Coming to the Microsoft Intune Suite - Microsoft Cloud PKI!
Event details
Microsoft Cloud PKI is a cloud-based public key infrastructure (PKI) service that will handle all aspects of the certificate lifecycle for Intune managed devices. It adheres to PKI industry standards and is simple to set up and manage: no on-premises servers to deploy or maintain, no certificate connectors, no firewalls or proxies. We handle all the complexities, standing up a PKI in a matter of minutes. Come see how it all works!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
69 Comments
- KalimanneJ (Iron Contributor): Is this ONLY for Intune clients? If we still need an on-prem PKI to issue SSL certs to internal servers, and this would be separate from that, then I'm not sure this makes sense.
- artem1982 (Copper Contributor): Then you can still use a 3rd party like SCEPman (price actually the same or cheaper per user, but it is 3rd party).
- Jay Michaud (Iron Contributor): Code signing is mentioned on the "What's Next" slide. Is there any relationship between that future offering and the Azure Code Signing service that is in private preview? What are the differences, and how should customers choose between these service offerings?
- Bill Calero (Microsoft): Hi Jay, no there is no relationship between the 2.
- MBisme (Copper Contributor): What are the licensing requirements/minimums? For users, do they require an A3/E3 or higher? In edu we have a split between A3 and A1 users. Are devices required to be enrolled or managed? Also, for non-Intune-joinable devices (e.g. on-prem servers), is a separate environment still required (Azure or on-prem) for on-prem SQL or other apps?
- chriss3nt (Copper Contributor): Is it possible to use an HSM or Azure Key Vault to store the CA private keys?
- Bill Calero (Microsoft): Hi Christoffer, we use Azure Managed HSM to store the CA private keys.
- Florian_R83 (Copper Contributor): Does that mean that's already the default for all CAs? Or is this some optional feature with extra pricing? Thanks!
- chriss3nt (Copper Contributor): Is there an option to force publish a new CRL immediately?
- Florian_R83 (Copper Contributor): And what is the base interval at which root and issuing CAs issue new CRLs? (aka when do revocations take effect?)
- JoeH45 (Iron Contributor): I was scratching my head about that one too. Is it normal to only publish CRLs once a week?
- SurpriseExpectations (Copper Contributor): Certificate revoking must be done as rapidly as possible. The weekly cadence here likely means that the current PKI solution won't meet SOC2 or other audit requirements.
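The thread above asks when a revocation actually takes effect under a weekly CRL cadence. The added example below (not from the page, the event, or Microsoft) reads the human-readable output of `openssl crl -in issuing.crl -noout -text`, computes the window between Last Update and Next Update (the longest a relying party may cache the CRL, so the worst-case revocation latency), and compares it against a policy maximum. The sample CRL text is constructed and the 24-hour policy value is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl crl -noout -text` output (not a real CRL).
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Last Update: Nov  7 18:00:00 2023 GMT
        Next Update: Nov 14 18:00:00 2023 GMT
Revoked Certificates:
    Serial Number: 1A2B3C
        Revocation Date: Nov  6 12:00:00 2023 GMT
    Serial Number: 4D5E6F
        Revocation Date: Nov  7 09:30:00 2023 GMT
"""

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # strptime tolerates the double space


def _parse_openssl_date(text: str, label: str) -> datetime:
    match = re.search(rf"{label}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not match:
        raise ValueError(f"missing '{label}' line in CRL text")
    return datetime.strptime(match.group(1), _DATE_FMT).replace(tzinfo=timezone.utc)


def analyze_crl_text(crl_text: str, max_latency_hours: float = 24.0) -> dict:
    """Summarise CRL freshness against a maximum acceptable revocation latency.

    A relying party that caches the CRL until Next Update may keep honouring a
    certificate revoked just after Last Update for the whole window, so the
    window length is the worst-case time for a revocation to take effect.
    """
    last_update = _parse_openssl_date(crl_text, "Last Update")
    next_update = _parse_openssl_date(crl_text, "Next Update")
    window_hours = (next_update - last_update).total_seconds() / 3600
    revoked = re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)
    return {
        "last_update": last_update,
        "next_update": next_update,
        "window_hours": window_hours,
        "worst_case_latency_ok": window_hours <= max_latency_hours,
        "revoked_serials": revoked,
    }


if __name__ == "__main__":
    result = analyze_crl_text(SAMPLE_CRL_TEXT)
    print(f"CRL window: {result['window_hours']:.0f} h, "
          f"within 24 h policy: {result['worst_case_latency_ok']}")
```

A shorter window alone does not help if clients do not refetch the CRL (or use OCSP) promptly, so pair this check with the revocation-checking behaviour of the relying parties that consume the certificates.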
- Jacob_V (Brass Contributor): Is there an expiration experience like when creating a new Issuing CA, or does it automatically update its certs between root and issuer?
- Mika_Seitsonen (Brass Contributor): Is 10 years the maximum validity period for the Root CA certificate? How are we going to renew CA certs?
- Bill Calero (Microsoft): Hi Mika, the 10 yr validity period is outdated, I believe at GA it will be 30 yrs ... For renewing the CA, there will be a renew button .. not shown in the demo.
- Mika_Seitsonen (Brass Contributor): Did I understand it correctly, that Azure Key Vault can be used for storing CA key pairs, especially private keys ("BYOK")?
- Bill Calero (Microsoft): Azure Managed HSM is used for storing the CA key pairs, including the BYOCA issuing CA. BYOK (Bring Your Own Keys) is not supported currently.
- Char_Cheesman (Bronze Contributor): Welcome to Coming to the Microsoft Intune Suite - Microsoft Cloud PKI! and the second annual Microsoft Technical Takeoff for Windows + Intune! Have a question? Post here in the Comments so we can help. Let's make this an active Q&A!
- SurpriseExpectations (Copper Contributor): What is the added cost, per user, for adding PKI? I see this as a core feature, something missing from the platform, and worry that the addition of cost for this will be a barrier for many. Please, tell me this is included with the commonly purchased O365 M3 with Entra ID P1 (Azure AD P1). If there is added cost, I'm more likely to use PacketFence or another open source solution than see my per-user costs pushed over $40 a seat. I am very excited for this offering, but worry that pricing will make it a miss for consumers. I feel we already pay enough for MS services that PKI needs to be included at the M3 level or above. Please.... tell me it is. 🙂
- Mike22April (Brass Contributor): reposted
- abergz (Copper Contributor): I'm looking to use this in a K-12 Education environment. Are there any plans to allow managed Chromebook devices to enroll in the PKI now that you can see them in Intune? Our younger users often have Chromebooks, and allowing them to enroll with a user/device certificate would allow us to turn on MFA for those users.
- Bill Calero (Microsoft): Hi Aaron, Cloud PKI uses the Intune SCEP profile to issue certs .... Intune does not support this capability for Chromebooks today.
- SurpriseExpectations (Copper Contributor): Bill, thank you for this reply. It's to the point and accurate. Is there a plan to better support Chromebooks in the future? As a parent with kids who operate Chromebooks in the K-12 environments, and the constant attacks they face, our educational systems would benefit from a strong focus on supporting the Chromebooks. If this is not a priority on the roadmap, please consider discussing this with your teams to determine if MS can be first to bring the missing value to K-12 systems, and help better secure some of our most attacked, and most vulnerable, users.