1
00:00:03,640 --> 00:00:06,900
So that wraps up this module on certificates and Intune.

2
00:00:06,900 --> 00:00:08,070
As you saw,

3
00:00:08,070 --> 00:00:11,480
we were able to successfully provision some

4
00:00:11,480 --> 00:00:13,890
certificates to a device that is in the field.

5
00:00:13,890 --> 00:00:14,120
Right?

6
00:00:14,120 --> 00:00:17,710
So not joined to the domain, it doesn't even have domain connectivity,

7
00:00:17,710 --> 00:00:19,330
it just needs to have access to the internet,

8
00:00:19,330 --> 00:00:21,440
and we can get our certificates there.

9
00:00:21,440 --> 00:00:23,720
Not only did we deploy our trusted certificates,

10
00:00:23,720 --> 00:00:27,140
which is kind of the prerequisite or the requirement for

11
00:00:27,140 --> 00:00:29,900
getting our end entity certificates in place,

12
00:00:29,900 --> 00:00:31,910
but you also saw that, you know,

13
00:00:31,910 --> 00:00:35,950
you have options available to you in terms of deploying certificates.

14
00:00:35,950 --> 00:00:42,010
You can use PKCS, which is recommended, certainly SCEP is an option as well,

15
00:00:42,010 --> 00:00:46,740
but as I described earlier in the lesson, there's a

16
00:00:46,740 --> 00:00:49,240
significant amount of risk associated with SCEP.

17
00:00:49,240 --> 00:00:49,910
Specifically,

18
00:00:49,910 --> 00:00:56,040
SCEP has that kind of challenge where you have to install the NDES role,

19
00:00:56,040 --> 00:00:58,480
which includes IIS, and of course,

20
00:00:58,480 --> 00:01:03,670
the NDES role is a highly privileged workstation or a server in your

21
00:01:03,670 --> 00:01:07,040
environment and shouldn't have access directly to the internet,

22
00:01:07,040 --> 00:01:08,050
especially inbound,

23
00:01:08,050 --> 00:01:14,110
which is a requirement for NDES SCEP when using the Intune connector.

24
00:01:14,110 --> 00:01:15,300
So in that scenario,

25
00:01:15,300 --> 00:01:19,260
I always recommend using PKCS because not only is it

26
00:01:19,260 --> 00:01:23,350
easier to install and configure, and you saw how quick and painless that was,

27
00:01:23,350 --> 00:01:27,050
but it is more secure because it doesn't require inbound access; it doesn't

28
00:01:27,050 --> 00:01:32,140
require you to install IIS and expose it directly to the internet when in

29
00:01:32,140 --> 00:01:35,990
fact that is a Tier 0 or a control plane asset.

30
00:01:35,990 --> 00:01:39,520
So always make sure you use PKCS whenever possible.

31
00:01:39,520 --> 00:01:40,820
And then finally, you know,

32
00:01:40,820 --> 00:01:43,440
installing a certificate connector was pretty straightforward.

33
00:01:43,440 --> 00:01:46,490
The key components there are it just requires a

34
00:01:46,490 --> 00:01:49,050
member server joined to your domain,

35
00:01:49,050 --> 00:01:51,830
it requires some permissions on not only the template,

36
00:01:51,830 --> 00:01:53,470
but also on the CA,

37
00:01:53,470 --> 00:01:56,680
and then just make sure that when you install the connector

38
00:01:56,680 --> 00:01:59,760
that you have access to the internet, and then importantly,

39
00:01:59,760 --> 00:02:05,550
that the user that you log into Azure AD with to register the connector,

40
00:02:05,550 --> 00:02:10,460
make sure that that has global administrator privileges in your tenant,

41
00:02:10,460 --> 00:02:12,410
and also, and this is really critical,

42
00:02:12,410 --> 00:02:16,460
that it has an Intune license assigned to it as well.

43
00:02:16,460 --> 00:02:18,700
If you do all of those things, you'll be in good shape,

44
00:02:18,700 --> 00:02:30,000
and you'll be well on your way to deploying certificates using Intune. Join me in the next module where we talk about configuring high availability.