Heather_Poulsen
Updated Dec 27, 2024
Andrew_Beard, Jun 04, 2024 (Copper Contributor)
Hi - I am interested in deploying the Cloud PKI infrastructure for Intune to a customer who uses cloud-only Windows devices but wishes to authenticate their Wi-Fi and VPN using certificates from the computers and users.
https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-deployment
The VPN accesses a few servers in an AzureAD DS or in a legacy AD lifted to run on Azure cloud machines. They have no legacy Certificate Authority and, as a small company of between 20 and 50 users and client workstations, cannot afford third-party RADIUS solutions, which are all I find when searching the web for practical step-by-step implementation instructions like this one from Oliver Kieselbach: https://oliverkieselbach.com/2024/03/04/how-to-configure-cloud-pki-certificate-based-wifi-with-intune/
My issue: when reading through the Microsoft learning documentation, I find that it says another separate PKI or CA service is needed (or a certificate from the third-party RADIUS service?). I thought that was the whole point of the Cloud PKI service - not to have to have another one?
"When connecting to a relying party such as a Wi-Fi access point or VPN server, an SSL/TLS connection is first established by the managed Intune device when attempting to connect. Microsoft Cloud PKI doesn't provide these TLS/SSL certificates. You must obtain these certificates through another PKI or CA service."
From: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-deployment#ensure-chain-of-trust
Can you help me with this, as I don't understand why the Cloud PKI alone would not be sufficient to provide the root and intermediate certs, exported and uploaded to the VPN gateway/firewall and the network access point controllers for Wi-Fi, when combined perhaps with the Microsoft cloud NPS extension service? But then again, that also needs an on-prem AD with a RADIUS server and presumably a CA server? https://learn.microsoft.com/en-us/entra/architecture/auth-radius
I am happy to use SAML and SSO in Entra for the VPN which may negate the requirement for RADIUS and NPS, but how would that work for Wi-Fi? Is that also possible?
Jason_Sandys (Microsoft), Jun 05, 2024
Hi Andrew. The crux of the limitation here is that the current Cloud PKI offering in Intune is for issuing certs to managed devices only. VPNs and WAPs typically require their own SSL/TLS cert to establish the secure connection with the client, but since these are not Intune-manageable devices, Cloud PKI cannot be used to issue certs to them. Note that a service-side cert is required to establish the secure channel -- a client-side cert cannot be used for this. We are aware of these types of scenarios (there are others), but they were not part of the initial scope for the solution; they are something we've discussed investigating, but there's nothing to share about this today.
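As an added example (not from this thread and not Microsoft's code), the following OpenSSL script shows the distinction the reply makes: a leaf certificate issued for client authentication, like the device certs Cloud PKI issues, is not accepted for the server side of the TLS tunnel that a RADIUS or VPN gateway has to establish, so the gateway's cert must come from a CA that issues server-auth certs. CA labels, subject names and file paths are assumptions constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a CA that only issues client-auth leaves (standing in for the
# Intune Cloud PKI issuing CA) versus a separate CA issuing the server-auth cert a
# RADIUS/VPN gateway presents. All names, CNs and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config so the script does not depend on a system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# issue_chain LABEL EKU LEAF_CN: create a self-signed CA and one leaf signed by it
# whose extendedKeyUsage is EKU (clientAuth or serverAuth).
issue_chain() {
  ca="$WORK/$1-ca"; leaf="$WORK/$1-leaf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca.key" -out "$ca.pem" \
    -subj "/CN=$1 root" -days 30 -config "$WORK/openssl.cnf" -extensions v3_ca \
    >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$leaf.key" -out "$leaf.csr" \
    -subj "/CN=$3" -config "$WORK/openssl.cnf" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$2" "$3" > "$leaf.ext"
  openssl x509 -req -in "$leaf.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
    -out "$leaf.pem" -days 30 -extfile "$leaf.ext" >/dev/null 2>&1
}

# usable_for LABEL PURPOSE: succeed only if the leaf chains to its CA and OpenSSL
# accepts it for PURPOSE (sslclient = device side, sslserver = gateway side).
usable_for() {
  openssl verify -CAfile "$WORK/$1-ca.pem" -purpose "$2" "$WORK/$1-leaf.pem" \
    >/dev/null 2>&1
}

# Stand-alone demo: device cert from the "cloudpki" CA vs. gateway cert from a
# separate server-auth CA. Only the gateway CA's leaf passes the sslserver check.
report() { if usable_for "$1" "$2"; then echo "$1 leaf: usable for $2"; else echo "$1 leaf: NOT usable for $2"; fi; }
issue_chain cloudpki clientAuth LAPTOP-01
issue_chain gatewayca serverAuth radius.example.test
report cloudpki sslclient
report cloudpki sslserver
report gatewayca sslserver
```

The same `openssl verify -purpose sslserver` check against the exported Cloud PKI root is a quick way to confirm whether a cert a gateway is about to present will actually be accepted for the tunnel.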