New Intune Cloud PKI Architecture and Features

Let’s discuss the new Intune Cloud PKI architecture and features. Microsoft plans to release this feature by February 2024. Bill Calero’s Microsoft take-off session explained the Intune Cloud PKI architecture and features in more detail.

Intune Cloud PKI (public key infrastructure) is a new cloud-based SaaS service offered by Microsoft. Maintaining on-prem PKI infrastructure is complex, and customers have long wanted a PKI solution in the cloud. Cloud PKI will be part of the Intune Suite and will also be available as a standalone offering, so you can get it through the suite or on its own.

This is a comprehensive solution for endpoint management and security: every aspect of the certificate lifecycle for devices, such as issuing, renewing, revoking, and expiring certificates, is administered from Intune.

With Intune Cloud PKI, you can eliminate many of the on-prem infrastructure components currently needed to deliver certificates to Intune-managed devices, such as the NDES server, Azure AD Application Proxy, and a number of on-premises CA workloads.


Benefits of Cloud PKI Service

Let’s quickly look at the benefits of the Intune Cloud PKI service provided by Microsoft. You can remove many workloads from your on-premises infrastructure. Check the list below for more information.

  • No NDES deployments
    • No servers to procure, no change control, etc.
  • No reverse proxy (Azure AD Application Proxy or other)
    • No poking holes in network firewall rules
  • Reduced on-premises CA load and operations
    • Smaller CA database
  • Less maintenance
    • Literally, stand up a working CA in the cloud in less than 5 minutes

New Intune Cloud PKI Architecture and Features

A new cloud-based service for public key infrastructure (PKI) called Microsoft Cloud PKI will be included in the Microsoft Intune Suite, an all-inclusive system for managing and protecting devices. You can get it through the suite or as a standalone offering.

Other features of Microsoft integrated value in the Intune Suite:

  • Remote Help
  • Tunnel for Mobile Application Management
  • Endpoint Privilege Management
  • Advanced Endpoint Analytics
  • Cloud PKI
  • Advanced App Management

New Intune Cloud PKI Architecture and Features – Table 1
New Intune Cloud PKI Architecture and Features – Fig. 1 Creds to Bill Calero, Microsoft

This is the hero scenario: many customers have been asking Microsoft for a cloud-based PKI solution in Intune for years. Microsoft Cloud PKI can help customers reduce the cost and complexity of managing certificates for their devices and users.

It lets you set up a PKI in minutes instead of weeks or months and removes the need for on-premises servers, connectors, proxies, and firewall changes. It also brings some other benefits and simplifications.

New Intune Cloud PKI Architecture and Features – Fig. 2 Creds to Bill Calero, Microsoft

Features of Intune Cloud PKI

At a high level, you will be able to issue certificates to Intune-managed devices and manage the certificates you have issued. Certificates are deployed automatically, are automatically revoked when a device is retired, and can also be revoked manually by IT pros or admins when needed. There are monitoring and reporting capabilities as well. The primary use case is certificate-based authentication scenarios such as Wi-Fi, VPN, Windows Hello for Business (WHfB), and other applications.

High-level feature and its role:

  • Issue certificates for Intune-managed devices: provides a certificate registration authority (SCEP) that deploys certificates automatically
  • Manage issued certificates: supports automatic and manual certificate revocation, and removes the certificate from the device on delete, retire, or wipe
  • Monitoring and reporting: detailed reports for issued certificates (users, devices, policy)
  • Certificate-based authentication: supports the current scenarios, Wi-Fi, VPN, and WHfB

New Intune Cloud PKI Architecture and Features – Table 2
New Intune Cloud PKI Architecture and Features – Fig. 3 Creds to Bill Calero, Microsoft

You can bring your own certificate authority (CA), anchor the cloud issuing CA to your private CA, and support multiple tiers in your PKI hierarchy. The service uses RSA for signing and encryption with key sizes of 2048, 3072, or 4096 bits and the SHA-256, SHA-384, or SHA-512 hash algorithms, which are stronger than the 1024-bit keys and SHA-1 hashes still found in some older on-prem PKIs.

A cloud certificate registration authority (CRA) supports the SCEP protocol and removes the need for an NDES server, connectors, proxies, or firewall changes. You can issue and manage SCEP-based certificates for your devices and support the current platforms and scenarios that use certificate-based authentication (CBA).

  • You can monitor and review the certificate status and actions on the CA
  • You can manage Cloud PKI permissions and roles, such as CA actions and certificate revocation
  • You can use scope tags to limit what different admins can see and do across multiple PKIs and business units

Cloud PKI Features

Let’s look at the Cloud PKI features planned for the 1 February 2024 release. Thanks to Bill for making this presentation available with all the details. Version 1 of the Microsoft Cloud PKI solution ships with RBAC permissions and scope tags.

Create Certification Authorities per Intune tenant

  • Create a 2-tier PKI hierarchy: Root, Issuing CA in the cloud
  • Support Bring Your Own CA (BYOCA)
    • Anchor Intune Issuing CA to a Private CA.
    • Private CA N+ Tier support
  • Signing and Encryption Algorithms: RSA
    • RSA Key sizes: 2048, 3072, 4096
  • Hash Algorithms – SHA-256, SHA-384, SHA-512
  • Providing a Cloud Certificate Registration Authority (SCEP) service per issuing CA
  • CRL – distribution points

End-entity (Leaf) certificate issuance

  • Protocol/certificate format: SCEP (PKCS#7)
  • Platforms: Intune MDM enrolled devices supporting SCEP configuration profile.

Certificate life-cycle management

  • Cert – Issue, renew, revoke (manual and automatic)

Reporting/Dashboard of Cloud PKI

  • Issuing CA summary (issued, expired, revoked).
  • Detailed issued certificates.

Audit options for Intune Cloud PKI SaaS solution

  • Admin actions performed (e.g., create, disable, delete, renew, revoke)
New Intune Cloud PKI Architecture and Features – Fig. 4 Creds to Bill Calero, Microsoft

Architecture and Flow

In the architecture and flow, an Intune administrator (a global admin, an Intune admin, a CA admin, or a custom role) creates a CA in the cloud. The CA can be a root CA, an intermediate CA, or an issuing CA that is anchored to an on-premises CA (the BYOCA scenario).

An admin with the correct privileges sets up and assigns the device or user certificate profiles. The device receives the SCEP (Simple Certificate Enrollment Protocol) profile, generates a key pair locally, and builds a CSR to request a certificate. The private key never leaves the device, which is why this is more secure than a PFX (PKCS #12) profile, where the key is generated outside the device and delivered to it. The cloud SCEP validation service checks the CSR values against the SCEP profile and against Azure AD or Intune.

  • The cloud CA signs and sends the certificate to the device if the CSR values match
  • The certificate lifecycle, including issuing, renewing, and revoking, is monitored and reported by Intune
  • Any actions on the CA, such as creating, stopping, pausing, or deleting, are audited and logged by Intune
New Intune Cloud PKI Architecture and Features – Fig. 5 Creds to Bill Calero, Microsoft

This cloud service takes over the role of your on-prem CA for issuing certificates to your devices, so you no longer need an NDES server, a certificate connector, or any proxy or firewall configuration for this. The architecture and data flow for Intune Cloud PKI is as follows.

  1. The device checks in with the Device Check-in service
  2. The device requests a certificate from the SCEP service
  3. The SCEP Validation Service validates the request against the profile
  4. The request to issue the certificate goes to the Cloud PKI services (built on Azure services)
  5. The SCEP service delivers the signed certificate to the device
New Intune Cloud PKI Architecture and Features – Fig. 6 Creds to Bill Calero, Microsoft
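The flow above ends with a signed certificate sitting on the device, and the feature lists earlier on the page promise RSA 2048/3072/4096 keys, SHA-256 or stronger hashes, CRL distribution points, and automatic revocation on retire or wipe. The PowerShell below is an added example, not code from the original post or from Microsoft, that checks those properties from the device side: it finds certificates issued by your Cloud PKI issuing CA, reports key size, signature hash, where the private key lives and whether it is exportable, builds the chain with online revocation checking, and can download the CRL from the CDP to confirm a retired device's serial number is listed. The issuing CA name in $IssuerPattern is a hypothetical placeholder you must replace; the script assumes Windows PowerShell 5.1 or later, an elevated session so machine-store keys are readable, and certutil.exe (built into Windows) for parsing the CRL.

```powershell
# Added example (not from the original post or Microsoft): audit Cloud PKI certificates
# delivered to this device through an Intune SCEP profile.
# Assumptions: $IssuerPattern (hypothetical) matches your issuing CA's subject;
# elevated Windows PowerShell 5.1+; certutil.exe available (built into Windows).

function Get-CloudPkiIssuedCert {
    param([string]$IssuerPattern = 'Contoso Cloud PKI Issuing CA')  # assumption, change to yours

    $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -match [regex]::Escape($IssuerPattern) } |
        ForEach-Object {
            $cert = $_

            # Public key size: Cloud PKI issues RSA 2048, 3072 or 4096; below 2048 is weak.
            $rsaPub  = $rsaExt::GetRSAPublicKey($cert)
            $keySize = if ($rsaPub) { $rsaPub.KeySize } else { 0 }
            $sigAlg  = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA, sha384RSA or sha512RSA

            # Private key provider and export policy. A key generated on the device for the
            # SCEP CSR should be non-exportable (ExportPolicy 'None'), ideally TPM-backed
            # ('Microsoft Platform Crypto Provider'); a PFX profile cannot give you that.
            $provider = 'unknown'; $export = 'unknown'
            try {
                $rsaPriv = $rsaExt::GetRSAPrivateKey($cert)
                if ($rsaPriv -is [System.Security.Cryptography.RSACng]) {
                    $provider = $rsaPriv.Key.Provider.Provider
                    $export   = $rsaPriv.Key.ExportPolicy.ToString()
                }
            } catch { }

            # Build the chain with online revocation checking, which exercises the CDP.
            # A 2-tier hierarchy yields three elements: leaf, issuing CA, root CA.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chainOk = $chain.Build($cert)
            $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $depth   = $chain.ChainElements.Count

            # CRL distribution point URLs from extension OID 2.5.29.31.
            $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
            $cdpUrls = @()
            if ($cdpExt) {
                $cdpUrls = @([regex]::Matches($cdpExt.Format($true), 'URL=(https?://\S+)') |
                    ForEach-Object { $_.Groups[1].Value })
            }

            [pscustomobject]@{
                Subject      = $cert.Subject
                SerialNumber = $cert.SerialNumber
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                KeySize      = $keySize
                SignatureAlg = $sigAlg
                KeyProvider  = $provider
                ExportPolicy = $export
                ChainBuilds  = $chainOk
                ChainStatus  = $status
                ChainDepth   = $depth
                CdpUrls      = $cdpUrls
                Weak         = ($keySize -lt 2048 -or $sigAlg -match 'sha1|md5')
            }
        }
}

function Test-SerialInCrl {
    # Download the CRL from a CDP URL and report whether a serial number is listed.
    # Run this after retiring or wiping a device to confirm its certificate was revoked.
    param(
        [Parameter(Mandatory)][string]$CrlUrl,
        [Parameter(Mandatory)][string]$SerialNumber
    )
    $tmp = Join-Path $env:TEMP ('cloudpki-{0}.crl' -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $CrlUrl -OutFile $tmp -UseBasicParsing
        # certutil -dump prints one 'Serial Number: <hex>' line per revoked entry.
        $dump    = certutil.exe -dump $tmp | Out-String
        $revoked = [regex]::Matches($dump, 'Serial Number:\s*([0-9a-fA-F]+)') |
            ForEach-Object { $_.Groups[1].Value }
        return [bool]($revoked | Where-Object { $_ -ieq $SerialNumber })
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Usage: list issued certificates, then check each one's serial against its CRL.
$issued = Get-CloudPkiIssuedCert
$issued | Format-List
foreach ($c in $issued | Where-Object { $_.CdpUrls.Count -gt 0 }) {
    '{0}: revoked in CRL = {1}' -f $c.Thumbprint, (Test-SerialInCrl -CrlUrl $c.CdpUrls[0] -SerialNumber $c.SerialNumber)
}
```

Two things to read off the output. ExportPolicy should be None and KeyProvider should be the platform (TPM) provider if the SCEP profile was configured with a TPM key storage provider; an exportable software key is the same weakness a PFX profile has, just generated in a different place. ChainBuilds with an empty ChainStatus means the device can reach the issuing CA, the root, and the CRL; a RevocationStatusUnknown or OfflineRevocation status usually means the CDP URL is blocked by an egress proxy, which is worth fixing before relying on automatic revocation on retire.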

Video: Coming to the Microsoft Intune Suite – Microsoft Cloud PKI!


Author

Krishna R. is a computer enthusiast. She loves writing about Windows 11 and Intune-related technologies, and she likes to share her knowledge, quick tips, and tricks for Windows 11 and Windows 10 with the community.
