Utilize, configure, and manage Cloud PKI like a pro
Event details
Microsoft Cloud PKI in depth! Start with a tour of the significant improvements made to this Microsoft Intune Suite feature since its release in March 2024. We’ll then offer comprehensive guidance for several critical areas:
- Proper deletion of a certificate authority: Learn the essential steps to correctly delete a certificate authority, ensuring a smooth and error-free process.
- Microsoft NPS (RADIUS) configuration: Get expert advice on configuring Network Policy Server (NPS) when using Cloud PKI, including best practices and common pitfalls to avoid.
- Upcoming leaf certificate reporting improvements: Discover the new enhancements in leaf certificate reporting that will soon be released and understand how they can benefit your organization.
- SCEP certificate profile configuration: Gain insights into the common challenges and solutions when configuring a SCEP certificate profile so you can streamline your setup and avoid potential issues.
This session is designed for IT professionals and administrators who want to deepen their understanding of Cloud PKI and get up to date on the latest advancements. Don't miss this opportunity to enhance your skills and help ensure your organization's PKI infrastructure is optimized for success.
Speakers: Bill Calero, Jack Poehlman
This session is part of Microsoft Technical Takeoff: Windows and Intune.
39 Comments
- mhendel05 (Copper Contributor)
Are the CRL, AIA, and OCSP still publicly accessible over port 80? Or is 443 possible?
- Jack_Poehlman (Microsoft)
The CRL and AIA are published, per the standard, over HTTP on port 80. Currently OCSP is not published by Cloud PKI.
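To check the point Jack makes from the side that actually matters (the NPS server or client that has to fetch the CRL), here is an added PowerShell example; it is not part of the session or of this thread. It pulls the CDP and AIA URLs out of a certificate, confirms each one is plain HTTP on port 80 (the only scheme and port a firewall allow-list needs to pass for Cloud PKI, since no OCSP responder is published), and fetches each URL from the current host. The certificate path is a placeholder assumption.

```powershell
# Added example, not from the session: inspect a Cloud PKI-issued certificate's
# CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs and
# confirm they are reachable over plain HTTP/80 from this host.
# Assumption: a leaf or issuing CA certificate was exported to the path below.
$CertPath = '.\cloudpki-issued.cer'   # assumed path

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# OIDs: 2.5.29.31 = cRLDistributionPoints, 1.3.6.1.5.5.7.1.1 = authorityInfoAccess.
# Format($true) renders each location as a "URL=<uri>" line, which we harvest.
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}
if (-not $urls) { throw "No CDP or AIA URLs found in $CertPath" }

foreach ($u in $urls | Select-Object -Unique) {
    $uri = [System.Uri]$u
    # Cloud PKI publishes CDP/AIA over HTTP on port 80, so anything else here
    # means a proxy rewrite or a certificate that Cloud PKI did not issue.
    if ($uri.Scheme -ne 'http' -or $uri.Port -ne 80) {
        Write-Warning "$u is not plain HTTP/80; check proxy or allow-list rules"
    }
    try {
        # A GET of the CRL/CA cert is small; a failure here is what shows up as
        # "revocation check failed" on an NPS server doing EAP-TLS.
        $resp = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "{0,-3} {1,8} bytes  {2}" -f $resp.StatusCode, $resp.RawContentLength, $u
    } catch {
        Write-Warning "Cannot fetch $u from this host: $($_.Exception.Message)"
    }
}
```

Run it on the NPS server itself as well as on an endpoint: the two often sit behind different egress rules, and a CRL that the client can fetch but the RADIUS server cannot still fails authentication.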
- Tlou_K (Copper Contributor)
This was great. I have an AADJ device that can't connect to the domain WiFi. I have to rewatch the video and try the BYOCA deployment again.
- Max_Stein (Microsoft)
Thanks for taking the time to attend, and for your feedback - we're glad to hear it was helpful! As Alex and Bill mentioned below, feel free to give those two suggestions further review. If you need any further assistance and are active on social media, feel free to give our team a shout for further support with your deployment: aka.ms/IntuneSuppTeam.
- AlexandreI1340 (Copper Contributor)
AADJ devices are not in on-prem AD (by default). Depending on your RADIUS configuration you may decide to bring them on-prem, but they will arrive with their Azure Object ID instead of names (so you may decide to add that to the cert and instruct RADIUS to check for that).
- Bill Calero (Microsoft)
Also, please give the online docs a good read - https://aka.ms/cloudpkidocs
- Heather_Poulsen (Community Manager)
Thanks for joining today's session on "Utilize, configure, and manage Cloud PKI like a pro" at Microsoft Technical Takeoff. We're still here answering questions live until 10:30. Q&A will remain open through Friday, so keep your comments and questions coming! Up next: Skill up! Cloud PC management and reporting
- richardhicks (Copper Contributor)
You should build a cloud RADIUS solution too. ;)
- Bill Calero (Microsoft)
I would love to build a cloud RADIUS solution ... on my wish list :-)
- AlexandreI1340 (Copper Contributor)
Anything to do with the NTDS container?
- Jack_Poehlman (Microsoft)
The NTDS container holds the NTAuth certificates set with the PKIView.msc utility.
- richardhicks (Copper Contributor)
To clarify, only issuing CA certificates are required in the NTAuth store. Details here:
https://directaccess.richardhicks.com/2024/03/05/microsoft-intune-cloud-pki-and-active-directory/
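As an added example (not from the session, Jack's reply or Richard's post), the following PowerShell publishes the Cloud PKI chain into Active Directory the way Richard describes: the root CA goes to the Trusted Root container, the issuing CA goes to the intermediate container and to NTAuth, and the script then checks that only the issuing CA's thumbprint is present in the enterprise NTAuth store. The two .cer paths are placeholders for the certificates downloaded from the Intune admin center, and it assumes certutil is run by an account allowed to write to the Public Key Services container.

```powershell
# Added example, not from the session: publish the Cloud PKI CA certificates to AD
# and verify that NTAuth holds the issuing CA only.
# Assumptions: both certificates were exported from the Intune admin center to
# the placeholder paths below; certutil runs with rights to publish into AD.
$RootCaCer    = '.\CloudPKI-Root-CA.cer'      # assumed path
$IssuingCaCer = '.\CloudPKI-Issuing-CA.cer'   # assumed path

# Root CA -> Trusted Root Certification Authorities container (chain trust only).
certutil -dspublish -f $RootCaCer RootCA

# Issuing CA -> intermediate container (chain building) and NTAuth (the store that
# authorizes a CA to issue certificates accepted for domain logon, e.g. by NPS).
certutil -dspublish -f $IssuingCaCer SubCA
certutil -dspublish -f $IssuingCaCer NTAuthCA

# Verify: dump the enterprise NTAuth store and look for each thumbprint. Older
# certutil builds print the hash with spaces between bytes, so strip whitespace.
$root    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCaCer)
$issuing = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IssuingCaCer)
$ntauth  = (certutil -store -enterprise NTAuth | Out-String) -replace '\s', ''

if ($ntauth -match $issuing.Thumbprint) {
    "OK: issuing CA $($issuing.Subject) is in NTAuth"
} else {
    Write-Warning "Issuing CA is missing from NTAuth; domain logon with its certs will fail"
}
if ($ntauth -match $root.Thumbprint) {
    Write-Warning "Root CA is in NTAuth; not required, remove it to keep the store minimal"
} else {
    "OK: root CA is not in NTAuth"
}
```

Domain members copy the AD NTAuth store into their local registry during autoenrollment, so run `certutil -pulse` on the NPS server (or wait for the next Group Policy refresh) before testing EAP-TLS against the new CA.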
- AlexandreI1340 (Copper Contributor)
Why can't we use device write-back for Entra ID-joined devices?
- Jack_Poehlman (Microsoft)
We'd love to hear specifically what you are looking for in this scenario. Please let us know at aka.ms/IntuneFeedback
- AlexandreI1340 (Copper Contributor)
Greenfield really depends on the certificate usage you need (for example, SSL certs).
- Jack_Poehlman (Microsoft)
No disagreement.
- ucbryanweaver (Copper Contributor)
If we have an ADCS on premise, would it be best to first implement BYOCA and then implement the Intune CA if we are wanting to retire the BYOCA?
- Jack_Poehlman (Microsoft)
ucbryanweaver, yes, you could absolutely take the approach of first using BYOCA as a sort of bridge as you move from on-premises to cloud only, and later move to cloud-based root and issuing CAs.
- AlexandreI1340 (Copper Contributor)
Are there any other selling points other than "offload load from the on-prem CA and HSM backend"? It looks like a properly configured on-prem CA (with NDES and a published CRL) is more flexible and does not need additional charges. I guess in a mixed environment ADCS only is a no-brainer.
- Bill Calero (Microsoft)
TBH, these are great selling points... An HSM is expensive and challenging to configure and maintain on-prem ... the NDES RA certs below do not autorenew - requiring manual admin intervention, often leading to an outage ... so yeah, these are great selling points :-)
  - CEP Encryption
  - Exchange Enrollment Agent (Offline request)
- richardhicks (Copper Contributor)
NDES certificates can be configured to automatically renew, if needed. :)
- AlexandreI1340 (Copper Contributor)
The URI for the SID does not have a schema and column (which is a must)?
- Jack_Poehlman (Microsoft)
Please reference the Intune Customer Success blog article "Support tip: Implementing strong mapping in Microsoft Intune certificates" on Microsoft Community Hub. You need to define the URI with {{OnPremisesSecurityIdentifier}}; Intune will handle the proper schema delivery.
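An added PowerShell check, not from the session or the linked blog post, for verifying what Intune actually delivered: it reads the SAN of a certificate issued from a profile that carries the {{OnPremisesSecurityIdentifier}} URI, confirms the entry uses the strong-mapping scheme (tag:microsoft.com,2022-09-14:sid:<SID>, the format introduced with the KB5014754 certificate-mapping changes), and compares the embedded SID with the user's objectSid in AD. The certificate path and account name are placeholders, and the Get-ADUser call assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the session: confirm a Cloud PKI leaf certificate carries
# the strong-mapping SID URI and that it matches the account in on-prem AD.
# Assumptions: the issued cert was exported to the placeholder path below, the
# placeholder account exists, and the ActiveDirectory module is available.
$CertPath       = '.\issued-user-cert.cer'   # assumed path
$SamAccountName = 'jdoe'                     # assumed account

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $san) { throw "Certificate $CertPath has no SAN extension" }

# Format($true) renders URI entries as "URL=<uri>" lines; collect them all.
$uris = [regex]::Matches($san.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# Strong mapping requires the full scheme and a SID that is a real SID, not a GUID or name.
$sidUriPattern = '^tag:microsoft\.com,2022-09-14:sid:(S-1-[\d-]+)$'
$match = $uris | ForEach-Object { [regex]::Match($_, $sidUriPattern) } | Where-Object { $_.Success } | Select-Object -First 1
if (-not $match) {
    throw "No strong-mapping SID URI in SAN. URIs present: $($uris -join ', ')"
}
$certSid = $match.Groups[1].Value

# Compare with the directory; a mismatch means the profile resolved the wrong
# attribute (or the user was re-created on-prem) and KDC/NPS mapping will fail.
$adSid = (Get-ADUser -Identity $SamAccountName).SID.Value
if ($certSid -eq $adSid) {
    "OK: SAN SID URI matches $SamAccountName ($adSid)"
} else {
    Write-Warning "Mismatch: certificate SID $certSid, AD SID for $SamAccountName is $adSid"
}
```

If the SAN only contains a UPN or the bare SID string without the tag: scheme, the profile variable was not applied as the URI value; re-check the SAN attribute type in the SCEP profile rather than editing the certificate.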