1
00:00:02,240 --> 00:00:04,450
So now that we have our certificates in place,

2
00:00:04,450 --> 00:00:08,560
we have our template published, we have our trusted root certificates out there,

3
00:00:08,560 --> 00:00:13,490
and we've created our PKCS profiles for the device and

4
00:00:13,490 --> 00:00:15,480
the user authentication certificate,

5
00:00:15,480 --> 00:00:20,420
the last step is to actually deploy the certificate connector itself.

6
00:00:20,420 --> 00:00:23,540
So this basically enables that communication between

7
00:00:23,540 --> 00:00:26,650
Intune and your on-premises Enterprise PKI.

8
00:00:26,650 --> 00:00:27,580
And so to do this,

9
00:00:27,580 --> 00:00:31,540
we're actually going to go to the Tenant administration tab here,

10
00:00:31,540 --> 00:00:34,020
and then we'll click Connectors and tokens.

11
00:00:34,020 --> 00:00:39,470
We'll scroll down and find Certificate connectors, and then we will click Add.

12
00:00:39,470 --> 00:00:43,440
We'll click on this link here that says certificate connector,

13
00:00:43,440 --> 00:00:46,180
and it will download the connector for us.

14
00:00:46,180 --> 00:01:00,340
So we'll copy this over to our server that we've set aside for the PKCS role.

15
00:01:00,340 --> 00:01:03,510
So here we are on our PKCS server, and again,

16
00:01:03,510 --> 00:01:08,470
we don't install any roles or features, it's just a domain-joined Windows Server,

17
00:01:08,470 --> 00:01:13,120
basic member server, and then we're going to install the certificate connector.

18
00:01:13,120 --> 00:01:17,140
But, before we do that, we have to make one crucial change.

19
00:01:17,140 --> 00:01:19,510
We need to actually go click on the Start menu,

20
00:01:19,510 --> 00:01:24,740
and go to the Server Manager, and we need to select Local Server,

21
00:01:24,740 --> 00:01:28,930
and then disable Enhanced Security for IE.

22
00:01:28,930 --> 00:01:33,130
And this is required because we're going to authenticate to Azure AD,

23
00:01:33,130 --> 00:01:37,860
and, of course, if we leave IE Enhanced Security on,

24
00:01:37,860 --> 00:01:39,050
then, of course, it will break things.

25
00:01:39,050 --> 00:01:42,580
So I'm going to turn this off for both Users and

26
00:01:42,580 --> 00:01:44,990
Administrators, you can turn this on again later,

27
00:01:44,990 --> 00:01:45,940
of course.

28
00:01:45,940 --> 00:01:47,210
And then once that's done,

29
00:01:47,210 --> 00:01:48,980
we're going to go ahead and just double-click on the

30
00:01:48,980 --> 00:01:53,440
Intune Connector that we just downloaded,

31
00:01:53,440 --> 00:01:57,140
select the agreement there, and then click Install,

32
00:01:57,140 --> 00:01:57,970
and click Yes.

33
00:01:57,970 --> 00:01:58,970
And, by the way,

34
00:01:58,970 --> 00:02:04,680
it's vital that when you install the Intune certificate connector,

35
00:02:04,680 --> 00:02:07,750
that the user that you're going to authenticate to

36
00:02:07,750 --> 00:02:11,770
Azure AD to install the connector, you'll see this in just a second,

37
00:02:11,770 --> 00:02:16,550
they must be a Global Administrator and they must also

38
00:02:16,550 --> 00:02:19,740
have an Intune license assigned.

39
00:02:19,740 --> 00:02:22,730
It's crucial that you meet both of those, Global Administrator,

40
00:02:22,730 --> 00:02:24,490
as well as Intune license.

41
00:02:24,490 --> 00:02:26,970
This Global Administrator may not need Intune,

42
00:02:26,970 --> 00:02:30,520
but it must have an Intune license assigned to it in

43
00:02:30,520 --> 00:02:32,530
order to complete this successfully.

44
00:02:32,530 --> 00:02:37,140
So once that's done, I'm going to go ahead and click Configure Now.

45
00:02:37,140 --> 00:02:39,250
And we're going to walk through this wizard here,

46
00:02:39,250 --> 00:02:42,280
so we'll just choose Next, and we're going to

47
00:02:42,280 --> 00:02:47,040
uncheck PKCS imported certificates, we will select PKCS,

48
00:02:47,040 --> 00:02:49,440
as well as Certificate revocation.

49
00:02:49,440 --> 00:02:51,190
And this is really important because this means

50
00:02:51,190 --> 00:02:53,090
that when you enable this feature,

51
00:02:53,090 --> 00:02:58,630
once a certificate no longer applies to a user or device,

52
00:02:58,630 --> 00:03:02,720
the Intune Connector will automatically go out and remove that

53
00:03:02,720 --> 00:03:05,300
certificate or revoke it on your issuing CA.

54
00:03:05,300 --> 00:03:09,040
So we'll choose Next, and I'm going to run this as a SYSTEM account.

55
00:03:09,040 --> 00:03:11,950
You can run it as a Domain account if you prefer,

56
00:03:11,950 --> 00:03:15,700
that Domain account must be a member of the local Administrators group,

57
00:03:15,700 --> 00:03:16,140
however.

58
00:03:16,140 --> 00:03:18,690
I'm going to choose SYSTEM account and choose Next.

59
00:03:18,690 --> 00:03:21,550
I'm not using a proxy server to access the internet.

60
00:03:21,550 --> 00:03:21,980
And again,

61
00:03:21,980 --> 00:03:24,760
we do have to access the internet because we're going to authenticate

62
00:03:24,760 --> 00:03:29,650
against Azure AD here shortly, so choose Next. It's going to look for our

63
00:03:29,650 --> 00:03:31,840
prerequisite checks. Everything looks good,

64
00:03:31,840 --> 00:03:33,720
so we'll go ahead and choose Next again.

65
00:03:33,720 --> 00:03:37,370
I'm going to select Public Commercial Cloud, and click Sign In,

66
00:03:37,370 --> 00:03:48,040
and here is where I'm going to enter my Azure AD credentials,

67
00:03:48,040 --> 00:03:51,740
and we'll choose Next again.

68
00:03:51,740 --> 00:03:52,370
And that's it.

69
00:03:52,370 --> 00:03:53,580
That's all there is to it.

70
00:03:53,580 --> 00:03:57,680
So at this point, we're done with the certificate connector installation,

71
00:03:57,680 --> 00:03:59,940
so we'll go ahead and choose Exit.

72
00:03:59,940 --> 00:04:04,120
And the next thing we want to do is jump over to our issuing CA.

73
00:04:04,120 --> 00:04:04,720
And here,

74
00:04:04,720 --> 00:04:10,300
what we need to do is grant permission on the CA for the Intune

75
00:04:10,300 --> 00:04:13,670
Connector server to enroll and manage certificates.

76
00:04:13,670 --> 00:04:17,960
So I'm going to right-click here and choose Properties, go to the Security tab,

77
00:04:17,960 --> 00:04:20,350
and here I'm going to click Add,

78
00:04:20,350 --> 00:04:26,240
and I'm going to add the Computer Object for the PKCS connector server,

79
00:04:26,240 --> 00:04:29,910
and then I'm going to grant it Issue and Manage Certificates,

80
00:04:29,910 --> 00:04:35,040
as well as Request Certificates, so it needs these permissions on the CA in

81
00:04:35,040 --> 00:04:38,850
order to enroll for those certificates on behalf of those users.

82
00:04:38,850 --> 00:04:40,110
So once you're done, click OK.

83
00:04:40,110 --> 00:04:41,120
And we're all set.

84
00:04:41,120 --> 00:04:43,720
So once the endpoint is synchronized with Intune,

85
00:04:43,720 --> 00:04:46,630
you should be able to go into the local user certificate

86
00:04:46,630 --> 00:04:50,640
store and actually find this certificate.

87
00:04:50,640 --> 00:04:53,280
And here it is, it's issued to my test user.

88
00:04:53,280 --> 00:04:57,490
And if I look at the certificate here, I have a private key.

89
00:04:57,490 --> 00:05:01,480
If I go to the Certification Path, you'll see that there are no trust issues.

90
00:05:01,480 --> 00:05:03,800
You may notice that it has a kind of a funky name,

91
00:05:03,800 --> 00:05:05,960
and also if you look here at the template,

92
00:05:05,960 --> 00:05:07,310
it has an odd name.

93
00:05:07,310 --> 00:05:09,680
This will sort itself out a little bit later,

94
00:05:09,680 --> 00:05:20,000
but eventually, that will actually show you the template name of the PKCS enrollment template that we created previously.