IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Autopilot

Intune: Configure Intune NDES Connector to get User certificates from Digicert (Symantec) Web Services

One of my Customers moving everything to Azure decided to replace internal Microsoft PKI with a managed solution from Digicert (Digicert bought Symantec certificate business recently).

At the present time Microsoft has an article describing Intune Configuration with Symantec PKI Manager Web Service: https://docs.microsoft.com/en-us/intune/certificates-symantec-configure

Unfortunately, it is not very clear what needs to be configured on Symantec (sorry, Digicert) side and I spent some time to get it working.

So, first of you need to talk to Digicert and get a Managed PKI environment.

After that, as per the article, generate a managed certificate and deploy your Managed PKI environment Root cert using Intune. It should be easy.

I took this certificate:

image

image

After that you need to add  a certificate profile on Symantec side (MS article does not provide any details on it):

image

image

I select Client Authentication (User)

image

Give your template a friendly name, select a PKI Web Services as Enrollment method and click Advanced Options:

image

Now we need to do an interesting trick. It is in “Troubleshooting” section of Microsoft article and apparently is required if your UPN have a special characters. I need it even though my UPN did not have them… So:

– Click Add field and select Common Name (CN) and Webservice Request. That will create a new Common Name tab at the bottom. DO NOT click Save

– Delete the old Common Name (CN) at the top of the list.

image

– You can customize other parameters. For example, I added an email as a Subject Alternative Name

image

– Now you can save

Copy Certificate Template OID, you will need it for Intune:

image

At this point you can Download/Install Intune Connector. The procedure is described well in the Microsoft article.

When the connector is up:

image

you can create an Intune PKSC 10 profile (I also added EKU even though it is not in the doc):

image

Save the settings, click Create the profile and assign it to a group of users.

After Intune policy update the certificate should be requested by Intune on a Client behalf and deployed to your device:

image

Advertisements

Azure: Deploy One Drive Known Folder Move with Intune

I am preparing for an Autopilot project for one of my Customers. Microsoft recommends to use One Drive for Business for User data migration.

I tried a couple off approaches how it can be achieved with Intune:

1. Using OMA-DM as per Deploy OneDrive KFM with Microsoft Intune OMA-URI

2. Using Powershell Management Extension: How to deploy OneDrive Known Folder Move with Intune

Both approaches are working; personally I prefer OMA-DM hoping Microsoft will add this option to a standard profile options.