From 8015224337f81b26139f27c438ffcaa9f5162e1a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 10:40:44 +0500 Subject: [PATCH 1/7] Update hello-hybrid-aadj-sso-cert.md --- .../hello-hybrid-aadj-sso-cert.md | 134 +----------------- 1 file changed, 7 insertions(+), 127 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 807592de85..039b8d9442 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -814,143 +814,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector - -Sign-in a workstation with access equivalent to a _domain user_. - -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). - -2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. - -3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - - ![Intune Certificate Authority.](images/aadjcert/profile01.png) - -4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. - -5. Sign-out of the Microsoft Endpoint Manager admin center. - -### Install the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. - -2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. - -3. On the **Microsoft Intune** page, click **Next**. - - ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) - -4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. - -5. On the **Destination Folder** page, click **Next**. - -6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - - ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) - -7. 
On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - - ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) - - > [!NOTE] - > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. - -8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. - -9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. - - ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) - - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. - -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - - ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) - -### Configure the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. The **NDES Connector** user interface should be open from the last task. - - > [!NOTE] - > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. - -2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - - ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) - -3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. 
- - ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) - - > [!IMPORTANT] - > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. - -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. - +To learn how to download, install and configure Intune Certificate Connector, please see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install) ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). You need to select **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -#### Enabling the NDES Service account for revocation +1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. -Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +2. Start the **Certification Authority** management console. -1. 
Start the **Certification Authority** management console. +3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. - -3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -4. Close the **Certification Authority** - -#### Enable the NDES Connector for certificate revocation - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). - -2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - - ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) - -3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. - -### Test the NDES Connector - -Sign-in the NDES server with access equivalent to _domain admin_. - -1. Open a command prompt. - -2. 
Type the following command to confirm the NDES Connector's last connection time is current. - - ```console - reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus - ``` - -3. Close the command prompt. - -4. Open **Internet Explorer**. - -5. In the navigation bar, type: - - ```console - https://[fqdnHostName]/certsrv/mscep/mscep.dll - ``` - - where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. - A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - - ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) - -6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. +5. Close the **Certification Authority** ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile From 8f8cf37bef0b2ca336a43dfbc966bf6558986815 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:23 +0500 Subject: [PATCH 2/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 039b8d9442..46c270d038 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -814,7 +814,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -To learn how to download, install and configure Intune Certificate Connector, please see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install) +To learn how to download, install, and configure the Intune Certificate Connector, see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install). ### Configure the NDES Connector for certificate revocation (**Optional**) From 1ea5b2501aa5f22490e82f44bd38cda09c54707e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:44 +0500 Subject: [PATCH 3/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 46c270d038..669112c0b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -818,7 +818,7 @@ To learn how to download, install, and configure the Intune Certificate Connecto ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). You need to select **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. 1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. From 2ff4cee88eb5dc58e01c953dcdcc8e51c7616f69 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:52 +0500 Subject: [PATCH 4/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 669112c0b6..dd04ba4432 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -820,7 +820,7 @@ To learn how to download, install, and configure the Intune Certificate Connecto Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 2. Start the **Certification Authority** management console. From 49233a2e2d248cf9d3ee875a6dc750bbad073be2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:50:03 +0500 Subject: [PATCH 5/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index dd04ba4432..83e3036f24 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -826,7 +826,7 @@ Optionally (not required), you can configure the Intune connector for certificat 3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -4. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) From 57f0b32ca0563192b33bda4ee63702b0ea2319fe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 12:35:57 +0500 Subject: [PATCH 6/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 83e3036f24..54afa073cc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -830,7 +830,7 @@ Optionally (not required), you can configure the Intune connector for certificat ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -5. Close the **Certification Authority** +5. Close the **Certification Authority**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile From d01bd7c022fcea77d35cfcad4f4c38bdb5a9944d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 12:36:04 +0500 Subject: [PATCH 7/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 54afa073cc..cb173a70b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -826,7 +826,7 @@ Optionally (not required), you can configure the Intune connector for certificat 3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
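Review bot: In the PATCH 1/7 hunk, the revocation section keeps the sentence "Additionally, you need to enable the NDES Service account for revocation", but the same hunk deletes the "Enable the NDES Connector for certificate revocation" steps (Advanced tab, "Specify a different account username and password", restart of the Intune Connector Service and World Wide Web Publishing Service). What remains only grants the NDESSvc account "Issue and Manage Certificates" on the CA; nothing on the page now says the connector must run under that account for the permission to take effect, and the reader is no longer told where the **Certificate revocation** option lives in the connector configuration. Either keep those steps or extend the link sentence so it states that the linked page covers the revocation option and the connector service account. The same hunk also drops the whole "Test the NDES Connector" section, including the `reg query ... NDESConnector\ConnectionStatus` check and the expected 403 from `https://[fqdnHostName]/certsrv/mscep/mscep.dll`, and with it step 6 "Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**"; with no replacement, the page no longer tells the reader how to verify the connector, and no longer tells them to turn IE Enhanced Security Configuration back on after the test.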
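Review bot: In the PATCH 3/7 hunk, "falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted)" still mixes singular and plural; suggest "(the user is removed or deleted, or the profile is deleted)" so the parenthetical matches "the targeted user".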
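Review bot: In the PATCH 4/7 hunk, "Sign in the certificate authority used by the NDES Connector" drops the hyphen but still lacks the preposition; it should read "Sign in to the certificate authority used by the NDES Connector". The unchanged context line "Sign-in the NDES server with access equivalent to _local administrator_" keeps the old "Sign-in" form, so after this change the page uses both styles; consider fixing that line in the same commit.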
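Review bot: In the PATCH 6/7 hunk, "Close the **Certification Authority**." now ends with a period but still names the window incompletely; step 2 opens "the **Certification Authority** management console", so the closing step should use the same wording: "Close the **Certification Authority** management console."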
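Review bot: The PATCH 7/7 hunk shows the removed and added step 4 lines as identical text, so the change is whitespace-only or an invisible character; confirm it is intended and, if so, say so in the commit message, or squash it into PATCH 5/7, which last touched this line.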