This part of the blog series will go into details about the required certificate templates and other prerequisites in terms of user and group configuration required.

Blog series overview

Prerequisites

Before we get started with creating any certificate templates, we need to perform a few different tasks. We need to:

  • Create an Active Directory service account that the NDES service will run as
  • Create an Active Directory group named e.g. NDES Servers (optional, but recommended)

NDES service account

The service account is fundamentally important, since the NDES service will run under that identity. Create a new user in your Active Directory and name it e.g. SVC_NDES_Intune, or better yet, follow your internal naming convention. This service account does not require any delegated permissions at this point. Make sure the user retains the default user rights: Log on locally, Log on as a service and Log on as a batch job. In some organizations, hardened policies may remove those rights.

NDES Server group

Create a new group named e.g. NDES Servers and add the member server that will have the NDES server role and the Intune Certificate Connector installed to that group. Make sure that you remember to restart the member server after adding it to this group, since the new group membership is only picked up in its token after a restart. In addition to this group, the NDES service account created above is also required. This group will be given permissions on the certificate templates so that the member server meant for NDES will have certificate enrollment permissions. I should point out that this group is not a requirement, though. But if you’re going to deploy NDES in a High-Availability setup, it’d be easier to simply add a new server to the group than to edit permissions on a certificate template.
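The prerequisites above as a script. This is an added example, not code from the original post: it creates the service account and the NDES Servers group with the RSAT ActiveDirectory module, and a second function reports who holds the local logon rights on the NDES member server so a hardened policy that strips them stands out. The OU path, the computer name NDES01 and the description strings are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ServiceAccount = 'SVC_NDES_Intune'                       # name used in the post
$GroupName      = 'NDES Servers'                          # name used in the post
$NdesServer     = 'NDES01'                                # assumed member server name
$TargetOU       = 'OU=Service Accounts,DC=contoso,DC=com' # assumed OU

function New-NdesPrerequisites {
    # Prompt for the password so it is never stored in the script or shell history
    $password = Read-Host -AsSecureString -Prompt "Password for $ServiceAccount"

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'")) {
        New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount -Path $TargetOU `
            -AccountPassword $password -Enabled $true `
            -Description 'NDES service account (Intune SCEP)'
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Path $TargetOU -Description 'Member servers running NDES'
    }
    # Computer objects are added like any other member; the server must be restarted
    # afterwards before the membership shows up in its token
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $NdesServer)
}

function Get-LogonRightAssignments {
    # Run this on the NDES member server itself, elevated. It exports the effective
    # local security policy and resolves who holds the allow and deny logon rights.
    $cfg = Join-Path $env:TEMP 'ndes-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    $rights = 'SeInteractiveLogonRight','SeServiceLogonRight','SeBatchLogonRight',
              'SeDenyInteractiveLogonRight','SeDenyServiceLogonRight','SeDenyBatchLogonRight'
    foreach ($right in $rights) {
        $line = $lines | Where-Object { $_ -like "$right *" } | Select-Object -First 1
        $principals = @()
        if ($line) {
            $principals = ($line -split '=')[1].Trim() -split ',' | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading '*'; translate them to account names
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }
                } else { $entry }
            }
        }
        [pscustomobject]@{
            Right      = $right
            # An undefined right means the local default applies (no explicit policy)
            Defined    = [bool]$line
            Principals = $principals -join '; '
        }
    }
}

# Usage: run New-NdesPrerequisites from a machine with RSAT, then on the NDES server:
#   Get-LogonRightAssignments | Format-Table -AutoSize
```

The service account should appear (directly or through a group such as Users) under the three allow rights and under none of the three deny rights; a deny entry always wins, which is the usual way a hardening baseline breaks the NDES service logon.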

Certificate templates overview

Distributing certificates from an internal PKI requires certificate templates to be made available for identities to enroll. It’s not an absolute requirement that you follow the certificate template configuration outlined in this blog post; in fact I’d recommend that you follow your internal organization policies around the topic of certificate template management. However, I must point out that it’s important that you configure the certificate templates in line with what’s presented in this part of the series, otherwise it could lead to issues in the next parts of the series that are hard to troubleshoot.

As for the validity period on certificate templates, iOS and macOS will always use what’s configured in the certificate template. However, it’s possible to configure your Certificate Authority to honor the validity period specified within the certificate request. Microsoft Intune supports specifying this when creating the SCEP certificate profile.

On your Certificate Authority, run the following commands in the given sequence to enable this capability:

  • certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
  • net stop certsvc
  • net start certsvc
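A check for the result of the three commands above, run on the CA. This is an added example, not from the original post: it parses the flag names that certutil -getreg prints, so no bit values are hard-coded, and reports whether EDITF_ATTRIBUTEENDDATE is now set.

```powershell
# Added example, not from the original post. Run on the CA in an elevated prompt.
function Get-CaEditFlags {
    $out = certutil -getreg Policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed: $out" }
    # certutil prints each set flag on its own line as "    EDITF_XXX -- <value>"
    $out | ForEach-Object {
        if ($_ -match '^\s*(EDITF_\w+)\s+--') { $Matches[1] }
    }
}

function Test-CaEditFlags {
    $flags = @(Get-CaEditFlags)
    [pscustomobject]@{
        # Required for Intune to control the validity period from the SCEP profile
        AttributeEndDateEnabled     = $flags -contains 'EDITF_ATTRIBUTEENDDATE'
        # Same registry value, different flag: should stay false, because with it set
        # any enrollee can ask for an arbitrary subject alternative name via request attributes
        AttributeSubjectAltName2Set = $flags -contains 'EDITF_ATTRIBUTESUBJECTALTNAME2'
        AllFlags                    = $flags -join ', '
    }
}

Test-CaEditFlags
```

If AttributeEndDateEnabled is false after the service restart, re-run the certutil -setreg command from the list above and restart certsvc again; the registry change is not read until the service restarts.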

NDES Server certificate template

This certificate template serves two purposes. It’ll be used for issuing an SSL certificate for the IIS binding that enables HTTPS on the NDES server. Secondly, we require another certificate for the Intune Certificate Connector setup. More about the two certificates will be covered in the next part of this series. Below you’ll find the required configuration of this certificate template.

  • In the Certificate Authority management console, right-click on Certificate Templates and select Manage.
  • Right-click and duplicate the Web Server certificate template in the Certificate Templates console that just opened.
  • Name the certificate template NDES Server.
  • For the Compatibility tab, ensure the following configuration is made:
  • On the Request Handling tab, ensure that the Allow private key to be exported setting is not selected.
  • For Cryptography ensure the minimum key size is set to 2048.
  • Ensure that the Subject Name is supplied within the request.
  • Add the Client Authentication application policy as shown below. This additional application policy is required for the certificate that’ll be used when setting up the Intune Certificate Connector later in this blog series.
  • On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the group created earlier in this post containing the NDES member server and give it Read and Enroll permissions.

You should now have the first required certificate template configured properly. Continue with the other certificate template as outlined below.

NDES Intune certificate template

Unlike the previously created certificate template, this one will be used when the NDES service account requests certificates on behalf of mobile devices. This certificate template is essentially the blueprint for the certificate that ends up on a mobile device.

  • In the Certificate Authority management console, right-click on Certificate Templates and select Manage.
  • Right-click and duplicate the User certificate template in the Certificate Templates console that just opened.
  • Name the certificate template e.g. NDES Intune. Make a note of the Template name (not the template display name), as we’ll be using this in the next part of this series.
  • As for the Compatibility tab, ensure the following configuration.
  • Ensure the following configuration is made on the Request Handling tab.
  • Ensure the following configuration is made on the Cryptography tab.
  • As for Extensions, ensure the following three application policies are present.
  • Still on the Extensions tab, ensure that the following configuration is made. Click Edit and make sure that Signature is proof of origin (nonrepudiation) is not selected. This is required for iOS devices.
  • Select Supply in the request as the option on the Subject Name tab.
  • On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the NDES service account created earlier in this post.
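A way to verify both templates (NDES Server above and NDES Intune here) once they are saved, instead of clicking through every tab again. This is an added example, not code from the original post: it reads each template object back from the Configuration partition and checks the settings the post calls out (subject supplied in the request, non-exportable key, 2048-bit minimum, Client Authentication application policy, non-repudiation cleared) and lists who holds the Enroll right. It requires the RSAT ActiveDirectory module. The template names NDESServer and NDESIntune are assumptions (the template name, not the display name); adjust them to what you typed.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Well-known values from the certificate template schema
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag
$KU_NON_REPUDIATION                = 0x40   # bit in the first byte of pKIKeyUsage
$OID_SERVER_AUTH   = '1.3.6.1.5.5.7.3.1'
$OID_CLIENT_AUTH   = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT_GUID = [guid]'0e10c968-78fb-11d1-a3d3-000000000000'   # Certificate-Enrollment

function Get-NdesTemplate {
    param([Parameter(Mandatory)][string]$Name)
    $props = 'displayName','msPKI-Minimal-Key-Size','msPKI-Private-Key-Flag',
             'msPKI-Certificate-Name-Flag','msPKI-Certificate-Application-Policy','pKIKeyUsage'
    Get-ADObject -SearchBase $TemplateDN -Filter "cn -eq '$Name'" -Properties $props
}

function Get-TemplateEnrollers {
    # Identities allowed the Enroll extended right, all extended rights, or GenericAll
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
            ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object -ExpandProperty IdentityReference -Unique |
        ForEach-Object { $_.Value }
}

function Test-NdesTemplate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$RequiredEku = @(),
        [switch]$ForbidNonRepudiation
    )
    $t = Get-NdesTemplate -Name $Name
    if (-not $t) { return [pscustomobject]@{ Template = $Name; Found = $false } }

    $eku = @($t.'msPKI-Certificate-Application-Policy')
    $ku  = if ($t.pKIKeyUsage) { [int]$t.pKIKeyUsage[0] } else { 0 }
    [pscustomobject]@{
        Template            = $Name
        Found               = $true
        DisplayName         = $t.displayName
        SubjectInRequest    = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        KeyNotExportable    = -not ($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
        MinKeySizeOk        = [int]$t.'msPKI-Minimal-Key-Size' -ge 2048
        RequiredEkuPresent  = @($RequiredEku | Where-Object { $_ -notin $eku }).Count -eq 0
        NonRepudiationClear = (-not $ForbidNonRepudiation) -or (($ku -band $KU_NON_REPUDIATION) -eq 0)
        ApplicationPolicies = $eku -join ', '
        Enrollers           = (Get-TemplateEnrollers -DistinguishedName $t.DistinguishedName) -join '; '
    }
}

# NDES Server was duplicated from Web Server, so Server Authentication is already present
# and Client Authentication was added by hand. NDES Intune must have non-repudiation cleared.
Test-NdesTemplate -Name 'NDESServer' -RequiredEku $OID_SERVER_AUTH, $OID_CLIENT_AUTH
Test-NdesTemplate -Name 'NDESIntune' -ForbidNonRepudiation
```

Compare ApplicationPolicies for NDES Intune against the three policies shown in the Extensions tab, and expect Enrollers to contain only the NDES Servers group on the first template and only the service account on the second. Both templates let the requester supply the subject name, which is exactly why the Security tab steps strip Domain Admins, Enterprise Admins and every other identity that does not need to enroll.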

That covers the final certificate template configuration required. Double-check that you’ve configured them accordingly; I can’t stress enough how important this is, as mistakes here may lead to issues deploying certificates to your mobile devices.

Issue certificate templates

As the final section of this part in the series, we need to publish the two newly created certificate templates so they’re available and can be used to issue certificates.

  • In the Certificate Authority management console, right-click on Certificate Templates, select New and then Certificate Template to Issue.
  • Publish both the NDES Intune and NDES Server certificate templates.
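A quick confirmation that both templates are published on the CA, as an added example rather than code from the original post. It parses the output of certutil -CATemplates, which lists every template the CA is configured to issue. The template names NDESServer and NDESIntune are assumptions; use your own template names (not display names).

```powershell
# Added example, not from the original post. Run on the CA.
function Get-CaIssuedTemplates {
    $out = certutil -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed: $out" }
    # Each issued template is printed as "<TemplateName>: <Display Name> -- <access info>"
    $out | ForEach-Object {
        if ($_ -match '^(\S+):\s.*--') { $Matches[1] }
    }
}

function Test-CaIssuedTemplates {
    param([string[]]$Expected = @('NDESServer', 'NDESIntune'))   # assumed template names
    $issued = @(Get-CaIssuedTemplates)
    foreach ($name in $Expected) {
        [pscustomobject]@{ Template = $name; Published = ($issued -contains $name) }
    }
}

Test-CaIssuedTemplates | Format-Table -AutoSize
```

If a template shows Published as false, publish it with the console steps above (or with certutil -SetCATemplates +TemplateName) and run the check again.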

In the next part of this series, we will issue two different certificates based on the NDES Server certificate template, set up Azure AD Application Proxy and install NDES.


Nickolaj Andersen

Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.
