicated Windows Server for the PFX Connector
    – Windows Server 2012 R2 or later, Desktop Experience
    – .NET Framework 4.7.2 on PFX Connector Server
    – Active Internet Connection
  • Devices enrolled in Intune [We will be testing a Windows 10 Client]

Initial PFX Connector Server Configuration

Deploy a fresh Windows Server installation with Desktop Experience. From this point forward we will refer to the PFX Connector Server as OL-PC-01. This server should have connectivity [what ports?] to your Issuing Certification Authority. It should also have the same level of connectivity to Azure as a typical managed device. Please reference the Microsoft documentation [Network endpoints for Microsoft Intune | Microsoft Docs] to ensure the required network connectivity is configured. Ensure all proper security updates are in place and that OL-PC-01 is properly secured in your AD Environment. This server has high security ramifications as it generates and handles private keys for client devices. If you are following the Tiered Administration Model consider this server and the accounts that manage it as Tier 0.

PFX Connector Download

Sign in to Azure and navigate to the Microsoft Endpoint Manager admin center.

Navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors

Once on the Certificate Connectors page, click +Add

You will see the two options noted earlier in this article. As we are looking to deploy a PFX Connector, click Download the certificate connector software under PKCS #12 or imported PFX certificates

We should see the PfxCertificateConnectorBootstrapper.exe download. Copy it to OL-PC-01.

The Certificate Connector application will need to make calls to Azure during installation and enrollment. If you are using Internet Explorer Enhanced Security Configuration you may need to temporarily disable it through Server Manager.

Once the installer is copied over to OL-PC-01, double click the PfxCertificateConnectorBootstrapper.exe executable.

Accept the license agreement and click Install

If you are prompted by UAC click Yes

The installer should automatically install and configure .NET Framework 4.7.2 as well as the PFX Connector application itself.

Note: During my initial configuration the installer failed to install the .NET Framework. Simply manually downloading and installing the connector and relaunching the PFX Connector Installer resolved my issues.

Once the application has finished installing you will be asked to configure the PFX Connector. Click Configure Now

We must now associate our PFX Connector with our Intune tenant by signing in. Use an account with Intune Administrator permissions and a valid Intune license.

Click Sign In and enter your administrator credentials.

Upon completion of sign in you will get a notification that enrollment was successful.

Note: If you are unable to sign in or are given an error, double check your account's Azure permissions, licenses, and Internet Explorer security configuration settings.

At this point you may choose to go to the CA Account tab and manually specify a Service Account to use for accessing the local Certification Authority. For this guide we will leave this as the Microsoft default of using the computer's SYSTEM account.

Verifying the Connector in Endpoint Manager

After a few moments you should see the PFX Connector available in the Certificate Connectors pane. This is the same pane we visited before to download the PFX Connector installer.

We should see the connector with a green checkmark listed as Active

It would probably be a good idea to give the connector a useful name. You can click the connector name to be brought to the Edit Connector pane, which will allow you to update the name. I will be listing it as its hostname for easy readability going forward.

Creating a Test Certificate Template in the Internal PKI

We need to configure a template on our local Issuing Certification Authority before we can issue certificates from it. While it is possible to map an existing certificate template for issuance with the PFX Connector, it usually makes more sense to have dedicated templates, especially while testing.

Log on to your Issuing Certification Authority, or another computer with the Certification Authority MMC able to connect to your Certification Authority.

Expand your Certification Authority name, select Certificate Templates, and click Manage.

In the Certificate Templates console find the default Computer template. Right click the Computer template and select Duplicate Template

Note: Your PKI may have specific settings or values that would require different options from what I am configuring. I will be showing a basic configuration but if you run into issues an investigation of your PKI may be required to resolve the problems.

In the Compatibility Tab change the Certification Authority to Windows Server 2003 and the Certificate Recipient to Windows XP / Server 2003.

Note: While this seems counterintuitive these are the recommendations from Sr. Microsoft Engineer Anzio Breeze and the Microsoft TechNet documentation. For further reading please see Support Tip: Configuring and Troubleshooting PFX/PKCS Certificates in Microsoft Intune – Microsoft Tech Community

In the Subject Name Tab ensure the Supply in the request radio button is selected. If you receive a warning that Certificate Manager approval is not required click OK.

In the Extensions Tab under Application Policies click Edit. Ensure only Client Authentication is added. You may add more extensions as needed for your specific use case but we will be following a simple Client Auth only policy for now.

In the Request Handling Tab ensure the Purpose is set to Signature and encryption. Make sure the Include symmetric algorithms allowed by the subject checkbox is selected. Ensure the Allow private key to be exported option is selected. The private key must be allowed to be exported in the template settings because of how the PFX Connector generates the private keys and certificates on behalf of the client. This is one of the primary differences between PFX Connector and NDES certificate deployment configurations, in which the private key always resides on the client.

In the Security Tab configure SYSTEM to have Full Control of the template as shown.

In the Security Tab configure the computer account OL-PC-01 to have read and enroll permissions to the template. If you chose to use a service account instead of the computer object you will need to modify this setting.

In the General Tab give the template a meaningful name. You can also set the validity period here, but it will be overridden by our eventual Intune profile. For most cases you will want to keep the Validity period of 1 year and the Renewal period of 6 weeks.

Once you are satisfied with the configuration click Apply and OK to close the dialog.

Navigate back to your Issuing Certification Authority and right click Certificate Templates and select New Certificate Template To Issue

Select the Template we have just created and click OK

Verify the new template is listed on the Issuing Certification Authority. We are now ready to move into Intune profile configuration.
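Before moving on, it is worth confirming from Active Directory that the template really carries the settings this section configured, and reviewing who can enroll against it, since every principal with Enroll on an exportable-key template can obtain exportable private keys. The following PowerShell script is an added example, not part of the original article; it assumes the template name (not the display name) is IntuneTestPKCSDevice (hypothetical) and that it runs as a domain user who can read the Configuration partition.

```powershell
# Added example (not from the original article): read the new template from AD and check
# the settings this guide requires, then list who holds the Enroll right on it.
# Assumption: the template *name* (not display name) is 'IntuneTestPKCSDevice' (hypothetical).
$TemplateName = 'IntuneTestPKCSDevice'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag bits and OIDs as documented in MS-CRTD
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$pkFlags   = [int]$template.Properties['msPKI-Private-Key-Flag'][0]
$nameFlags = [int]$template.Properties['msPKI-Certificate-Name-Flag'][0]
$ekus      = @($template.Properties['pKIExtendedKeyUsage'])

$checks = [ordered]@{
    'Private key exportable (required by the PFX Connector)' = (($pkFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
    'Subject name supplied in the request'                   = (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
    'EKU is Client Authentication only'                      = ($ekus.Count -eq 1 -and $ekus[0] -eq $ClientAuthEku)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-58} : {1}' -f $_.Key, $_.Value }

# Who can enroll? Expect only the connector host (OL-PC-01$) or its service account, plus
# SYSTEM via Full Control (GenericAll shows as an all-objects rule with an empty ObjectType).
$template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Any unexpected identity in the second listing should be removed from the template's security tab before the template is published for issuance.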

Creating the Intune Profiles – Trusted Certificate Deployment of Root Certificate

As we will be deploying certificates from a private PKI we must ensure our dependent Root and Issuing CA certificates are deployed to the client devices as well. Make sure you have a valid copy of your Root and Issuing Certificate Authority public certificates handy.

Navigate to the Microsoft Endpoint Manager admin center and go to Devices > Configuration profiles. Click + Create Profile.

Under Platform select Windows 10 and later.

Under Profile type select Templates and look for Trusted certificate.

Click Create

Give the profile a meaningful name. In our case we will be calling it Deploy LabGrassa.com Root CA Public Certificate. A good description is always useful as well.

Click Next

We now need to upload the public certificate for the Root CA. As this is our Root we should be specifying the Destination store as Computer certificate store – Root.

Click Next

We now have the option to assign the profile immediately. You may do so if you choose but we will not be deploying to any devices immediately. Without modifying any settings click Next.

We now have the option to assign Applicability Rules. There is no need for us to define them in this scenario. Without changing any settings click Next.

Review the profile and ensure the settings are correct.

Click Create.

Creating the Intune Profiles – Trusted Certificate Deployment of Intermediate Certificate

We must now follow the same process again with a few minor changes to deploy our intermediary (Issuing) Certification Authority certificate. This should be the same Certification Authority you will be issuing your certificates from.

Follow the same process but under Configuration Settings upload the Issuing CA Certificate and specify the Destination Store as Computer certificate store – Intermediate.

Confirm both the Root and Issuing CA certificate profiles have been created in the Configuration profiles pane.

Creating the Intune Profiles – Deployment of PKCS Certificate

We are now ready to create a profile to distribute certificates using our PFX Connector.

In the Configuration profiles pane click + Create profile

In the Create a profile pane select Windows 10 and later as the platform, Templates as the Profile type, and search for PKCS Certificate.

Click Create.

We should again give a meaningful name for this profile. In this case I will name it Test PKCS Machine Certificate Deployment and specify the PFX Connector and CA I will be using in the description.

Click Next.

In the Configuration settings we will need to supply some information.

Leave the Renewal Threshold at the default value of 20%

Leave the Certificate Validity Period at the default value of 1 Years

Set the KSP to Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software Key Store

In the Certification authority field specify the computer hostname of your Issuing Certification Authority

In the Certification authority name field give an informative name to your Issuing Certification Authority

In the Certificate template name field provide the template name.

Note: The template display name and template name are not the same thing. The template name is usually the display name without spaces.

Ensure Certificate type is set to Device.

Leave the default Subject name format of CN={{AAD_Device_ID}}

In the Extended key usage field use the Predefined value of Client Authentication.

Click Next

In the Assignments pane click Next. We will add assignments later.

In the Applicability Rules pane click next. We do not need to define applicability rules.

In the Review + Create Pane double check your configuration and once satisfied click Create.

Creating Security Group for Assignments

We are now ready to create a test deployment group for our certificate. Navigate to the Intune Endpoint Manager and select Groups.

Click + New group

In the New Group pane ensure the Group type is set to Security. Give a meaningful Group name and Group description. Leave Azure AD roles can be assigned to the group as No and set Membership type to Assigned. An Owner is not necessary for the test group, but make sure to add your test computer as a member of the group.

Once you are satisfied with the settings click Create

Deploying the Certificate Profile to your Test Group

Once the test group has been created and populated navigate to the Intune Endpoint Manager and select Devices > Configuration Profiles.

In each of the three profiles we have created (Deploy Root, Deploy Issuing CA, and Test PKCS Machine Certificate Deployment) update the assignments to include your test certificate deployment group. For each of these profiles this can be done by navigating to the Configuration Profile > Properties > Assignments. In Assignments under Included groups select + Add groups and search for the group you created. When you are finished click Review + save.

In the Review + save pane confirm your settings and click Save.

Repeat this process for each of the created profiles.

Once you have completed updating the assignment groups the Configuration profiles pane should list your configuration profiles as Assigned.

Verifying Certificate Deployment – Intune

In the Configuration Profiles you have created you can navigate to Device status and see the devices that currently have the profile configured for them and what state the deployment is in. A successful result should show Deployment Status – Succeeded

Note: It can take a while for Intune to sync. For this example I was waiting about 25 minutes. To speed the process up on the client you may be able to navigate to Access work or School, select your account, click Info, then click Sync.

Verifying Certificate Deployment – Client

Sign in to a Windows client you have deployed the certificate to. We have issued a test machine certificate, so we need to check the Local Computer store. Open the Run menu, enter certlm.msc, then press Enter. You will be presented with an MMC console for your local certificates. Navigate to Certificates – Local Computer > Personal > Certificates and we should see a certificate issued from our On-Prem Issuing Certification Authority.

If we examine the certificate and check the Certification Path Tab we can see the status is listed as OK and we have both our Root and Issuing Certification authorities trusted as well.
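The same checks can be scripted on the client, which also reveals something the MMC does not show directly: which key storage provider actually holds the private key, so you can confirm the TPM KSP option in the profile took effect. The script below is an added example and is not part of the original article; it assumes the issuing CA's subject contains LabGrassa (the lab name used in this guide) and that it runs elevated, since machine private keys are only accessible to administrators.

```powershell
# Added example (not from the original article): on the enrolled Windows 10 client, find the
# certificate the PFX Connector delivered and report what the Certification Path tab shows,
# plus the KSP holding the private key. Run elevated. Assumes the issuer contains 'LabGrassa'.
$IssuerMatch   = 'LabGrassa'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey }

foreach ($cert in $certs) {
    # Build the chain the same way the Certification Path tab does. Revocation checking is
    # disabled here because a lab CA often has no reachable CRL; keep it enabled in production.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Locate the private key. CNG keys surface as RSACng; 'Microsoft Platform Crypto Provider'
    # means the key lives in the TPM, 'Microsoft Software Key Storage Provider' means software.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider }
                elseif ($null -ne $rsa) { $rsa.GetType().Name }
                else { 'private key not accessible' }

    $templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }

    [pscustomobject]@{
        Subject     = $cert.Subject      # expected CN=<Azure AD Device ID> from {{AAD_Device_ID}}
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Template    = if ($templateExt) { $templateExt.Format($false) } else { '(none)' }
        ClientAuth  = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
        ChainOK     = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        KeyProvider = $provider
    }
}
```

A ChainOK of True with an empty ChainStatus corresponds to the OK status in the Certification Path tab; a failing chain usually means one of the two trusted certificate profiles has not applied yet.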

Verifying Certificate Deployment – Issuing Certification Authority

If we snap in to the Certification Authority MMC we can also see the request was sent through and issued.

Note that the requestor is the PFX Connector itself, not the client. We can see the proper template being utilized and common name for the client is the Azure AD Device ID, just like the variable we set in the configuration profile.

Final Thoughts

We have laid the ground work for certificate deployment from an On-Prem PKI to our Intune managed clients.

High Availability – From this point it would be a good idea to investigate high availability configurations, which thankfully are fairly easy to implement. We can simply add more PFX Connectors or Issuing CAs as required. A good first step would be to add at least two of each server if possible, since the current setup has two single points of failure: the PFX Connector and the Issuing CA itself.

Customized Attributes – It is easy to update the PFX configuration profiles such that you could craft certificates to meet your specific needs. Adding customized CN, SAN, and EKU values is as easy as updating the template.

User Certificates – Though we have created this test profile for device certificates the same process can be used to issue certificates directly to users. A useful configuration I have implemented in the past is to create profiles for both users and devices so that certificate based authentication can happen for both depending on the work flow.

Auditing – Any certificates issued should be available under the PKCS Configuration Profile > Certificates. If an in-depth audit of your CA is required check out my script on GitHub built for this purpose [ADCS-Scripts/Audit_Remote_CA_v0.1.ps1]. Simply filter the resulting report for the Templates created for each profile.

2 comments

  1. Great write-up and thanks for the mention! To make this blog even better perhaps it’s an idea to add the reference to the certificate monitoring section in the Intune/MEM console to keep track of the cert lifecycle (issuing/renewal/revocation)

    1. Hello Ronny,

      Thanks for the reply, and also thanks for writing your own articles to help my understanding. Certificate monitoring is a great idea and I will likely expand upon it in a future article.

      Thanks for the feedback!
