So now let's go back to the Endpoint Manager console, and then we'll select Devices, go to Configuration profiles, and then click Create profile. So here we're going to select Windows 10 and later, and choose Templates, and we'll choose PKCS certificates. We'll click Create, and we'll provide a descriptive name here, and choose Next. And, again, we're going to have to answer some questions here about this particular certificate.

So by default the renewal threshold is 20%, meaning that this certificate will attempt to start the renewal process once it reaches about 20% of its expected lifetime, and by default that's perfectly acceptable, so I don't see any need to change that in here. The default validity period for a certificate is 1 year, and again, that's pretty much industry standard best practice, so I'll leave that as well. I certainly wouldn't go any longer. I don't know that there's any value in going any shorter either, so we'll just leave it at 1 year.

Next we have the Key storage provider. Here, this is critical, because we want to select Enroll to TPM, otherwise fail. Now, the reason we do that is because we want this to fail securely. In other words, we don't want it to fail silently into a less secure configuration. We want to know that it's failed so that we can address it. We want to ensure that our certificates, and specifically the keys, the private keys for these certificates, are well protected. If they're not on a TPM, they could be exposed to an attacker quite easily. Anyone with administrative access on the endpoint can access those private keys if they're not in the TPM, and so that represents a significant security risk. So we want this to fail hard so that we can address the problem. Is it an endpoint that doesn't have a TPM? Is it not configured correctly? Maybe it needs to be reset, what have you, but you would rather deal with that on a case-by-case basis rather than have it silently fail back to an insecure configuration.

Up next, we want to choose our Certification authority, and in this case this is just the FQDN of the issuing CA server that we're going to use. You may have more than one issuing CA, but you can only enter one here, so I'm going to enter ours now. And then the next thing it's going to ask you is for the Certification authority name, and this sounds a little bit redundant, but it is just a little bit different. And the way to find this information is actually to open a command window on a domain-joined server or workstation, and once you've done that, just simply type in the command certutil.exe without any values. And in this case I have two CAs in my environment, as I demonstrated earlier. This one is the one that I want, so you'll see that Entry 1 has the name here. So I'm going to go ahead and copy this information and then I will just paste it into the Certification authority name field here.

The next is the template name, and this can be quite confusing. So let's jump back over to our admin workstation here, and if I look at this template, you'll see that it's called Intune PKCS Enrollment. That is what's known as the display name. So let's go take a look at this really quick. So I'm going to right-click Certificate Templates, choose Manage, and then I'm going to find that particular template. And if I double-click on this, you'll see that it has a Template display name and a Template name. That field that we're looking at wants the template name, not the display name. In this scenario, the template name is simply the template display name without any spaces, and that's most common, but not 100% guaranteed, so always take a look at that. And then this is the information that you will input into the device configuration profile.

And in this case this is a Device certificate, and by the way, the template that we created in Active Directory can be used for the user or the device. What dictates whether it's a user or device certificate is right here. So we'll select Device, and in the Subject name format for a Device certificate, we want to use the fully qualified domain name, and so that format is CN=, a couple of curly braces there, and then the word FullyQualifiedDomainName, and we'll end that with a couple of extra curly braces there (CN={{FullyQualifiedDomainName}}). It's important to note that this format is only available for domain-joined endpoints. However, for a device certificate, the only scenario in which we really need to deploy that for Always On VPN is if it's a domain-joined computer. If it's not, then we don't have to worry about this. So in this case this is perfectly acceptable. Now for the Subject alternative name, we're going to do the same thing here. So we're going to select, in this case we're going to select DNS, and we're going to add that same subject name format, this time without the CN=. Very good.

So moving on, we need to set the Extended key usage, or EKU, and in this case it's really easy because it's a predefined value. So I'm going to select Client Authentication from this drop-down list, and then we'll choose Next. We will assign this, and in this case I'm going to assign it to my VPN Devices again, because this is a device certificate, so I'll choose Next, skip my Applicability Rules, choose Next, and click Create. And that's it, we've deployed a PKCS certificate for Always On VPN devices. Now when those clients sync, they will get that certificate. Since they already trust my hierarchy, or my PKI, they will enroll for this certificate successfully.
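As an added example (not part of the course narration or any Microsoft tooling), here is a PowerShell check an administrator can run on an enrolled endpoint to confirm the outcome the profile above is meant to guarantee: the device certificate's private key sits in the TPM key storage provider, it carries the Client Authentication EKU, and its subject CN is the machine FQDN. The function and variable names are my own; the only assumption is that "Microsoft Platform Crypto Provider" is the Windows name of the TPM KSP, and that the script runs elevated in the machine context.

```powershell
# Added verification script (not from the course): confirms that a device
# certificate enrolled through the PKCS profile landed in the TPM KSP,
# carries the Client Authentication EKU, and has the machine FQDN as its CN.
# Assumptions: run elevated on the enrolled Windows 10+ endpoint;
# "Microsoft Platform Crypto Provider" is the Windows name of the TPM KSP.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$TpmKsp        = 'Microsoft Platform Crypto Provider'
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # CNG (KSP) keys expose CngKey.Provider; legacy CSP keys expose CspKeyContainerInfo.
    # Non-RSA keys return $null here and are therefore flagged for manual review.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
    return $null
}

# Only machine certificates that have a private key and the Client Authentication EKU.
$results = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) } |
    ForEach-Object {
        $provider = Get-KeyProviderName -Cert $_
        [pscustomobject]@{
            Subject  = $_.Subject
            Expires  = $_.NotAfter
            Provider = $provider
            InTpm    = ($provider -eq $TpmKsp)
            CnIsFqdn = ($_.Subject -eq "CN=$Fqdn")
        }
    }

$results | Format-Table -AutoSize

# Fail loudly, in the spirit of "Enroll to TPM, otherwise fail": any client-auth
# machine certificate whose key is outside the TPM KSP is reported for follow-up.
$bad = @($results | Where-Object { -not $_.InTpm })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) client-auth certificate(s) have private keys outside the TPM KSP."
}
```

A certificate that shows a Provider other than the TPM KSP is exactly the case the profile's fail-hard setting is meant to surface; the script lets you confirm that from the endpoint rather than trusting the Intune status alone.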