Coming to the Microsoft Intune Suite - Microsoft Cloud PKI!
Wednesday, Nov 29, 2023, 09:00 AM PST
A cloud-based public key infrastructure (PKI) service, Microsoft Cloud PKI will handle all aspects of the certificate lifecycle for Intune managed devices. It adheres to PKI industry standards and is simple to set up and manage. No on-premises servers to deploy or manage, no certificate connectors, no firewalls or proxies. We handle all the complexities, standing up a PKI in a matter of minutes. Come see how it all works!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Char_Cheesman
Updated Dec 27, 2024
- Mika_Seitsonen
Brass Contributor
A few more questions:
- I assume Elliptic Curve algorithms are not supported?
- If you are going to support user certificates for authentication, will Microsoft Entra CBA be supported?
- Are SCEP (template) profiles shared between all issuing CAs or is it determined by Root Certificate within SCEP Profile?
- What type of backup & recovery will be supported?
- Is CDP highly available? Is it using an Azure Web App?
- What type of automation is supported for Cloud PKI provisioning (ARM template, Bicep files, Terraform)?
- In addition to the Intune Portal, which management methods are supported for managing Cloud PKI? Microsoft Graph REST API / PowerShell / CLI? If PowerShell (Graph SDK), will cmdlets be included in the Microsoft.Graph.Intune module?
- Mike22April
Brass Contributor
Will Intune PKI support the issuance of S/MIME certificates and corresponding private keys to all registered Intune users?
Would issuing S/MIME still require the Intune PFX connector to safeguard private keys before the PFX gets sent to Intune?
Can Intune PKI issue certificates using modern certificate management protocols such as ACME and CMPv2?
Will Intune PKI support TPM and HSM key attestation?
How can custom OIDs be configured? With PQC on the horizon, will Intune PKI support PQC algorithms?
Generating the Root and Issuing CA seems simple enough; how is AIA configured?
- Bill Calero
Microsoft
Hi Michael, S/MIME encryption certs are something we are investigating, but will not be available at GA. S/MIME signature certs can be issued using Cloud PKI. If we do provide support for S/MIME encryption certs, then the PFX connector will not be required. ACME and CMP are protocols we are investigating, but are not available when we GA. TPM and HSM attestation ... can you provide more detail here? If you are referring to the ability to issue a Windows Hello for Business cert then, yes, you should be able to issue these to Windows. By chance, are you referring to attestation in general, like using Azure Device Health Attestation or Microsoft Azure Attestation - https://learn.microsoft.com/en-us/windows-server/security/device-health-attestation ... then these are 2 separate topics. Yes, OIDs will be configurable and required; the UI in the demo is not the final GA version, but an early implementation. The AIA will be auto configured; again, the UI in the demo is not the final GA version.
- Mike22April
Brass Contributor
Bill, thanks! Ref key attestation, I'm referring to https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation, i.e. the ability to prove within an issued PKI certificate that the private key got generated on a trusted TPM or HSM. It requires the PKI to enforce verification of the used HSM or TPM depending on the configured trust model.
- Florian_R83
Copper Contributor
There may be a problem with the CRL - not all on-prem systems that have to cope with the user certs (what you called relying parties in the video) necessarily have access to the internet. Is there a way to customize the CRL URL, e.g. to an own domain with a split-brain config that works internally and externally with different targets? Or any other built-in ideas for that problem?
- Bill Calero
Microsoft
Hi Florian, it's a good ask, and one I've heard from other customers ... it's something we are investigating, but not for GA.
- Florian_R83
Copper Contributor
Are there any plans to include Templates for this cloud PKI? Since there's not really any effort to create / manage an individual PKI, it would not be a problem if every issuing CA can only issue one template (especially since this is what SCEP can do, it only can issue one template per SCEP), but if we could have more settings by just using different templates per CA, this would help for future usages.
- It was disappointing to see that managing Code Signing Certs is stilllllllll not on a GA list...
- Paul_Woodward
Iron Contributor
You imply phase 1 is essentially incomplete. What are the timings for phase 1 GA, and then when can we expect phase 2?
- Bill Calero
Microsoft
Phase 1 GA is scheduled for March 2024. After we GA, we plan on releasing updated roadmap details for phase 2.
- Mike22April
Brass Contributor
And what's the scope of phase 2?
- Char_Cheesman
Bronze Contributor
Thanks for joining us! We hope you enjoyed this session. If you missed the live broadcast, don’t worry – you can watch it on demand. And we’ll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Technical Takeoff! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!
- Nigel
Iron Contributor
How does the licensing work - per user, admin and user?
- DaveChomas
Microsoft
It is $2 per user per month - read more here: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/microsoft-cloud-pki-launches-as-a-new-addition-to-the-microsoft/ba-p/3982830
- Florian_R83
Copper Contributor
Is the license needed only for users that really have at least one active (non-revoked, non-expired) cert there? Or is it based on some other plan, e.g. we need to assign the license to everyone with a specific E-plan license?
- Jay Michaud
Iron Contributor
Will this service work for macOS devices managed by Jamf Pro + Intune?
- Bill Calero
Microsoft
Hi Jay, we can support issuing SCEP certs to macOS, but not if the Mac is being managed by Jamf Pro.
- SurpriseExpectations
Copper Contributor
On this same line, please let me know if it'll work with Mosyle + Intune.
- Paul_Woodward
Iron Contributor
To be clear, can we deliver device certs to Intune devices without any on-prem infrastructure? Let's say in a lab. I'm confused about when we need SSL certs, and when we don't.
- Bill Calero
Microsoft
Hi Paul, yes, you will be able to issue a certificate to a device managed by Intune and supporting the SCEP profile; no on-prem infra will be required. The cert can be used for cert based auth (WiFi, VPN, WHfB, web apps) scenarios. However, in phase 1 we don't support issuing SSL certs ... and when any device connects over TLS/SSL an SSL cert is required.
- Manny Baker
Copper Contributor
If using Device certificates (not user certificates), how does the licensing cost work?