MSEndpointMgr

Certificate deployment for mobile devices using Microsoft Intune – Part 2 – Certificate templates

This part of the blog series will go into details about the required certificate templates and other prerequisites in terms of user and group configuration required.


Prerequisites

Before we get started with creating any certificate templates, we need to perform a few different tasks. We need to:

  • Create an Active Directory service account that the NDES service will run as
  • Create an Active Directory group named e.g. NDES Servers (optional, but recommended)

NDES service account

The service account is fundamentally important, since the NDES service will run under that identity. Create a new user in your Active Directory and name it e.g. SVC_NDES_Intune or, better yet, follow your internal naming convention. This service account does not require any delegated permissions at this point. Make sure the user holds the default logon rights: Log on locally, Log on as a service and Log on as a batch job. In some organizations, hardened policies may strip those rights.
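To catch a hardened policy that removed one of those rights before NDES is installed, the following added example (not code from the original post) exports the local user-rights assignment with secedit on the NDES member server and reports, for each of the three rights, whether the service account is granted it directly and who else holds it. The account name is an assumed placeholder; run it elevated.

```powershell
# Added example, not from the original post: report who holds the three logon rights the NDES
# service account needs. Run elevated on the NDES member server.
$Account = 'CONTOSO\SVC_NDES_Intune'   # assumed placeholder; use your service account

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

# secedit writes principals either as *SID or as account names; resolve ours so both forms match
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$rights = [ordered]@{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeServiceLogonRight     = 'Log on as a service'
    SeBatchLogonRight       = 'Log on as a batch job'
}

foreach ($r in $rights.GetEnumerator()) {
    # A right that is missing from the export is held by nobody on this server
    $line = $policy | Where-Object { $_ -like "$($r.Key) =*" } | Select-Object -First 1
    $holders = if ($line) {
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    } else { @() }
    $direct = ($holders -contains "*$sid") -or ($holders -contains $Account)
    '{0,-22} direct grant: {1,-5} holders: {2}' -f $r.Value, $direct, ($holders -join ' ')
}
```

A right held through group membership (for example local logon via BUILTIN\Users) shows up under the group's SID rather than the account, which is why the holder list is printed alongside the direct-grant flag.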

NDES Server group

Create a new group named e.g. NDES Servers and add the member server that will have the NDES server role and Intune Certificate Connector installed to that group. Make sure that you remember to restart the member server after adding it to this group. Note that this group is in addition to the NDES service account created above, not a replacement for it. The group will be given permissions on the certificate templates so that the member server meant for NDES has certificate enrollment permissions. I should point out that this group is not a requirement, though. But if you’re going to deploy NDES in a High-Availability setup, it makes it easier to simply add a new server to a group than to edit permissions on a certificate template.

Certificate templates overview

Distributing certificates from an internal PKI requires certificate templates to be made available for identities to enroll. It’s not an absolute requirement that you follow the certificate template configuration outlined in this blog post; in fact, I’d recommend that you follow your internal organization policies around the topic of certificate template management. However, I must point out that it’s important to ensure the certificate templates match what’s presented in this part of the series, otherwise it could lead to issues in the next parts of the series that are hard to troubleshoot.

As for the validity period on certificate templates, iOS and macOS will always use what’s configured in the certificate template. However, it’s possible to configure your Certificate Authority to honor the validity period specified within the certificate request. Microsoft Intune supports specifying this when creating the SCEP Certificate profile.

On your Certificate Authority, run the following commands in the given sequence to enable this capability:

  • certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
  • net stop certsvc
  • net start certsvc
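The following added example (not from the original post) wraps the three steps above so they can be re-run safely: it reads the current policy module EditFlags with certutil -getreg, sets EDITF_ATTRIBUTEENDDATE only if it is missing, restarts certsvc, and confirms the flag is present afterwards. Run it elevated on the Certificate Authority.

```powershell
# Added example, not from the original post: idempotently enable EDITF_ATTRIBUTEENDDATE on the CA.
# certutil -getreg lists the symbolic flag names set in EditFlags, which is what we match on.
$before = certutil -getreg Policy\EditFlags
if ($before -match 'EDITF_ATTRIBUTEENDDATE') {
    Write-Host 'EDITF_ATTRIBUTEENDDATE is already set; no change made.'
} else {
    # Same command as in the post; the change only takes effect after certsvc restarts
    certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE | Out-Null
    Restart-Service -Name certsvc

    # Verify the flag actually landed rather than assuming the registry write succeeded
    $after = certutil -getreg Policy\EditFlags
    if ($after -match 'EDITF_ATTRIBUTEENDDATE') {
        Write-Host 'EDITF_ATTRIBUTEENDDATE set and certsvc restarted.'
    } else {
        Write-Warning 'EDITF_ATTRIBUTEENDDATE still not present; inspect the certutil output.'
    }
}
```

Once the flag is set, the validity period requested by the Intune SCEP profile is what the CA will honor for that request, so treat that profile setting with the same care as the template’s own validity period.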

NDES Server certificate template

This certificate template serves two purposes. It’ll be used for issuing an SSL certificate for binding in IIS to enable HTTPS on the NDES server. Secondly, we require another certificate for the Intune Certificate Connector setup. More about the two certificates will be covered in the next part of this series. Below you’ll find the required configuration of this certificate template.

  • In the Certificate Authority management console, right-click on Certificate Templates and select Manage.
  • Right-click and duplicate the Web Server certificate template in the Certificate Templates console that just opened.
  • Name the certificate template NDES Server.
  • For the Compatibility tab, ensure the following configuration is made:
  • On the Request Handling tab, ensure that the Allow private key to be exported setting is not selected.
  • For Cryptography ensure the minimum key size is set to 2048.
  • Ensure that the Subject Name is supplied within the request.
  • Add the Client Authentication application policy as shown below. This additional application policy is required for the certificate that’ll be used when setting up the Intune Certificate Connector later in this blog series.
  • On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the group created earlier in this post containing the NDES member server and give it Read and Enroll permissions.

You should now have the first required certificate template configured properly. Continue with the other certificate template as outlined below.

NDES Intune certificate template

Unlike the previously created certificate template, this one will be used when the NDES service account requests certificates on behalf of mobile devices. This certificate template is essentially the blueprint for the certificates that end up on the mobile devices.

  • In the Certificate Authority management console, right-click on Certificate Templates and select Manage.
  • Right-click and duplicate the User certificate template in the Certificate Templates console that just opened.
  • Name the certificate template e.g. NDES Intune. Make a note of the Template name (not the template display name), as we’ll be using this in the next part of this series.
  • As for the Compatibility tab, ensure the following configuration.
  • Ensure the following configuration is made on the Request Handling tab.
  • Ensure the following configuration is made on the Cryptography tab.
  • As for Extensions, ensure the following three application policies are present.
  • Still on the Extensions tab, ensure that the following configuration is made. Click Edit and make sure that Signature is proof of origin (nonrepudiation) is not selected. This is required for iOS devices.
  • Select Supply in the request as the option on the Subject Name tab.
  • On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the NDES service account created earlier in this post.
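Because both templates have the subject supplied in the request, the Security tab is the control that matters most, and the settings above are easy to get subtly wrong in the GUI. The following added example (not code from the original post) audits both the NDES Server and the NDES Intune template as stored in the Configuration partition of Active Directory: it checks the settings this part of the series calls for and lists every principal that holds the Enroll right. It assumes the ActiveDirectory module (RSAT) is installed, that you can read the Configuration partition, and that the template CNs are NDESServer and NDESIntune, which is what the display names used in the post produce by default; substitute the Template name you noted earlier if yours differ.

```powershell
# Added example, not from the original post: audit the two NDES templates in AD.
Import-Module ActiveDirectory

# Flag values and OIDs used by the msPKI-* / pKI* template attributes
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: Supply in the request
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: Allow private key to be exported
$OID_ServerAuth    = '1.3.6.1.5.5.7.3.1'
$OID_ClientAuth    = '1.3.6.1.5.5.7.3.2'
$KU_NonRepudiation = 0x40                   # first byte of pKIKeyUsage
$EnrollRightGuid   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

function Get-NdesTemplate([string]$Name) {
    Get-ADObject -SearchBase $templatesDn -LDAPFilter "(cn=$Name)" -Properties `
        'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size',
        'pKIExtendedKeyUsage', 'pKIKeyUsage'
}

# Principals that can enroll: explicit Enroll ACEs, "all extended rights" ACEs, and GenericAll
function Get-EnrollPrincipals($Template) {
    $acl = Get-Acl -Path "AD:\$($Template.DistinguishedName)"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) -or
            ((($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)))
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$server = Get-NdesTemplate 'NDESServer'   # assumed CN, see lead-in
$intune = Get-NdesTemplate 'NDESIntune'   # assumed CN, see lead-in
if (-not $server -or -not $intune) { throw 'Template not found; check the Template name (not the display name).' }

$results = [ordered]@{
    # NDES Server template section of the post
    'NDESServer: subject supplied in request' = ($server.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'NDESServer: private key not exportable'  = ($server.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -eq 0
    'NDESServer: minimum key size 2048'       = $server.'msPKI-Minimal-Key-Size' -ge 2048
    'NDESServer: Server Authentication EKU'   = $server.pKIExtendedKeyUsage -contains $OID_ServerAuth
    'NDESServer: Client Authentication EKU'   = $server.pKIExtendedKeyUsage -contains $OID_ClientAuth
    # NDES Intune template section of the post
    'NDESIntune: subject supplied in request' = ($intune.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'NDESIntune: Client Authentication EKU'   = $intune.pKIExtendedKeyUsage -contains $OID_ClientAuth
    'NDESIntune: nonrepudiation not set'      = (-not $intune.pKIKeyUsage) -or (($intune.pKIKeyUsage[0] -band $KU_NonRepudiation) -eq 0)
}

foreach ($r in $results.GetEnumerator()) {
    '{0,-4} {1}' -f $(if ($r.Value) { 'OK' } else { 'FAIL' }), $r.Key
}
'Enroll on NDESServer: ' + ((Get-EnrollPrincipals $server) -join ', ')
'Enroll on NDESIntune: ' + ((Get-EnrollPrincipals $intune) -join ', ')
```

The two Enroll lines are the ones to read carefully: for NDES Server you expect only the NDES Servers group (plus whatever your policy requires), and for NDES Intune only the NDES service account. Anything else left over from the duplicated Web Server or User template, such as Domain Admins or Domain Users, should be removed as described above.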

That covers the final certificate template configuration required. Double check that you’ve configured both templates accordingly; I can’t stress enough how important this is, as a mistake here will lead to issues deploying certificates to your mobile devices.

Issue certificate templates

As the final section of this part in the series, we need to publish the two newly created certificate templates so they’re available and can be used to issue certificates.

  • In the Certificate Authority management console, right-click on Certificate Templates, select New and then Certificate Template to Issue.
  • Publish both the NDES Intune and NDES Server certificate templates.

In the next part of this series, we will issue two different certificates based on the NDES Server certificate template, set up Azure AD Application Proxy and install NDES.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

3 comments

  • Hi Nickolaj!

    Thanks for writing this series of posts! I’m trying to use a gMSA to run the NDES service, but it looks like the SCEP requests never make it to the CA. I’m getting this error on Windows 10:

    SCEP Certificate enrollment for CONTOSO\dan via https://ndes.contoso.com/certsrv/mscep/mscep.dll/pkiclient.exe failed:

    PkiStatus(2): SCEPDispositionFailure
    FailInfo(1): SCEPFailBadMessageCheck
    EnrollStatus(256): EnrollDenied
    The client certificate credentials were not recognized. 0x2f9a (WinHttp: 12186 ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY)
    ProcessResponseMessage
    Submit(Request): OK
    HTTP/1.1 200 OK
    Date: Thu, 30 May 2019 07:10:14 GMT
    Content-Length: 731
    Content-Type: application/x-pki-message
    Server: Microsoft-IIS/10.0 Microsoft-HTTPAPI/2.0

    Do you have any troubleshooting recommendations of where to start? Should I remove the gMSA and see if the configuration works with a normal user account or do you have any other thoughts of where to start?

    Thanks,
    Dan

  • Hi Nickolaj

    Thanks for a great blog post!
    One thought, in the section on creating the NDES Intune Certificate template you write:
    “On the Security tab, remove Enroll permissions for Domain Admins and Enterprise Admins. Also remove any other unnecessary identity that should not be able to enroll a certificate from this template. Add the NDES service account created earlier in this post.”

    Shouldn’t that also be the NDES server group as in the NDES server certificate template?

    • Hi Jonas,

      If I understand your question right, no. The NDES Intune certificate template only requires the NDES service account to have enrollment permissions, as this template is used for enrolling certificates to the mobile devices via NDES and essentially by the service account.

      Regards,
      Nickolaj
