Event banner
Event details
Is there a timeframe for adding SSL certificates as an option? To completely remove any onprem ca that would be needed for wifi/vpn cba?
In addition to the questions posted on this page, we also answer questions posted in reply to the event on LinkedIn and X (Twitter). Here are the questions we answered today:
From X -- How much PKI knowledge do I need to have to administer this? - answered at 8:55
From X -- Can I get rid of all my on-prem certificate servers? - answered at 21:40
From X -- This is going to make NDES servers obsolete I hope. What are your thoughts? - answered at 37:40
From LinkedIn -- Are there any hierarchical limitations in moving our CA to the cloud in Intune? - answered at 40:00
Question -- Will we be able to add the Certificate Authority to an Azure Key Vault, to be able to deploy certs to VMs, etc. easily and securely? - answered at 44:15
Question -- Besides SCEP, are there any other supported protocols or planned support? - answered at 45:40
Question -- How should silo’ed groups within IT orgs handle this feature? Usually Endpoint Managers handle Intune features, but what about those orgs that handle PKI through their security departments? Is there a new Entra role that can be delegated just for Cloud PKI? - answered at 50:00
Question -- Is Cloud PKI just CA (or Certificate Authority) as a service---or is it more than that? - answered at 52:30
That concludes today’s Tech Community Live: Microsoft Intune! Thanks for joining us, and we hope you enjoyed these sessions. If you missed the live broadcast, don’t worry – you can watch it on demand.
Stay up to date on the latest in Intune! Bookmark the Microsoft Intune Blog and follow MSIntune on X and LinkedIn. Want more tips, tricks, and insights from the experts? Tune in to new episodes of Unpacking Endpoint Management series each month here on the Tech Community.
- Does cloud PKI cause any conflict with exsisting NDES/SCEP infra or it can co-exisit.
natkimMicrosoft
Cloud PKI can co-exist with existing NDES/SCEP infrastructure.
- A few questions, that probably be on the mind of some: does it support an externally created, offline root CA? does it support custom EKUs? does it support custom templates? how does security works for enrollment, how do we limit who can request what certificates? what methods and protocols does it support for enrollment other than SCEP? can we issue certificates with custom properties similar to ADCS’ “supply in the request”, and how is that secured?
- EricTedjDoes it support an externally created, offline root CA?Does it support custom EKUs?
- Yes. Custom EKUs can be added to CAs during creation.
Does it support custom templates?- Cloud PKI does not use custom templates. All customization is done through the SCEP profile. See: Use SCEP certificate profiles with Microsoft Intune | Microsoft Learn
How does security works for enrollment, how do we limit who can request what certificates?- We utilize the SCEP protocol for certificate enrollment. The endpoint is secured so only those devices that have received SCEP enrollment requests through Intune will be able to receive certificates. When an Intune SCEP certificate profile is delivered to a device, Intune generates a custom challenge blob that it encrypts and signs. That challenge needs to be present in the request, or it will be rejected by the SCEP enrollment endpoint.
What methods and protocols does it support for enrollment other than SCEP?
- Certificate delivery for Cloud PKI is currently limited to SCEP certificates. If you are interested in seeing other scenarios supported in the future, please submit feedback to https://aka.ms/IntuneFeedback.
Can we issue certificates with custom properties similar to ADCS’ “supply in the request”, and how is that secured?
- Customization is currently limited to what can be done from within the SCEP profile. If there are additional properties you would like to be able to add to issued certificates, please give us feedback at https://aka.ms/IntuneFeedback
What CA templates are currently covered by the current release, apart from WebServer TLS and Code Signing?
- I think I have read that the Revocation list was still a CRL and not OCSP. Any reason why this option and not the other?
Hi, JF, thank you for your questions! For reference, the panel covered this one at around 47:55.
There should be both. OCSP is real-time, instead of CRL which could be at best near real-time.
- How do we manage issued certs (i.e. revocation)? Also, does the revocation list have a public endpoint?
- EricTedj
- You can monitor, view, and revoke certificates issued by Cloud PKI from within the Intune portal. For more details, visit: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-monitor
- Each CA created by Cloud PKI will have a URL to a public certificate revocation list (CRL)
Hi, Troy! For reference, the panel covered this question at around 43:02.
- What Azure services are currently integrated with Azure PKI ? Is there a roadmap for further integration with the rest of the services in Azure?
- e.g. Front Door, AKS, etc.
Thanks for participating in today's session of AMA: Microsoft Cloud PKI in Intune Suite! For reference, the panel covered your question at around 41:30.
- This is not answered at the indicated minute.
We're halfway through the last AMA for today! Keep your questions coming. Thanks!
