The need for robust, scalable, and cost-effective security solutions is now more relevant than ever. An innovation that addresses these needs is the Microsoft Cloud Public Key Infrastructure (PKI) within the Intune Suite. It is a powerful tool designed to simplify and enhance the management of certificate authorities (CAs) and the lifecycle of certificates.

What is Microsoft Cloud PKI?

Microsoft Cloud PKI in the Intune Suite is designed to streamline the traditionally complex and expensive process of managing PKI. It allows system administrators (SysAdmins) to create, revoke, and manage certificates directly through Intune, eliminating the need for cumbersome on-premises PKI infrastructure. This approach reduces costs and simplifies administrative overhead.

Certificates are crucial for authentication, providing a secure and seamless experience for users. By verifying user identity through trusted certificates, businesses can enhance security and trust within their IT ecosystems.

Watch Microsoft’s Steven DeQuincey and Dave Chomas team up with Mobile Mentor’s Denis O’Shea and Neil Misak to explain and demo Cloud PKI in the Intune Suite.

Deployment Models: Greenfield and Brownfield

Deploying Microsoft Cloud PKI within the Intune Suite can follow two primary models: Greenfield and Brownfield.

Greenfield: Creating a New Certificate Authority

The Greenfield model involves creating a new certificate authority (CA) within Intune. Here’s a step-by-step overview of the process:

1. Root CA Deployment: The Cloud PKI root certificate needs to be distributed to all relying parties.

2. Certificate Discovery: If an issuing CA certificate is missing on a relying party, it can be automatically retrieved and installed via the certificate chaining engine (CCE). This ensures that a trust chain is established by retrieving any missing parent certificates.

3. Trust Chain Deployment: Deploy the Cloud PKI certificate trust chain, comprising the root and issuing CA public keys, to all relying parties. This step ensures comprehensive trust across the infrastructure.

4. System Limitation: There is a limit of six Certification Authorities, each with its own Simple Certificate Enrollment Protocol (SCEP) service. RSA key sizes and hash algorithms are configurable.

Brownfield: Leveraging Existing Certificate Authorities

The Brownfield model allows businesses to use their existing CAs and issue certificates to devices through Intune. Here’s how it works:

1. BYOCA Deployment: Intune-managed devices need specific CA certificates: the private CA trust chain (the root and issuing CA certificates that signed the BYOCA Certificate Signing Request (CSR)) and the BYOCA issuing CA certificate itself.

2. Trusted Chain Deployment: For a Cloud PKI BYOCA issuing CA that sits under a private root CA, the trusted chain of private CA certificates (root CA and issuing CA) should already be deployed across the infrastructure.
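Both the Greenfield and Brownfield steps above come down to the same check on each relying party: the root CA must be trusted, the issuing CA must be present (or retrievable by the certificate chaining engine), and the device certificate must chain to them. The following PowerShell function is an added example, not code from the article or from Microsoft, for verifying that on a Windows device; the thumbprints are placeholders for your own CA certificates, and it assumes SCEP-issued device certificates live in the machine Personal store.

```powershell
# Added example: verify that a Cloud PKI (or BYOCA) trust chain is deployed on a Windows relying party.
# Thumbprints are placeholders you replace with the values of your own root and issuing CA certificates.
function Test-CloudPkiTrustChain {
    param(
        [Parameter(Mandatory)] [string] $RootThumbprint,     # Cloud PKI / private root CA thumbprint
        [Parameter(Mandatory)] [string] $IssuingThumbprint   # Cloud PKI issuing CA thumbprint
    )
    # The root belongs in Trusted Root Certification Authorities, the issuing CA in Intermediate CAs.
    $root    = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint
    $issuing = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $IssuingThumbprint
    if (-not $root)    { Write-Warning "Root CA $RootThumbprint is not in LocalMachine\Root" }
    if (-not $issuing) { Write-Warning "Issuing CA $IssuingThumbprint is not in LocalMachine\CA (the chaining engine may still retrieve it)" }

    # Device certificates issued by that issuing CA; SCEP device enrolment places them in LocalMachine\My (assumption).
    $leaves = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $issuing -and $_.Issuer -eq $issuing.Subject }
    if (-not $leaves) { Write-Warning "No device certificates issued by $IssuingThumbprint were found" }

    foreach ($leaf in $leaves) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation is a separate concern; here we only test whether the chain builds to a trusted root.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($leaf)
        [pscustomobject]@{
            Subject       = $leaf.Subject
            Thumbprint    = $leaf.Thumbprint
            ChainBuilds   = $built
            # PartialChain usually means the issuing CA is missing; UntrustedRoot means the root was never deployed.
            Status        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            # The last chain element is the anchor; it should be the root CA you intended to distribute.
            AnchorsToRoot = ($chain.ChainElements | Select-Object -Last 1).Certificate.Thumbprint -eq $RootThumbprint
        }
        $chain.Dispose()
    }
}

# Usage (run elevated so the machine stores are readable):
# Test-CloudPkiTrustChain -RootThumbprint '<ROOT_CA_THUMBPRINT>' -IssuingThumbprint '<ISSUING_CA_THUMBPRINT>' | Format-Table
```

A result of ChainBuilds = False with Status containing PartialChain is the "missing issuing CA" case from step 2 above; UntrustedRoot means step 1 (root distribution) has not reached this device.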

Scope and Maturity

Microsoft Cloud PKI is a mature solution, with Microsoft issuing thousands of new certificate authorities and tens of thousands of certificates each month. This high adoption rate underscores the reliability and effectiveness of the Cloud PKI solution within the Intune Suite.

Enhancing Endpoint Management Strategy

Integrating Cloud PKI with your endpoint management strategy offers several key benefits:

  • Unified Management: Manage cloud certificates alongside endpoints, facilitating a seamless migration from on-premises to cloud-managed certificates.

  • Cost Efficiency: Streamline processes and reduce management costs by eliminating the need for traditional on-premises PKI infrastructure.

  • Simplified Deployment: Deploy certificates in minutes, drastically reducing the time and effort required compared to traditional methods.

  • Enhanced Security: Improve security without the need for dedicated subject matter experts, ensuring that certificates are managed and deployed securely and efficiently.

Conclusion

Microsoft Cloud PKI in the Intune Suite is a game-changer for businesses looking to enhance their certificate management processes. By offering both Greenfield and Brownfield deployment models, it provides flexibility and efficiency, making it an indispensable tool for modern endpoint management strategies.

Andrew Reade