131: MDM based policies for certs

Overview

Deploying certificates to Windows devices using Microsoft Intune is a powerful way to enhance security and streamline authentication processes. Here's a comprehensive overview:

Benefits

1. Enhanced Security: Certificates provide a secure method for authentication, reducing the reliance on passwords which can be compromised.
2. Seamless User Experience: Users can access resources without repeatedly entering credentials, improving productivity.
3. Compliance: Helps meet regulatory requirements by ensuring secure access to corporate resources.
4. Centralized Management: Intune allows for centralized deployment and management of certificates, simplifying administration.

Drawbacks

1. Complex Setup: Initial configuration, especially for on-premises components like NDES, can be complex and time-consuming.
2. Maintenance: Ongoing maintenance of the certificate infrastructure is required to ensure continued security and functionality.
3. Compatibility Issues: Potential compatibility issues with older devices or applications that may not fully support certificate-based authentication.

Impact on End Users

• Improved Security: Users benefit from enhanced security without the need for complex passwords.
• Reduced Downtime: Properly managed certificates reduce the risk of downtime due to authentication issues.
• User Training: Some users may require training to understand the new authentication process.

Configuring an NDES Server

Network Device Enrollment Service (NDES) is used to issue and manage certificates for devices. Here are the basic steps to configure an NDES server:

1. Install NDES: Install the NDES role on a Windows Server.
2. Configure NDES: Set up the NDES service to communicate with your Certification Authority (CA).
3. Integrate with Intune: Configure Intune to use NDES for certificate deployment.
4. Secure NDES: Ensure the NDES server is secured and accessible only to authorized devices.

Tying to Zero Trust

Zero Trust is a security model that assumes no implicit trust and continuously verifies every request. Deploying certificates through Intune aligns with Zero Trust principles by:

• Ensuring Secure Access: Certificates provide a secure method for authenticating users and devices.
• Continuous Verification: Certificates can be used to continuously verify the identity of users and devices accessing corporate resources.
• Reducing Attack Surface: By eliminating the need for passwords, certificates reduce the potential attack surface.

Reference

• Use certificates for authentication in Microsoft Intune. https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure
• Overview of Certificate Deployment via Intune: https://everythingaboutintune.com/2020/06/overview-of-certificate-deployment-via-intune-and-scep-vs-pkcs
• Microsoft Intune Cloud PKI | Richard M. Hicks Consulting, Inc.. https://directaccess.richardhicks.com/2024/03/18/microsoft-intune-cloud-pki/
• https://docs.microsoft.com/en-us/intune/certificates-scep-configure