Microsoft Intune supports the use of PKCS (Public-Key Cryptography Standards) certificates, which are delivered to devices as private/public key pairs in PKCS #12 (.pfx) form. This article describes what's required to use PKCS certificates with Intune, including exporting a PKCS certificate and adding it to an Intune device configuration profile.
Microsoft Intune includes built-in settings for using PKCS certificates to access and authenticate to your organization's resources. Certificates authenticate and secure access to corporate resources such as a VPN or Wi-Fi network. You deploy these settings to devices using device configuration profiles in Intune.
For information about using imported PKCS certificates, see Imported PFX certificates.
Tip
PKCS certificate profiles are supported on Windows Enterprise multi-session remote desktops.
Requirements
To use PKCS certificates with Intune, you need the following infrastructure:
Active Directory domain:
All servers listed in this section must be joined to your Active Directory domain. For more information about installing and configuring Active Directory Domain Services (AD DS), see AD DS Design and Planning.
Certification authority:
An Enterprise Certification Authority (CA). For information about installing and configuring Active Directory Certificate Services (AD CS), see the Active Directory Certificate Services Step-by-Step Guide.
Note
Intune requires that you run AD CS with an Enterprise Certification Authority (CA), not a Standalone CA.
A client:
To connect to the Enterprise CA.
Root certificate:
An exported copy of your root certificate from your Enterprise CA.
Certificate Connector for Microsoft Intune:
For information about the certificate connector, see:
- overview of the Certificate Connector for Microsoft Intune
- prerequisites
- installation and configuration
Export the Enterprise CA root certificate
To authenticate a device to a VPN, Wi-Fi network, or other resource, the device needs a root or intermediate CA certificate. The following steps explain how to get the required certificate from your Enterprise CA.
Use a command line:
Sign in to the root CA server with an administrator account.
Go to Start > Run, and then type cmd to open the command prompt.
Enter certutil -ca.cert ca_name.cer to export the root certificate as a file named ca_name.cer.
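The following PowerShell is an added example, not part of the original article. It runs the same certutil export, then checks whether the exported certificate is self-signed (a true root) or an issuing CA certificate; in a two-tier hierarchy, certutil on the issuing CA returns the issuing CA's own certificate, so the script also pulls the root from the server's local Root store. The file names and the use of $env:TEMP are assumptions; run it in an elevated session on the CA server.

```powershell
# Added example (not from the original article): export the CA certificate with
# certutil and confirm whether it is a root (self-signed) or an issuing CA
# certificate before uploading it to a trusted certificate profile.
# Assumption: elevated PowerShell session on the CA server; paths are placeholders.
$outFile = Join-Path $env:TEMP 'ca_name.cer'   # same file name the article uses

# -f overwrites an existing file; -ca.cert writes the certificate of the CA this host runs.
certutil -f -ca.cert $outFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($outFile)
$isSelfSigned = ($cert.Subject -eq $cert.Issuer)

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    IsRootCA   = $isSelfSigned
}

if (-not $isSelfSigned) {
    # Two-tier hierarchy: this is the issuing (intermediate) CA certificate. The
    # trusted certificate profile needs the root, which the issuing CA keeps in
    # its own machine Root store. If the root was renewed, take the newest copy.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $root) {
        throw "Root CA certificate for '$($cert.Issuer)' not found in Cert:\LocalMachine\Root"
    }
    $rootFile = Join-Path $env:TEMP 'root_ca.cer'
    Export-Certificate -Cert $root -FilePath $rootFile -Type CERT | Out-Null
    "Issuing CA certificate written to $outFile; root CA certificate written to $rootFile"
}
```

Upload the root to the trusted certificate profile; if you deploy the issuing CA certificate too, use a separate trusted certificate profile for it rather than uploading a bundle.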
Configure certificate templates on the CA
Sign in to your Enterprise CA with an account that has administrative privileges.
Open the Certification Authority console, right-click Certificate Templates, and select Manage.
Find the User certificate template, right-click it, and select Duplicate Template. Properties of New Template opens.
Note
For S/MIME email signing and encryption scenarios, many administrators use separate certificates for signing and encryption. If you use Microsoft Active Directory Certificate Services, you can use the Exchange Signature Only template for S/MIME email signing certificates, and the Exchange User template for S/MIME encryption certificates. If you use a third-party certification authority, review its guidance on setting up signing and encryption templates.
On the Compatibility tab:
- Set Certification Authority to Windows Server 2008 R2
- Set Certificate recipient to Windows 7 / Server 2008 R2
On the General tab, set Template display name to something meaningful to you.
Note
By default, Template name is the same as Template display name with no spaces. Note the template name; you need it later.
In Request Handling, select Allow private key to be exported.
Note
Unlike SCEP, with PKCS the certificate's private key is generated on the server where the certificate connector is installed, not on the device. The certificate template must allow the private key to be exported so the connector can export the PFX certificate and send it to the device.
When the certificate is installed on the device itself, the private key is marked as non-exportable.
In Cryptography, confirm that the Minimum key size is set to 2048.
In Subject Name, choose Supply in the request.
In Extensions, confirm that Encrypting File System, Secure Email, and Client Authentication are listed under Application Policies.
Important
For iOS/iPadOS certificate templates, go to the Extensions tab, update Key Usage, and confirm that Signature is proof of origin isn't selected.
In Security:
- (Required): Add the computer account of the server on which you install the Certificate Connector for Microsoft Intune. Allow this account Read and Enroll permissions.
- (Optional but recommended): Remove the Domain Users group from the list of groups or user names that have permissions for this template: select the Domain Users group and select Remove. Review the remaining entries under Group or user names for permissions and applicability to your environment.
Select Apply > OK to save the certificate template. Close the Certificate Templates console.
In the Certification Authority console, right-click Certificate Templates > New > Certificate Template to Issue. Choose the template you created in the previous steps, and select OK.
For the server to manage certificates for enrolled users and devices, complete the following steps:
- Right-click the certification authority and select Properties.
- On the Security tab, add the computer account of the server on which you run the connector.
- Grant Issue and Manage Certificates and Request Certificates permissions to the computer account.
Sign out of the Enterprise CA.
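To confirm the duplicated template really ended up with the settings above, the following PowerShell is an added example, not from the original article or from Microsoft. It reads the template object from the Configuration partition with the RSAT ActiveDirectory module, decodes the relevant flags using the bit values documented in MS-CRTD, checks that the connector's computer account holds Read and Enroll on the template, and confirms the template is published on the CA. The template name IntunePKCSUser, the connector host CONNECTOR01 and the CA config string are placeholders you must replace.

```powershell
# Added example (not from the original article): verify the PKCS template
# settings and permissions from any domain-joined host with RSAT installed.
# Placeholders below are assumptions; replace them for your environment.
Import-Module ActiveDirectory

$templateName  = 'IntunePKCSUser'                          # Template name (no spaces)
$connectorHost = 'CONNECTOR01'                             # Host running the certificate connector
$caConfig      = 'ca01.corp.contoso.com\Contoso Issuing CA' # CA config string: host\CA name

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -Filter "cn -eq '$templateName'" `
    -Properties 'msPKI-Private-Key-Flag','msPKI-Minimal-Key-Size','msPKI-Certificate-Name-Flag',
                'pKIExtendedKeyUsage','pKIKeyUsage'
if (-not $tmpl) { throw "Template '$templateName' not found in AD" }

# Bit values from MS-CRTD (certificate template structure).
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x01   # msPKI-Certificate-Name-Flag: "Supply in the request"
$KU_NON_REPUDIATION                = 0x40   # first byte of pKIKeyUsage: "Signature is proof of origin"
$OID_CLIENT_AUTH  = '1.3.6.1.5.5.7.3.2'
$OID_SECURE_EMAIL = '1.3.6.1.5.5.7.3.4'
$OID_EFS          = '1.3.6.1.4.1.311.10.3.4'
$keyUsage = [byte[]]$tmpl.pKIKeyUsage

$checks = [ordered]@{
    'Private key exportable'              = ($tmpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    'Minimum key size >= 2048'            = $tmpl.'msPKI-Minimal-Key-Size' -ge 2048
    'Subject supplied in request'         = ($tmpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'EKU: Client Authentication'          = $tmpl.pKIExtendedKeyUsage -contains $OID_CLIENT_AUTH
    'EKU: Secure Email'                   = $tmpl.pKIExtendedKeyUsage -contains $OID_SECURE_EMAIL
    'EKU: Encrypting File System'         = $tmpl.pKIExtendedKeyUsage -contains $OID_EFS
    'Nonrepudiation not set (iOS/iPadOS)' = ($keyUsage[0] -band $KU_NON_REPUDIATION) -eq 0
}

# Enroll is an extended right on the template object, identified by this well-known GUID.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
$connectorAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$connectorHost`$" -and $_.AccessControlType -eq 'Allow'
}
$checks['Connector account has Read'] = [bool]($connectorAces | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -ne 0 })
$checks['Connector account has Enroll'] = [bool]($connectorAces | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
    $_.ObjectType -eq $enrollGuid })

# "Certificate Template to Issue" adds the template name to the CA's enrollment service object.
$caName = $caConfig.Split('\')[1]
$ca = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
    -Filter "cn -eq '$caName'" -Properties certificateTemplates
$checks['Template published on CA'] = $ca.certificateTemplates -contains $templateName

$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The CA-level permissions (Issue and Manage Certificates, Request Certificates) are held in the CA's own security descriptor rather than in AD; certutil -getreg CA\Security on the CA prints that descriptor as SDDL if you want to confirm them the same way.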
Download, install, and configure the Certificate Connector for Microsoft Intune
For instructions, see Install and configure the Certificate Connector for Microsoft Intune.
Create a trusted certificate profile
Sign in to the Microsoft Intune admin center.
Select and go to Devices > Configuration profiles > Create profile.
Enter the following properties:
- Platform: Choose the platform of the devices that will receive this profile.
  - Android device administrator
  - Android Enterprise:
    - Fully Managed
    - Dedicated
    - Corporate-Owned Work Profile
    - Personally-Owned Work Profile
  - iOS/iPadOS
  - macOS
  - Windows 10/11
- Profile: Select Trusted certificate. Or, select Templates > Trusted certificate.
Select Create.
In Basics, enter the following properties:
- Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is Trusted certificate profile for entire company.
- Description: Enter a description for the profile. This setting is optional, but recommended.
Select Next.
In Configuration settings, specify the .cer file for the root CA certificate you exported earlier.
Note
Depending on the platform you chose, you may have the option to choose the Destination store for the certificate.
Select Next.
In Assignments, select the users or groups that will receive your profile. For more granularity, see Create filters in Microsoft Intune, and apply them by selecting Edit filters.
Plan to deploy this certificate profile to the same groups that receive the PKCS certificate profile and the configuration profile, such as a Wi-Fi profile, that uses the certificate. For more information on assigning profiles, see Assign user and device profiles.
Select Next.
(Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to refine the assignment of this profile. You can choose to assign or not assign the profile based on the OS edition or version of a device.
For more information, see Applicability rules in Create a device profile in Microsoft Intune.
In Review + create, review your settings. When you select Create, your changes are saved and the profile is assigned. The policy is also shown in the profiles list.
Create a PKCS certificate profile
Sign in to the Microsoft Intune admin center.
Select and go to Devices > Configuration profiles > Create profile.
Enter the following properties:
- Platform: Select the platform of your devices. Your options:
  - Android device administrator
  - Android Enterprise:
    - Fully Managed
    - Dedicated
    - Corporate-Owned Work Profile
    - Personally-Owned Work Profile
  - iOS/iPadOS
  - macOS
  - Windows 10/11
- Profile: Select PKCS certificate. Or, select Templates > PKCS certificate.
Note
On devices with an Android Enterprise profile, certificates installed using a PKCS certificate profile aren't visible on the device. To confirm successful certificate deployment, check the status of the profile in the Intune admin center.
Select Create.
In Basics, enter the following properties:
- Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is PKCS profile for entire company.
- Description: Enter a description for the profile. This setting is optional, but recommended.
Select Next.
In Configuration settings, the settings you can configure depend on the platform you selected. The platform each setting applies to is given in parentheses:
- Renewal threshold (%) (all platforms): 20% is recommended.
- Certificate validity period (all platforms): If you didn't change the certificate template, this option may be set to one year. Use a validity period of five days up to 24 months. When the validity period is less than five days, there's a high likelihood that the certificate enters a near-expiry or expired state, which can cause the MDM agent on the device to reject the certificate before it's installed.
- Key storage provider (KSP) (Windows 10/11): In Windows, select where to store the keys on the device.
- Certification authority (all platforms): Displays the internal fully qualified domain name (FQDN) of your Enterprise CA.
- Certification authority name (all platforms): Displays the name of your Enterprise CA, such as "Contoso Certification Authority".
- Certificate template name (all platforms): Displays the name of your certificate template.
- Certificate type (Android Enterprise (corporate-owned and personally-owned work profile), iOS, macOS, Windows 10/11): Select a type:
  - User: User certificates can contain both user and device attributes in the subject and subject alternative name (SAN) of the certificate.
  - Device: Device certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.
  This selection affects the Subject name format.
- Subject name format (all platforms): For details on how to configure the subject name format, see Subject name format later in this article. For the following platforms, the subject name format is determined by the certificate type: Android Enterprise (work profile), iOS, macOS, Windows 10/11.
- Subject alternative name (all platforms): For Attribute, select User principal name (UPN) unless otherwise required, configure a Value, and then select Add. You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required. For more information, see Subject name format later in this article.
- Extended key usage (Android device administrator; Android Enterprise (Device Owner, corporate-owned and personally-owned work profile); Windows 10/11): Certificates usually require Client Authentication so that the user or device can authenticate to a server.
- Allow all apps access to private key (macOS): Set to Enable to give apps that are configured for the associated Mac device access to the private key of the PKCS certificate. For more information on this setting, see Allow all apps access in the Certificate payload section of the Configuration Profile Reference in Apple's developer documentation.
- Root Certificate (Android device administrator; Android Enterprise (Device Owner, corporate-owned and personally-owned work profile)): Select a root CA certificate profile that was previously assigned. This step only applies to Android Enterprise device profiles for Fully Managed, Dedicated, and Corporate-Owned work profile.
In Apps, configure Certificate access to manage how certificate access is granted to applications. Choose from:
- Require user approval for apps (default): Users must approve the use of a certificate by all applications.
- Grant silently for specific apps (require user approval for other apps): With this option, select Add apps, and then select one or more apps that will silently use the certificate without user interaction.
Select Next.
In Assignments, select the users or groups that will receive your profile. Plan to deploy this certificate profile to the same groups that receive the trusted certificate profile and the configuration profile, such as a Wi-Fi profile, that uses the certificate. For more information on assigning profiles, see Assign user and device profiles.
Select Next.
In Review + create, review your settings. When you select Create, your changes are saved and the profile is assigned. The policy is also shown in the profiles list.
Subject name format
When you create a PKCS certificate profile for the following platforms, the options for the subject name format depend on the certificate type you select, User or Device.
Platforms:
- Android Enterprise (corporate-owned and personally-owned work profile)
- iOS
- macOS
- Windows 10/11
Note
There's a known issue for using PKCS to get certificates, the same issue seen for SCEP, when the subject name in the resulting certificate signing request (CSR) includes one of the following characters as an escaped character (preceded by a backslash \):
- +
- ;
- ,
- =
Note
Beginning with Android 12, Android no longer supports use of the following hardware identifiers for personally-owned work profile devices:
- Serial number
- IMEI
- MEID
Intune certificate profiles for personally-owned work profile devices that rely on these variables in the subject name or SAN fail to provision a certificate on devices that run Android 12 or later at the time the device enrolled with Intune. Devices that enrolled before upgrading to Android 12 can still receive certificates as long as Intune previously obtained the device's hardware identifiers.
For more information about this and other changes introduced with Android 12, see the Day zero support for Android 12 with Microsoft Endpoint Manager blog post.
User certificate type
Format options for the Subject name format include two variables: Common Name (CN) and Email (E). Email (E) is usually set with the {{EmailAddress}} variable. For example: E={{EmailAddress}}
Common Name (CN) can be set to any of the following variables:
CN={{UserName}}: The user name of the user, such as Jane Doe.
CN={{UserPrincipalName}}: The user principal name of the user, such as janedoe@contoso.com.
CN={{AAD_Device_ID}}: An ID assigned when you register a device in Azure Active Directory (AD). This ID is typically used to authenticate with Azure AD.
CN={{DeviceId}}: An ID assigned when you enroll a device in Intune.
CN={{SerialNumber}}: The unique serial number (SN) typically used by the manufacturer to identify a device.
CN={{IMEINumber}}: The unique International Mobile Equipment Identity (IMEI) number used to identify a mobile phone.
CN={{OnPrem_Distinguished_Name}}: A sequence of relative distinguished names separated by commas, such as CN=Jane Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com.
To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the onpremisesdistinguishedname user attribute to your Azure AD using Azure AD Connect.
CN={{onPremisesSamAccountName}}: Admins can sync the samAccountName attribute from Active Directory to Azure AD using Azure AD Connect, into an attribute called onPremisesSamAccountName. Intune can substitute that variable as part of a certificate issuing request in the subject of a certificate. The samAccountName attribute is the user sign-in name used to support clients and servers from a previous version of Windows (pre-Windows 2000). The user sign-in name format is DomainName\testUser, or only testUser.
To use the {{onPremisesSamAccountName}} variable, be sure to sync the onPremisesSamAccountName user attribute to your Azure AD using Azure AD Connect.
All the device variables listed in the following Device certificate type section can also be used in user certificate subject names.
By using a combination of one or more of these variables and static text strings, you can create a custom subject name format, such as: CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US
That example includes a subject name format that uses the CN and E variables, and strings for Organizational Unit, Organization, Location, State, and Country values. The CertStrToName function describes this function and its supported strings.
User attributes aren't supported for devices that don't have user associations, such as devices that are enrolled as Android Enterprise dedicated. For example, a profile that uses CN={{UserPrincipalName}} in the subject or SAN can't get the UPN when there's no user on the device.
Device certificate type
Format options for the Subject name format include the following variables:
- {{AAD_Device_ID}}
- {{DeviceId}} - This is the Intune device ID
- {{Device_Serial}}
- {{Device_IMEI}}
- {{SerialNumber}}
- {{IMEINumber}}
- {{AzureADDeviceId}}
- {{WiFiMacAddress}}
- {{IMEI}}
- {{DeviceName}}
- {{FullyQualifiedDomainName}} (Only applicable for Windows and domain-joined devices)
- {{MEID}}
You can specify these variables, followed by the text for the variable, in the text box. For example, the common name for a device named Device1 can be added as CN={{DeviceName}}Device1.
Important
- When you specify a variable, enclose the variable name in curly brackets { } as shown in the example, to avoid an error.
- Device properties used in the subject or SAN of a device certificate, like IMEI, SerialNumber, and FullyQualifiedDomainName, are properties that could be spoofed by a person with access to the device.
- A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if {{IMEI}} is used in the subject name of a certificate profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install.
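The following PowerShell function is an added example, not part of the original article, that applies the rules from the User certificate type and Device certificate type sections to a subject name format string before you commit it to a profile: it expands {{Variable}} tokens from a table of constructed sample attributes, rejects user variables on a Device certificate and variables the device can't supply (the case in the last bullet above), warns when the expanded name contains an escaped + ; , or = (the known issue noted earlier), and parses the result as an X.500 name so a malformed RDN fails here rather than at issuance. The allowed-variable lists mirror the two sections above; case-insensitive matching and the sample values are assumptions of this helper, not statements about Intune's own parser.

```powershell
# Added example (not from the original article): dry-run an Intune subject name
# format against sample attributes and the rules the article states.
# Assumption: Windows PowerShell 5.1 or later on Windows.

# Variables the article lists for each certificate type.
$userVars   = 'UserName','UserPrincipalName','EmailAddress','OnPrem_Distinguished_Name','onPremisesSamAccountName'
$deviceVars = 'AAD_Device_ID','DeviceId','Device_Serial','Device_IMEI','SerialNumber','IMEINumber',
              'AzureADDeviceId','WiFiMacAddress','IMEI','DeviceName','FullyQualifiedDomainName','MEID'

function Expand-SubjectNameFormat {
    param(
        [Parameter(Mandatory)][string]$Format,
        [Parameter(Mandatory)][ValidateSet('User','Device')][string]$CertificateType,
        [Parameter(Mandatory)][hashtable]$Attributes   # variable name -> value this device/user supplies
    )
    # Device certificates may carry device attributes only; user certificates may carry both.
    $allowed = if ($CertificateType -eq 'Device') { $deviceVars } else { $userVars + $deviceVars }

    # Variables must be wrapped in {{ }}; matching is case-insensitive here (assumption).
    $tokens = [regex]::Matches($Format, '\{\{\s*([A-Za-z_]+)\s*\}\}')
    $expanded = $Format
    foreach ($t in $tokens) {
        $name = $t.Groups[1].Value
        if ($allowed -notcontains $name) {
            throw "Variable {{$name}} is not valid for a $CertificateType certificate"
        }
        if (-not $Attributes.ContainsKey($name) -or [string]::IsNullOrEmpty($Attributes[$name])) {
            # The device does not support this variable: the profile would fail to install.
            throw "Device does not supply {{$name}}; the profile would fail to install"
        }
        $expanded = $expanded.Replace($t.Value, [string]$Attributes[$name])
    }

    # Known issue: an escaped + ; , or = in the CSR subject breaks PKCS and SCEP issuance.
    if ($expanded -match '\\[+;,=]') {
        Write-Warning "Subject '$expanded' contains an escaped + ; , or = (known PKCS/SCEP issue)"
    }

    # Parse as an X.500 name: a malformed RDN string throws a CryptographicException here.
    [void][System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($expanded)
    return $expanded
}

# Constructed sample attributes (not real users or devices). No IMEI: a laptop.
$attrs = @{
    UserName                  = 'Jane Doe'
    UserPrincipalName         = 'janedoe@contoso.com'
    EmailAddress              = 'janedoe@contoso.com'
    OnPrem_Distinguished_Name = 'CN=Doe\, Jane,OU=UserAccounts,DC=corp,DC=contoso,DC=com'
    DeviceName                = 'Device1'
    SerialNumber              = 'SN0123456789'
}

# The article's user example, and a device example with static RDNs.
Expand-SubjectNameFormat -CertificateType User -Attributes $attrs `
    -Format 'CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US'
Expand-SubjectNameFormat -CertificateType Device -Attributes $attrs `
    -Format 'CN={{DeviceName}},OU=Kiosks,O=Contoso'

# A user variable on a Device certificate, and {{IMEI}} on a device without one: both rejected.
foreach ($f in 'CN={{UserPrincipalName}}', 'CN={{DeviceName}}-{{IMEI}}') {
    try { Expand-SubjectNameFormat -CertificateType Device -Attributes $attrs -Format $f }
    catch { Write-Host "Rejected '$f': $($_.Exception.Message)" }
}

# The synced DN carries an escaped comma, so it trips the known-issue warning. It is used
# here without a CN= prefix because the value already holds a full RDN sequence (this
# example's choice, not guidance from the article).
Expand-SubjectNameFormat -CertificateType User -Attributes $attrs -Format '{{OnPrem_Distinguished_Name}}'
```

The X500DistinguishedName check is deliberately strict: Intune hands the string to CertStrToName on the connector, so a string that .NET cannot encode would not produce a usable CSR either.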
Next steps
- Use SCEP for certificates
- Issue PKCS certificates from a Symantec PKI manager web service
- Troubleshoot PKCS certificate profiles