Forum Discussion
Intune Standalone Device-Based Certificate Issue
This has proven to be a royal pain for me for the past week, because the Microsoft documentation at https://docs.microsoft.com/en-us/intune/wi-fi-settings-ios is a bit ambiguous where it describes Server Trust - Certificate server names.
It states, "Add one or more common names used in the certificates issued by your trusted certificate authority (CA)." This sounds as if it's implying entering the common names of the clients' device certificates, e.g. *.domain.com.
It's not clear whether this means the root CA common name, the root CA common.domain.com, the common name of the CA that issued the device certs, the common name of the CA that issued the server certificate, or the latter two with the domain suffix.
Furthermore, does this need to match the certificate selected under Root certificate for server validation, or should I enter the common name of the CA that issued the server's cert in Certificate server names whilst selecting the root CA cert under Root certificate for server validation?
I'm about to eat my hand.... grrrr... :-D
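Added example, not code from the post, from Microsoft or from Apple: a small Python model of the server-trust check an EAP-TLS supplicant performs when it joins a Wi-Fi network. It takes the certificate chain presented by the RADIUS server, checks that the chain links to a root the administrator selected, and then checks the server certificate's own CN/DNS SAN names against a configured list of accepted server names with RFC 6125-style wildcard matching. The assumption built into the example (stated here, not confirmed by the thread) is that the two Intune fields map onto those two inputs: "Root certificate for server validation" is the trusted root and "Certificate server names" is the list matched against the RADIUS server's certificate, not against client device certificates. Certificate names ("Contoso Root CA", "radius.domain.com", "Evil CA") and the records themselves are constructed; signature and validity-period checks are left out of the model and noted in comments.

```python
"""Model of EAP-TLS server trust: chain to a selected root, then match the
server certificate's names against a configured server-name list.
Added, illustrative code; not Intune's or Apple's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject_cn: str
    issuer_cn: str
    dns_sans: tuple = ()
    is_ca: bool = False


def chains_to_trusted_root(chain, trusted_roots):
    """True when chain[0] (the RADIUS server's leaf) links, issuer by issuer,
    to one of the roots the administrator selected.

    This model only follows issuer names. A real supplicant also verifies each
    signature and validity period, so a rogue cert cannot simply claim a
    trusted issuer name; in this model the rogue fails because its issuer is
    not among the selected roots."""
    if not chain or chain[0].is_ca:
        return False
    roots = {r.subject_cn for r in trusted_roots}
    for i, cert in enumerate(chain):
        if cert.issuer_cn in roots:
            return True
        if i + 1 >= len(chain):
            return False  # chain ends before reaching a selected root
        nxt = chain[i + 1]
        if not nxt.is_ca or nxt.subject_cn != cert.issuer_cn:
            return False  # next cert is not the CA that issued this one
    return False


def name_matches(pattern, name):
    """RFC 6125-style comparison: case-insensitive, label by label, with '*'
    allowed only as the whole leftmost label and matching exactly one label
    (so '*.domain.com' matches 'radius.domain.com' but not 'domain.com')."""
    p = pattern.lower().split(".")
    n = name.lower().split(".")
    if len(p) != len(n) or "" in n:
        return False
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n


def server_name_ok(leaf, server_names):
    """Match the configured server names against the leaf's CN and DNS SANs.
    An empty list means no name restriction in this model: only the chain
    check applies."""
    if not server_names:
        return True
    names = [leaf.subject_cn, *leaf.dns_sans]
    return any(name_matches(pat, n) for pat in server_names for n in names)


def server_trusted(chain, trusted_roots, server_names):
    """Return (accepted, reason) for a RADIUS server presenting `chain`."""
    if not chains_to_trusted_root(chain, trusted_roots):
        return False, "server certificate does not chain to a selected root CA"
    if not server_name_ok(chain[0], server_names):
        return False, "server certificate name is not in the configured server names"
    return True, "ok"


# Constructed sample PKI: a root, an issuing CA, the RADIUS server's cert,
# and a rogue access point's cert with the same CN from an untrusted CA.
ROOT = Cert("Contoso Root CA", "Contoso Root CA", is_ca=True)
ISSUING = Cert("Contoso Issuing CA", "Contoso Root CA", is_ca=True)
RADIUS = Cert("radius.domain.com", "Contoso Issuing CA", dns_sans=("radius.domain.com",))
EVIL_CA = Cert("Evil CA", "Evil CA", is_ca=True)
ROGUE = Cert("radius.domain.com", "Evil CA", dns_sans=("radius.domain.com",))


def demo():
    """Run the cases the question raises and return them keyed by description."""
    good_chain = [RADIUS, ISSUING]
    return {
        "server FQDN listed": server_trusted(good_chain, [ROOT], ["radius.domain.com"]),
        "wildcard on the server's domain": server_trusted(good_chain, [ROOT], ["*.domain.com"]),
        "issuing CA's CN listed (not a server name)": server_trusted(good_chain, [ROOT], ["Contoso Issuing CA"]),
        "bare domain, wildcard does not cover it": server_trusted(good_chain, [ROOT], ["domain.com"]),
        "rogue AP, same CN, untrusted CA": server_trusted([ROGUE, EVIL_CA], [ROOT], ["radius.domain.com"]),
        "server omits the intermediate": server_trusted([RADIUS], [ROOT], ["radius.domain.com"]),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {case}: {reason}")
```

The case worth noticing is the third one: putting a CA's common name into the server-name list never matches, because that list is compared with the names on the server certificate, while the CA is identified by the root you select. The last case shows why a RADIUS server that does not send its intermediate fails the chain check unless the client already holds that intermediate.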
Hi, did you manage to make this approach work?
- Mar 26, 2019
alexander tikhomirov, ah, good point. I'm not deep enough into NPS; there might be a limitation here...
- alexander tikhomirov, Mar 26, 2019, Brass Contributor
Oliver Kieselbach, thanks for the article, but user-based certs are used in their solution:
"For a more immersive experience, machine certificates are preferred for use, subject to their availability in Intune"
- Mar 26, 2019
Hey alexander tikhomirov,
I don't think this is the case; AADJ can be used in this scenario. There are blogs out there showing successful implementations of this scenario, like this one: https://blog.auth360.net/2018/10/12/windows-10-password-less-azure-ad-join-microsoft-intune-and-windows-hello-for-business/
best,
Oliver
- SRoach, Mar 26, 2019, Brass Contributor
Incidentally, ours are iOS devices, so a somewhat different use case.
- SRoach, Mar 26, 2019, Brass Contributor
Our issue miraculously disappeared after having the case open (with no activity) with Microsoft for over a month.
However, it mysteriously resurfaced a few weeks ago. I've been dealing with other issues so haven't revisited it to investigate further but will do so once I have some availability and report back any findings.
- alexander tikhomirov, Mar 26, 2019, Brass Contributor
If I understand correctly, a Windows NPS server (as a RADIUS server) can't authenticate an Azure AD joined device to an access point even if a device-based cert was deployed to the client, because NPS can only check trust for domain-joined computers, not for devices that are only Azure AD joined.