Can you please send the instructions on how to set NDES system level certificates for authrenewal?
Webinar Q&A For: Common And Risky MS Intune And NDES Misconfigurations and How to Fix Them
Q: Is there a way we could configure NDES Certs to be auto-renewed?
A: By default, the templates created by the base NDES install are set to expire. It is a matter of recreating the templates and setting them to auto-renew, so we do not run the risk of having them expire. This is also an opportunity to use Hardware Security Modules to protect the keys for the signing certificates.
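A monitoring check added here (not from the webinar or PKI Solutions) that can be run on the NDES server to catch the expiry risk described above and, as the comment thread later asks, to confirm the signing and encryption RA certificates are renewing in step. It assumes both RA templates carry the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) and uses an illustrative 30-day warning threshold:

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example: report the NDES registration authority (RA) certificates in the
# machine store and warn when they are close to expiry or out of step with each other.
# Assumptions: run as admin on the NDES server; both RA templates carry the
# Certificate Request Agent EKU; $WarnDays and the 7-day drift limit are illustrative.
$raOid    = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$WarnDays = 30
$now      = Get-Date

$raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $raOid
}
if (-not $raCerts) {
    Write-Warning 'No Certificate Request Agent certificates found in LocalMachine\My.'
    return
}

# Classify each RA cert by key usage: the signing cert (Exchange Enrollment Agent
# style) has DigitalSignature, the CEP Encryption cert has KeyEncipherment.
$report = foreach ($c in $raCerts) {
    $ku = ($c.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }).KeyUsages
    $role = if ($ku -and $ku.HasFlag([X509KeyUsageFlags]::KeyEncipherment)) { 'Encryption' }
            elseif ($ku -and $ku.HasFlag([X509KeyUsageFlags]::DigitalSignature)) { 'Signing' }
            else { 'Unknown' }
    [pscustomobject]@{
        Role       = $role
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - $now).TotalDays
        HasKey     = $c.HasPrivateKey
    }
}
$report | Sort-Object NotAfter | Format-Table -AutoSize

foreach ($r in $report) {
    if ($r.DaysLeft -le $WarnDays) { Write-Warning "$($r.Role) RA cert $($r.Thumbprint) expires in $($r.DaysLeft) days" }
    if (-not $r.HasKey)           { Write-Warning "$($r.Role) RA cert $($r.Thumbprint) has no private key on this server" }
}

# The two RA certs should renew together: flag expiry dates that have drifted apart.
$sig = $report | Where-Object Role -eq 'Signing'    | Sort-Object NotAfter -Descending | Select-Object -First 1
$enc = $report | Where-Object Role -eq 'Encryption' | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($sig -and $enc) {
    $gap = [math]::Abs(($sig.NotAfter - $enc.NotAfter).TotalDays)
    if ($gap -gt 7) { Write-Warning "Signing and encryption RA certs expire $([int]$gap) days apart; renewal is out of step" }
}
```

Schedule it alongside the template change so an RA certificate that silently stops renewing is caught before enrollments start failing.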
Q: If you only need to issue certs to Intune devices, NDES is not really necessary isn’t it?
A: Yes, NDES is not necessary. Companies can also use the PFX option while setting up the Intune connector. The big takeaway is that when using PFX we are not generating certificates on the device. The certificate and the private key are being generated off the device and sent to the devices. In the NDES option, you do not have to move the private keys around.
Q: How would you build high availability into your NDES? Intune doesn’t seem to support load balancing of NDES servers?
A: There is a lot to unpack in this question. We will try to cover the high-level concepts in the response. As others also mentioned on the webinar, NDES can only point at one CA at a time, meaning that if something happens to that CA it becomes a single point of failure. But we can point multiple NDES servers at a single CA, and within Intune we can also register multiple NDES servers. This acts as the redundancy layer. So, if we have multiple CAs, we can issue certificates that will be trusted.
Q: Do we have any document that explains how to setup NDES Certs (CEP etc.) to auto-renew?
A: This is a topic that we can cover in another webinar. Ping us if you want to see a document that covers the topic.
Q: Is it possible to use GMSA for running the NDES Service?
A: Yes, it is possible. PKI Solutions has worked with other customers to set up this configuration and it works well.
Q: Is this vulnerability still a concern with NDES/SCEP and MDM? https://www.kb.cert.org/vuls/id/971035
A: The Intune Policy Module is designed to prevent this for Intune based enrollments as Intune itself predefines the subject and identity of the enrollment, even though the mobile device generates and submits the request to NDES. Otherwise yes, NDES is vulnerable in this way – it is just how SCEP was written. It is technically possible to write your own NDES policy module for specific rules to mimic Intune for other types of strong identity proofing processes.
Q: When we migrate a CA to a new machine with same name and same CA name, do we need to make any changes to NDES config?
A: In this scenario, no changes are needed to the NDES Config.
Q: We had an audit and they found the low security template. We were able to change the auto-enrollment scope to include the computer with the Intune NDES.
A: NDES can be fickle. And you can bypass NDES with the Intune connector if you use the PFX portion of it. The big takeaway is that when using PFX we are not generating certificates on the device. The certificate and the private key are being generated off the device and sent to the devices. In the NDES option, you do not have to move the keys around.
Below is a copy of the deck we used for the presentation as a SlideShare.
Common And Risky MS Intune And NDES Misconfigurations and How to Fix Them from PKI Solutions
And here is a link to the full transcript of the webinar.
Key moments of the webinar can be found in the playlist below:
https://www.youtube.com/watch?v=11FjBV_8yaA&list=PL_76cVA2R9XfqhuZ8P23L0dHS-bKrNph_&t=16s
Mark B. Cooper
President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
Comments
*autorenewal
NDES itself isn’t responsible for renewals. NDES is an enrollment protocol (SCEP) which is used to perform enrollments and renewals. The enrolling device (end-entity) or system managing the end-entity is responsible for enrolling and renewing certificates. So you would need to refer to the manufacturer of the end-entity to determine how their device should be configured for renewal.
Thanks for the quick response but I am referring to the NDES system level certificate templates. Discussion from the Q/A…
Q: Is there a way we could configure NDES Certs to be auto-renewed?
A: By default, the base NDES install templates are set to expire. It is a matter of recreating the templates and setting them to auto renew. So, we do not run the risk of having them expire. This also is an opportunity to use Hardware Security Modules to protect the keys for signing certificates.
Just wondering if there is a written procedure detailing the process to set the system level NDES certificate templates to auto-renew. How do you make sure that the Encryption and Signing certificate auto renew at the same time?
Ah, yes, thanks for the clarification. I don’t believe there are any written instructions for this in the public domain that I am aware of. We work with customers on NDES projects and typically provide enrollment and renewal configuration so this issue doesn’t come up.
The reason I am asking about it is because in the video I watched they said to reach out for the specific details on how to do this. Apparently, that is not the case. No worries, I will figure it out myself. Thanks for your time.
We do offer this as part of engagements and consulting services with customers, so we do in fact offer it. It sounds like you were looking for a free source for the information though.
Can you please remove my account from the pkisolutions web site. I don’t see a way to delete my account.