We are planning to issue certificates to clients over the Internet, so we need to set up an NDES infrastructure.
Steps to configure NDES:
1. NDES service account (just a regular default account is fine)
2. NDES server certificate template
- Server Authentication and Workstation Authentication
- 10 years validity
- Subject name is supplied in the request
- Allow the NDES servers to enroll for this template
3. NDES certificate template (this template is used to issue certificates to the clients)
- Request Handling:
  Include symmetric algorithms allowed by the subject
  Enroll subject without requiring any user input
- Cryptography:
  Only select “Microsoft Enhanced Cryptographic Provider v1.0”
- The NDES service account has Enroll and Read access to this template
4. Create an Azure AD Application Proxy application in portal.azure.com
- Internal URL is the FQDN of your internal NDES server
- Pre-authentication: Passthrough
5. Get a certificate for NDES Server using the template created in step 2
- Common Name: internal FQDN
- Subject Alternative Name (DNS):
internal FQDN
external Azure AD App Proxy FQDN
6. Run the PowerShell script to install NDES
https://github.com/MSEndpointMgr/Intune/blob/master/Certificates/Install-MSIntuneNDESServer.ps1
- Please make sure you have at least PowerShell 5.1 installed;
- There should be only one client authentication certificate on the NDES server;
- .NET 3.5 is required
This command works on both Windows 10 and Windows Server; please be advised that the server version must match the ISO source:
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:\\server_path\OSD\Win2019\sources\sxs
Then run the script (saved locally as NDES.ps1 in this example):
.\NDES.ps1 -CertificateAuthorityConfig "ca.corp.lan\caname" -NDESTemplateName "The_template_name_to_issue_client_cert" -NDESExternalFQDN "xxx.msappproxy.net" -RegistrationAuthorityName "NDESRegistrationAuthority" -RegistrationAuthorityCompany "Company_Name" -RegistrationAuthorityDepartment "Dept_Name" -RegistrationAuthorityCity "City_Name" -Verbose
7. Verify the newly created NDES
https://intunendes-tenantname.msappproxy.net/certsrv/mscep/mscep.dll
You should be able to see the “Network Device Enrollment Service” page.
If you are under co-management with SCCM and Intune, then depending on the workload you set up (clients managed by Configuration Manager or by Intune), you need either an Intune connector or the SCCM Policy Module.
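The following PowerShell script is an added post-install check for steps 5 to 7 (it is not part of the original post or of the MSEndpointMgr install script): it verifies the PowerShell and .NET 3.5 prerequisites, that the machine store holds exactly one client-authentication certificate, that the server certificate carries both FQDNs as DNS SANs, and that mscep.dll answers over both names. The two FQDN defaults are placeholders, and the GetCACaps query is the standard SCEP capability request, which the post itself does not mention.

```powershell
# Added example: post-install checks for steps 5 to 7. Not part of the original post
# or the MSEndpointMgr install script. Run in an elevated PowerShell on the NDES server.
param(
    [string]$InternalFqdn = 'ndes01.corp.lan',                      # placeholder
    [string]$ExternalFqdn = 'intunendes-tenantname.msappproxy.net'  # placeholder
)
$results = [ordered]@{}

# Prerequisites of the install script: PowerShell 5.1 and the .NET 3.5 (NetFx3) feature.
$results['PowerShell >= 5.1'] = $PSVersionTable.PSVersion -ge [version]'5.1'
$results['.NET 3.5 enabled']  = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State -eq 'Enabled'

# Exactly one client-authentication certificate (EKU 1.3.6.1.5.5.7.3.2) in the machine store.
$clientAuth = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
$results['Single client-auth cert'] = (@($clientAuth).Count -eq 1)

# The newest server-authentication certificate (EKU 1.3.6.1.5.5.7.3.1) must list both the
# internal and the App Proxy external FQDN as DNS SANs, or TLS fails on one of the two names.
$serverAuth = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$sans = @($serverAuth.DnsNameList.Unicode)
$results['SAN has internal FQDN'] = $sans -contains $InternalFqdn
$results['SAN has external FQDN'] = $sans -contains $ExternalFqdn

# Step 7: mscep.dll must render its page over both names and answer the standard SCEP
# GetCACaps request (a plain-text capability list), which exercises the SCEP path end to end.
foreach ($fqdn in @($InternalFqdn, $ExternalFqdn)) {
    $base = "https://$fqdn/certsrv/mscep/mscep.dll"
    try {
        $page = Invoke-WebRequest -Uri $base -UseBasicParsing -TimeoutSec 15
        $results["NDES page via $fqdn"] = $page.Content -match 'Network Device Enrollment Service'
        $caps = Invoke-WebRequest -Uri "${base}?operation=GetCACaps&message=ca" -UseBasicParsing -TimeoutSec 15
        $results["GetCACaps via $fqdn"] = ($caps.StatusCode -eq 200 -and $caps.Content.Trim().Length -gt 0)
    } catch {
        # Any HTTP or TLS error (certificate name mismatch, untrusted chain, 5xx) lands here.
        $results["NDES page via $fqdn"] = $false
        $results["Error via $fqdn"]     = $_.Exception.Message
    }
}

# One line per check; anything False needs attention before pointing Intune at this server.
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

An Azure AD sign-in page returned through the App Proxy (pre-authentication not set to Passthrough) shows up as a False "NDES page via" result rather than an error, because the request itself succeeds.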
Some References:
Set up NDES
https://msendpointmgr.com/2018/06/19/certificate-deployment-for-mobile-devices-using-microsoft-intune-part-1-overview/
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#set-up-ndes
https://www.petenetlive.com/KB/Article/0000947
https://ronnydejong.com/2014/12/15/part-1-deploy-certificates-to-mobile-devices-using-microsoft-intune-ndes-overview/
Verify NDES configuration on-premises for SCEP certificates in Intune
https://docs.microsoft.com/en-US/troubleshoot/mem/intune/verify-ndes-configuration
Troubleshooting NDES for Intune
https://www.jeffgilb.com/troubleshooting-ndes-for-intune/
https://www.anoopcnair.com/intune-scep-certificate-made-easy-with-joy-4/
https://www.anoopcnair.com/intune-scep-http-errors-ts-made-easy-with-joy-5/
Install Certificate Registration Point with SCCM
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/certificate-infrastructure#step-3---install-the-configuration-manager-policy-module-for-scep-certificates-only
Troubleshooting CMG
Troubleshooting Cloud Management Gateway: Quick & effectively /w CMG Connector Analyzer