Earlier in this blog series we covered creating the certificate templates, issuing the certificates the NDES server needs, and automating the installation of the NDES server role including all of the required post-installation configuration. In this part we'll cover how to install the Intune Certificate Connector and connect the NDES server to your tenant and Microsoft Intune.

Download the Intune Certificate Connector

The Intune Certificate Connector is an on-premises application that contains an NDES policy module, referred to as the NDES Connector. It also includes the Certificate Registration Service (the counterpart of the CRP in a ConfigMgr hybrid setup with Intune), which is installed and runs in IIS on the NDES server. The Intune Certificate Connector setup file is downloaded from the Intune blades in the Azure portal.

  • Sign in to the Azure portal (portal.azure.com).
  • Locate the Intune blade and select Device Configuration.
  • From within the Device Configuration blade, select Certificate Authority.
  • Click on the Add button in the top menu.
  • In the new blade that opens, click on the link that says Download the certificate connector software under the SCEP section.
  • This will start the download of NDESConnectorSetup.exe.
  • Copy this file to the NDES server.

Install the Intune Certificate Connector

Installing the Intune Certificate Connector software is like installing any other software. There is, however, one thing that will cause the installation to fail if you overlook it: NDESConnectorSetup.exe must be run elevated right from the start.

  • Right-click on the NDESConnectorSetup.exe file and select Run as administrator.
  • Click Next when the setup wizard appears.
  • Accept the license terms and click Next.
  • Accept the default installation path or choose a different one and click Next.
  • Select SCEP and PFX Profile Distribution and click Next.
  • Click on the Select button.
  • Locate the NDES Client Certificate and click OK.
  • Click Next.
  • Click Next again.
  • Click Install.
  • Select to launch the Intune Connector and click Finish. If you forgot to tick the check box, you can manually launch NDESConnectorUI.exe from the following location:
    C:\Program Files\Microsoft Intune\NDESConnectorUI
  • Click Sign In. If you get an IE prompt, turn off Internet Explorer Enhanced Security Configuration on the NDES server for the time being, before you click Sign In. The NDES installation script should have taken care of this, but I've had various experiences with that unfortunately. Re-launch the Intune Connector manually if you had to turn it off.
  • Enter valid Intune Service Administrator or Global Admin credentials and complete the sign in. Ensure that the account you specify has an Intune license assigned, otherwise you'll see an error with a message like "user not found".
  • Click OK in the prompt that appears if the enrollment completed successfully.
  • On the Advanced tab you can configure the identity that will be used for handling certificate revocation. By default it's the computer account of the server where you've installed the Intune Certificate Connector, in this case the NDES server. For revocation to work properly, the identity you specify here must also be granted the Issue and Manage Certificates permission on your issuing Certificate Authority. You delegate that permission by opening the Certificate Authority management console and right-clicking the Certificate Authority name. Under the Security tab, add the identity and give it the proper permissions.
  • Finally, click the Apply button in the NDES Connector window and then Close.

For troubleshooting or general knowledge purposes, the Intune Certificate Connector gets installed in the following default location:

  • C:\Program Files\Microsoft Intune

Here are a few good log locations to be aware of as well:

  • C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs (that’s right, two Logs folders)
  • C:\Program Files\Microsoft Intune\NDESPolicyModule\Logs
  • C:\inetpub\logs\LogFiles\W3SVC1
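As an added example (not code from the original post), here is a PowerShell post-install health check that ties the steps above together: it confirms the connector service is running, reports whether IE Enhanced Security Configuration was left disabled after the Sign In step, and scans the newest file in each log location listed above for error lines. The service name 'NDESConnectorSvc', the Active Setup registry key used to read the IE ESC state for administrators, and the error-line regex are assumptions of this example, not details taken from the post.

```powershell
# Added example, not from the original post. Assumptions: the connector runs as the
# Windows service 'NDESConnectorSvc', IE ESC (administrators) is read from the Active
# Setup key below (IsInstalled 1 = enabled, 0 = disabled), and error lines are found
# with a simple heuristic regex (including IIS 5xx status codes in the W3SVC1 log).
function Test-IntuneConnectorHealth {
    [CmdletBinding()]
    param(
        [string]$InstallRoot = 'C:\Program Files\Microsoft Intune',
        [int]$LogTail = 50
    )

    # 1. The connector service must be running for SCEP/PFX requests to be processed.
    $svc = Get-Service -Name 'NDESConnectorSvc' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Connector service'; Result = if ($svc) { $svc.Status } else { 'Not installed' } }

    # 2. IE ESC only needs to be off during the Sign In step; flag it if it was left disabled.
    $escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $esc = (Get-ItemProperty -Path $escKey -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    [pscustomobject]@{
        Check  = 'IE ESC (administrators)'
        Result = if ($esc -eq 1) { 'Enabled' } elseif ($esc -eq 0) { 'Disabled - re-enable after sign in' } else { 'Unknown' }
    }

    # 3. Look at the newest log file in each location the post lists.
    $logDirs = @(
        (Join-Path $InstallRoot 'NDESConnectorSvc\Logs\Logs'),   # yes, two Logs folders
        (Join-Path $InstallRoot 'NDESPolicyModule\Logs'),
        'C:\inetpub\logs\LogFiles\W3SVC1'
    )
    foreach ($dir in $logDirs) {
        if (-not (Test-Path -Path $dir)) {
            [pscustomobject]@{ Check = $dir; Result = 'Folder missing' }
            continue
        }
        $latest = Get-ChildItem -Path $dir -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $latest) {
            [pscustomobject]@{ Check = $dir; Result = 'No log files' }
            continue
        }
        # Heuristic: connector/policy-module errors, or an IIS 5xx status in the W3C log.
        $suspicious = Get-Content -Path $latest.FullName -Tail $LogTail |
            Where-Object { $_ -match 'error|exception|fail|\s5\d\d\s' }
        [pscustomobject]@{
            Check  = $latest.FullName
            Result = if ($suspicious) { "$(@($suspicious).Count) suspicious line(s) in last $LogTail" } else { 'Clean' }
        }
    }
}

Test-IntuneConnectorHealth | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the NDES server; any line that is not Running, Enabled or Clean points you at the component and log file to open next.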

Rename connector

One last thing we'll cover in this part of the series is how to rename the connector that is created in the Intune portal once the enrollment of the Intune Certificate Connector has completed. By default it gets a generated name like certificate_connector_<date/time>. It's recommended that you change the name to include the name of the server the connector is running on, especially for future reference if you're going to look into High Availability and NDES certificate distribution.

  • Sign in to the Azure portal (portal.azure.com).
  • Locate the Intune blade and go to the Device Configuration blade.
  • Select Certification Authority and locate the newly added connector.
  • Click on it and, in the new blade that opens up, edit the name field.
  • Click Save.

In the next part of this series we’ll cover how to configure and assign a SCEP Certificate Profile to users and distribute a certificate to a mobile device.

Nickolaj Andersen

Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.
