1
00:00:02,140 --> 00:00:06,940
Welcome back once again to Implementing Microsoft Always On VPN.

2
00:00:06,940 --> 00:00:12,040
This module covers certificate deployments with Intune.

3
00:00:12,040 --> 00:00:13,450
Now, up until this point,

4
00:00:13,450 --> 00:00:18,770
we've kind of assumed that your endpoints and users were joined to a domain

5
00:00:18,770 --> 00:00:23,400
and that you had access to the on‑premises network, and you're enrolling for

6
00:00:23,400 --> 00:00:26,580
certificates using Active Directory and Group Policy. And that's all well and

7
00:00:26,580 --> 00:00:31,660
fine and works in the vast majority of cases, but, of course, this is

8
00:00:31,660 --> 00:00:36,180
not the only use case for deploying certificates, and there may certainly be

9
00:00:36,180 --> 00:00:40,880
some scenarios in which we need to deploy certificates to devices that don't

10
00:00:40,880 --> 00:00:44,090
have access to the domain or maybe aren't even joined to the domain.

11
00:00:44,090 --> 00:00:47,980
And so that's what this particular module is going to focus on, and we'll

12
00:00:47,980 --> 00:00:50,270
start by looking at some of those common use cases.

13
00:00:50,270 --> 00:00:54,950
We'll talk about deploying trusted certificates because we can't enroll for

14
00:00:54,950 --> 00:00:59,560
end‑entity certificates, the certificates that are actually used for device

15
00:00:59,560 --> 00:01:04,290
and user authentication from any CA that the endpoint doesn't trust, so the

16
00:01:04,290 --> 00:01:09,220
first step is to get our endpoints to trust our issuing CAs and our CA

17
00:01:09,220 --> 00:01:13,220
infrastructure and then ultimately get those certificates rolled out to the

18
00:01:13,220 --> 00:01:14,220
end entities.

19
00:01:14,220 --> 00:01:18,740
Now you have two options available to you as an administrator in

20
00:01:18,740 --> 00:01:22,240
Intune with which to enroll end‑entity certificates.

21
00:01:22,240 --> 00:01:26,620
The first is PKCS, and the second one is called SCEP, and we're

22
00:01:26,620 --> 00:01:30,450
going to have a long conversation about these two technologies and

23
00:01:30,450 --> 00:01:32,950
why you should choose one over the other.

24
00:01:32,950 --> 00:01:33,880
And then finally,

25
00:01:33,880 --> 00:01:37,630
we'll wrap up the conversation with deployment of

26
00:01:37,630 --> 00:01:39,250
the Intune certificate connector,

27
00:01:39,250 --> 00:01:45,240
which is the software that establishes the connectivity between Intune and our

28
00:01:45,240 --> 00:01:55,000
on‑premises enterprise PKI so that we can enroll certificates for devices and users that are outside of the corporate network.