[00:00:03] All right, let's deploy some trusted certificates using Intune. Now, to begin, what we need to do is find our root and any intermediate certificates, and the best place to do that is from any domain-joined workstation or server. You don't actually have to do this directly on a CA. You can actually just do it, again, from any domain-joined workstation or server by typing, just clicking into the search field here, and just type certlm.msc, and this opens up the Local Computer Certificates store. So we can go into our Trusted Root CA folder, and then we'll find our CA. So here it is. And again, in this example, I do have two different CAs. One's a Suite B hierarchy, so this is a separate hierarchy. It is a whole separate PKI infrastructure. But this is the one specifically that I'm after. Now, here's the deal. You'll see that I have just one certificate for this CA listed in this Trusted Root CA folder. You may find that you have multiple certificates with the same name issued by the same CA. And it's perfectly normal. There are a couple of cases that kind of cause that.

[00:01:15] The first is that it's not uncommon for administrators to publish the root CA certificate more than once, so it's not outside the realm of possibility that these are just simply duplicates. So if you see multiple certificates here, double-click on one of them, go to Details, and then scroll down to Thumbprint, and then just have a look at the thumbprint. If you have multiple CA certificates and they each have the same thumbprint, then it doesn't matter; it's just duplicates. However, if they have different thumbprints, it could very well be that these were CAs that were installed and then removed and then reinstalled again using the same common name, in which case they would have a different certificate and a different thumbprint. Might be that your CA has had the root or issuing CA certificates renewed. So in those scenarios you might have duplicates, and it's vital that we choose the correct one. So, in that case, I'm going to show you a different way to export this in kind of a more positive manner to make sure that we get the right one.

[00:02:15] So if you expand the Personal and Certificates store and look for any certificate that was deployed to this endpoint from the CA that you're interested in, in this case, this is from my issuing CA here, I'm going to double-click on this, and then I'm going to go to Certification Path, and then I will highlight the root CA certificate. And then click View Certificate, and this is absolutely the certificate that we want. This would be the active root CA certificate. Here I'm just going to go to Details and then Copy to File. Then we'll click Next. We'll select Base-64 encoding, choose Next, and we'll give this a file name. So we'll just put it right here on the Desktop, click Next, Finish, and OK. So we'll click OK. And I could actually stay here and grab our issuing CA certificate as well. So if you have a multi-tier PKI, then I can just simply highlight my issuing CA, or intermediate or subordinate CA, whatever you want to call it. We'll click View Certificate, go to Details, Copy to File, click Next, Base-64 encoded, Next, provide a file name, and this is our intermediate or issuing CA. So we'll click Save, Next, Finish, and OK, and we'll close out.

[00:03:37] And at this point now, I've saved these certificates to the root, and now I'm going to upload them to Intune. So here we are in the Microsoft Endpoint Manager admin center, or management portal, and I'm going to select Devices. I'm going to go scroll down a bit here, select Configuration profiles, and then I will choose Create profile. Next, I'm going to select the Platform as Windows 10 and later, and the Profile type will be Templates, and here I'm looking for a template called Trusted certificate. So I'll select that and click Create. The first one I want to issue is my root certificate, so let's just give that a name. So we'll choose Next. And here we're just going to click on the little folder here and select our file that we saved previously. And the Destination store is, of course, the Computer certificate store in the Root CA folder, so the default's fine there, so we'll choose Next. And now we'll assign it to our groups. And in this case, I'm going to assign it to my VPN Devices so that anybody logging in from a VPN device will automatically trust my CA. So we'll choose Next. And I'm going to skip the Applicability Rules and choose Next and then click Create. And then I'm going to repeat the process for the intermediate or issuing CA certificate.

[00:05:07] So click Devices, Configuration profiles, Create profile, Windows 10 and later, and then Templates, and we'll select Trusted certificate once again, and this time it's going to be my Issuing CA Certificate. Choose Next. And I'm going to click on the folder again, and this time I'm going to select my issuing CA certificate. And this time for the Destination store, I'm going to choose Computer certificate store - Intermediate. So we'll choose Next. We're going to add our VPN device group once more. Choose Next, Next, and Create. And at this point, then as soon as those endpoints that are in that VPN device group sync, they will receive my root CA certificate and my issuing CA certificate.
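The certificate-gathering steps from the walkthrough, as an added PowerShell example that is not from the video: it walks the chain of a certificate the issuing CA already deployed to this machine (the "positive" method the narrator describes), writes each CA certificate out Base-64 encoded for the Trusted certificate template, and flags same-named Trusted Root entries whose thumbprint differs from the active root. `$IssuingCaName`, `$OutDir` and the output file names are assumptions; the upload to Intune itself stays in the portal.

```powershell
# Added example (not the video's own script). Run in an elevated PowerShell
# session on a domain-joined Windows host that holds a certificate in
# Cert:\LocalMachine\My issued by the CA named (as a substring) in $IssuingCaName.
param(
    [string]$IssuingCaName = 'Issuing CA',        # assumed: substring of the issuer CN
    [string]$OutDir = "$env:USERPROFILE\Desktop"  # assumed output folder
)

# 1. Pick a certificate on this endpoint that the CA of interest issued.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=*$IssuingCaName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate issued by '$IssuingCaName' found in LocalMachine\My." }

# 2. Build its chain. This resolves the *active* root and intermediates, which is
#    what we want when the Trusted Root store holds stale or renewed duplicates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    Write-Warning ("Chain did not fully validate: " + ($chain.ChainStatus.StatusInformation -join '; '))
}

# 3. Export every CA certificate in the chain (skip the leaf) as Base-64 PEM,
#    the encoding chosen in the Copy to File wizard above. Order is leaf -> root.
$elements = @($chain.ChainElements | Select-Object -Skip 1)
$i = 0
foreach ($el in $elements) {
    $c = $el.Certificate
    $i++
    $role = if ($i -eq $elements.Count) { 'root' } else { "intermediate$i" }
    $cn = ($c.Subject -split ',')[0] -replace '^CN=', '' -replace '[^\w\-]', '_'
    $path = Join-Path $OutDir "$role-$cn.cer"
    $b64 = [Convert]::ToBase64String($c.RawData, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" | Set-Content -Path $path -Encoding Ascii
    "{0,-14} {1}  {2}" -f $role, $c.Thumbprint, $path   # thumbprint is what you compare by hand
}

# 4. The duplicate check the narrator does by eye: same subject as the active root
#    but a different thumbprint means a reinstalled or renewed CA certificate.
$root = $elements[-1].Certificate
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $root.Subject -and $_.Thumbprint -ne $root.Thumbprint } |
    ForEach-Object { "Stale/renewed copy of root in Trusted Root store: $($_.Thumbprint) (NotAfter $($_.NotAfter))" }
```

Each exported .cer file maps to one Trusted certificate profile: the root file to the default Computer certificate store - Root destination, each intermediate file to Computer certificate store - Intermediate.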