Mark Minasi's Tech Forum
wobble_wobble

Associate Troublemaker Apprentice
Registered:
Posts: 888
Reply with quote  #1 
Trying to figure out how to do conditional access with NDES and Intune

Does the cert that is exposed on the NDES Server need to be a public cert or the NDES IIS published cert? Does anyone know?

Literature seems a little slim and I'm looking to get a cert changed. 

__________________
Have you tried turning it off and walking away? The next person can fix it!

0
donoli

Senior Member
Registered:
Posts: 598
Reply with quote  #2 
https://docs.microsoft.com/en-us/intune/certificates-scep-configure

I don't know if that will help or not.
0
wobble_wobble

Associate Troublemaker Apprentice
Registered:
Posts: 888
Reply with quote  #3 
Thanks but been through that and a lot more.

Was looking for a quicker solution than building a lab on it 


0
wobble_wobble

Associate Troublemaker Apprentice
Registered:
Posts: 888
Reply with quote  #4 
Looks like the cert on the NDES Server for public facing use is a Public Signed Certificate.

For reference, the TraceViewer for those svclog files is available here (Link), as opposed to trying to install the SDK.

0
wobble_wobble

Associate Troublemaker Apprentice
Registered:
Posts: 888
Reply with quote  #5 
So a bit more info for any that ever try this path.

First refer to my rule on Azure/ O365/ InTune

The NDES Server uses a publicly signed certificate to secure all communications to all end point devices.
To check the certificates needed for the certificate chain, especially for Android devices, do the following.
Get the NDES URL:
https://ndes-ms.customer.com/certsrv/mscep/mscep.dll
Edit the line as follows to pull down the certificate chain needed:
https://ndes-ms.customer.com/certsrv/mscep?operation=GetCACert&message=MyDeviceID

This will download a file with no extension.
Edit the file name to add the extension .p7b
This will open the Certificate manager, which will show 3 or 4 certificates: 2 required for the NDES server role, and then a Root and possibly SubOrd Root CA cert for the devices.

Required NDES Certs
[Image: NDES Required Certificates.png]

Root and Subordinate Root CA Certificates
[Image: Root and SubOrd Root Certs.png]

0
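
The check described in post #5, scripted in PowerShell as an added example that is not part of the original thread: it requests GetCACert, loads the response, and lists each certificate with its likely role. The function name, parameter names and the role heuristic are assumptions of this example; the host name in the usage comment is the one used in the post.

```powershell
# Added example: inspect the certificates returned by an NDES GetCACert request.
# Function name, parameters and the role heuristic are assumptions of this example.
function Get-NdesCaCertBundle {
    param(
        [Parameter(Mandatory)][string]$Path,  # file holding (or receiving) the response, e.g. .\ndes.p7b
        [string]$NdesUrl                      # optional: the .../certsrv/mscep base URL to download from
    )
    if ($NdesUrl) {
        # Same request as in the post; skipped when the file was already saved from a browser.
        $uri = '{0}?operation=GetCACert&message=MyDeviceID' -f $NdesUrl.TrimEnd('/')
        Invoke-WebRequest -Uri $uri -OutFile $Path -UseBasicParsing
    }

    # Import() accepts a PKCS#7 bundle (CA plus RA certs) as well as a single DER certificate.
    # Resolve to a full path because .NET does not follow PowerShell's current location.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import((Resolve-Path -LiteralPath $Path).ProviderPath)

    foreach ($c in $certs) {
        $bc = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $ku = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $isCa = [bool]($bc -and $bc.CertificateAuthority)

        # Heuristic: a CA cert with subject == issuer is a root; non-CA certs are the NDES server's own.
        $role = if ($isCa -and $c.Subject -eq $c.Issuer) { 'Root CA' } elseif ($isCa) { 'Subordinate CA' } else { 'NDES RA certificate' }

        [pscustomobject]@{
            Role       = $role
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            KeyUsage   = if ($ku) { $ku.KeyUsages } else { $null }
            NotAfter   = $c.NotAfter
            Expired    = $c.NotAfter -lt (Get-Date)
            Thumbprint = $c.Thumbprint
        }
    }
}

# Usage (replace the host name with your own NDES server):
# Get-NdesCaCertBundle -Path .\ndes.p7b -NdesUrl 'https://ndes-ms.customer.com/certsrv/mscep' | Format-List
```

The Root CA and Subordinate CA rows are the certificates a device has to trust for the chain to build; an Expired value of True on any row is worth resolving before troubleshooting the device side.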