1
00:00:02,040 --> 00:00:05,850
So as I mentioned before, up until this point in the course,

2
00:00:05,850 --> 00:00:10,820
we've really focused on kind of the most common deployment model,

3
00:00:10,820 --> 00:00:15,170
which is on-premises domain-joined devices,

4
00:00:15,170 --> 00:00:17,960
users with access to the corporate network.

5
00:00:17,960 --> 00:00:20,890
A lot of times we're talking about provisioning these devices to,

6
00:00:20,890 --> 00:00:23,530
you know, users inside the building, and so,

7
00:00:23,530 --> 00:00:25,690
you know, we're assuming we have connectivity,

8
00:00:25,690 --> 00:00:29,640
we're enrolling for our certificates using Active Directory and Group Policy,

9
00:00:29,640 --> 00:00:32,640
so things work quite seamlessly and transparently.

10
00:00:32,640 --> 00:00:33,570
But again,

11
00:00:33,570 --> 00:00:37,440
there are a number of use cases in which you may need to enroll

12
00:00:37,440 --> 00:00:42,390
certificates for devices or users that don't have access to the

13
00:00:42,390 --> 00:00:45,340
corporate network or may not even be domain joined.

14
00:00:45,340 --> 00:00:47,520
Some of the most common use cases, of course,

15
00:00:47,520 --> 00:00:50,080
when we're talking about remote provisioning,

16
00:00:50,080 --> 00:00:53,960
would be for any device for which you would need to provision these

17
00:00:53,960 --> 00:00:57,360
certificates when it didn't have on-premises connectivity.

18
00:00:57,360 --> 00:01:01,620
So these could be obviously in the context of Always On VPN,

19
00:01:01,620 --> 00:01:03,970
probably one of the more common workloads that you would

20
00:01:03,970 --> 00:01:07,020
need to provision certificates when those devices or users

21
00:01:07,020 --> 00:01:08,640
were outside of your building.

22
00:01:08,640 --> 00:01:12,750
But this could also be Wi-Fi access certificates or any other

23
00:01:12,750 --> 00:01:16,250
certificates that you might need to deploy while these users or

24
00:01:16,250 --> 00:01:20,340
devices are not in your building or on-premises.

25
00:01:20,340 --> 00:01:23,390
One of the more common workloads, of course, is Autopilot.

26
00:01:23,390 --> 00:01:29,270
Autopilot is a technology or a functionality of Intune for which

27
00:01:29,270 --> 00:01:35,860
administrators can provision and manage endpoints and do so without having

28
00:01:35,860 --> 00:01:39,210
them be connected to the domain or even be on-premises.

29
00:01:39,210 --> 00:01:42,660
Autopilot allows you to, you know,

30
00:01:42,660 --> 00:01:46,860
fully configure devices for users in the field; all

31
00:01:46,860 --> 00:01:48,400
they need is access to the internet.

32
00:01:48,400 --> 00:01:51,250
And in those scenarios, if you're doing Autopilot,

33
00:01:51,250 --> 00:01:54,000
especially with hybrid Azure AD, they will,

34
00:01:54,000 --> 00:01:54,490
of course,

35
00:01:54,490 --> 00:01:57,870
need access to the on-premises network to be able to

36
00:01:57,870 --> 00:02:00,740
support the first logon when they connect.

37
00:02:00,740 --> 00:02:05,430
And so, in that case, we need to get not only our VPN profiles,

38
00:02:05,430 --> 00:02:09,440
but we need to get those certificates to support those VPN profiles as well.

39
00:02:09,440 --> 00:02:09,940
So,

40
00:02:09,940 --> 00:02:12,320
Autopilot's a really common deployment scenario that

41
00:02:12,320 --> 00:02:15,040
would support this technology.

42
00:02:15,040 --> 00:02:15,910
And then finally,

43
00:02:15,910 --> 00:02:19,990
you may also just need to provision certificates to any

44
00:02:19,990 --> 00:02:22,260
devices that are not domain joined.

45
00:02:22,260 --> 00:02:28,700
So, you know, traditionally, we've joined our Windows endpoints to the domain;

46
00:02:28,700 --> 00:02:30,450
that's kind of going away,

47
00:02:30,450 --> 00:02:36,040
there are a lot of compelling use cases for just doing native Azure AD join.

48
00:02:36,040 --> 00:02:37,840
And in those scenarios,

49
00:02:37,840 --> 00:02:41,660
when those endpoints that are Azure AD joined only need

50
00:02:41,660 --> 00:02:47,010
to talk to on-premises resources, you know, applications and data over the VPN,

51
00:02:47,010 --> 00:02:47,840
they will, of course,

52
00:02:47,840 --> 00:02:51,470
need the VPN profile and naturally need the certificate for that.

53
00:02:51,470 --> 00:02:52,630
So in that scenario,

54
00:02:52,630 --> 00:02:56,320
provisioning certificates using Intune is going to be required.

55
00:02:56,320 --> 00:02:58,570
Now when we're talking about certificates,

56
00:02:58,570 --> 00:03:03,270
there are two types of certificates that administrators need to be concerned with,

57
00:03:03,270 --> 00:03:05,200
and the first one is trusted certificates.

58
00:03:05,200 --> 00:03:06,280
Because again,

59
00:03:06,280 --> 00:03:10,610
as I mentioned at the outset, we can't enroll for end-entity

60
00:03:10,610 --> 00:03:16,930
certificates unless that endpoint trusts our Enterprise PKI.

61
00:03:16,930 --> 00:03:17,800
So in that case,

62
00:03:17,800 --> 00:03:21,470
we need to first deploy our trusted certificates for our root CA,

63
00:03:21,470 --> 00:03:24,670
for any subordinate or intermediate CAs,

64
00:03:24,670 --> 00:03:26,370
and then our issuing CA.

65
00:03:26,370 --> 00:03:30,110
So if you have a one-, two-, or multi-tier PKI,

66
00:03:30,110 --> 00:03:33,690
we need to essentially get the certificate chain onto these

67
00:03:33,690 --> 00:03:37,610
endpoints so that they fully trust the Enterprise PKI,

68
00:03:37,610 --> 00:03:42,000
so then we can get on to issuing our end-entity certificates.

69
00:03:42,000 --> 00:03:53,000
These are the certificates that are issued to the user and/or the device, and they are used for authenticating, in our case, to the VPN.