S03E14 - Configuring NDES for SCEP Certificate Deployment (I.T)

Hahaha did I hear Ben say at the end "This is so difficult process because there are so many SCEPS (not steps) involved"? probably not it was just my brain that translated it bad :) great video again!

Certificates for MCSE were a minor topic giving maybe two questions on your exam, none if you were lucky.
Biting the bullet and diving in there is really the only option to getting it right. And yes, no Intune without a decent PKI.
Thanks for this breakdown. Seeing that the 403 was by design saved my sanity :-)
Cheers

Great video and awesome energy as always, guys.

Thanks for making these videos!

Thank you very much! It would be great a video about HA\Multiples NDES Servers and of course multiples Intune and App Proxies.

Really brilliant. Thank you,

Wow! Where you guys were 3 years ago! Anyway thanks a lot!

Thank you so much for this!!!

Great content guys, thanks, I will have to review it a couple of times more, at least ;)

Regarding 'Service account' selection in the Certificate Connector wizard. The caption states 'The connector also uses this account to communicate with a MS Certification Authority'. (I presume mostly for revocation)
For me that would typically imply using a Service account (with appropriate CA permissions) instead of SYSTEM? Else use SYSTEM and add the NDES computer account to the CA to 'Issue and Manage Certificates'. (Security risk?)
Happy to stand corrected. Many thanks for the excellent video.

great stuff, Thanks

53:00 exactly what I'm dealing with. I'm stumbling upon our Netscaler when doing certain Intune stuff, but because I have no idea how our Netscaler works (nor in general), I'm totally depending one of my colleagues who's managing the Netscaler. It's a pain in the ass because we both have our own jobs to do, but are struggling to get things done because we heavily rely on each other for this.

First - great video. Thanks for this. A have some most likely noob questions as I am still a bit confused by what this does. I built this all out with the help of this video and so far everything looks good. A couple questions:
1. You guys used a User template as the SCEP Certificate template. Is this the certificate that you will eventually be deploying out through Intune?
2. If yes to #1 - should I be setting up the SCEP certificate template with the cert I need to push out?
3. If I am on the right track, can we set up multiple certs to be deployed through SCEP?
Thanks for the channel. Always life saving....

With allowing "Supply Subject Name" in the request and having a domain user be able to read the certificate, an attacker with line of sight of the CA/Intermediate can domain admin escalate with any standard account. Do you guys know of any security best practices regarding protecting internally against the certificate template being exploited?

Great video guys! Can you clarify a comment made at 1:01:05 that PKCS should now be used instead of SCEP? Microsoft defines SCEP as more secure as the because the private key never leaves the device and is marked as not exportable? Granted it's easier using PKCS to deliver certificates but from a security perspective is it like for like?

Great video
can you please advice if we must change the NDES service user password
what is the steps we need to take?
do we need to run NDESConnector UI again ?
Thanks
Taz

Hi! I cannot find a seperate video of the mentioned certificate discussion over the different options, scep vs pkcs. Was it scrapped, or is it out there? (would rather avoid the SCEP/NDES hassle if PKCS is a more simple approach, and still secure..goal is cert for office wifi). As always, thanks for your efforts!

Hello great video thank you
I have question if i need to change the CA on ndes how can i do it?

Great video guys! After configuring NDES, AppProxy and installing the Certificate Connector, I do not have these reg keys under HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector: EncryptingCertificate, KeyRecoveryAgentCertificate, PfxSigningCertificate and SigningCertificate. Did I miss a step or is part of the installation process not completing properly? Any ideas?

Hi guys, thank u for this helpfull video! have you maybe prepared even an installation tutorial using on-prem reverse proxy?

thanks alot. i just want to know, if i can block with the Conditional Access the deivces, which didnot have SCEP Cetrificate
Awating your reply
thanks
Jan

I followed your entire steps and it was very helpful.
Can you confirm once the connector is deployed does that NDES iis website open correctly or not. I am getting error 403 forbidden and MS article says it is normal. Also my SCEP certificate is not deployed on android. Can you make a separate video on how to deploy it on android devices 12.0 ? and how to configure a wifi ldap based authentication on wifi.
Any help is appreciated ☺️

Now that is has been 2 years I think we need a how to renew your NDES cert video.

Hi guys. Can anyone confirm whether this binds the user certificates to the user in AD? I am in the process of setting up an EAP-TLS RADIUS using Aruba ClearPass, but I keep getting AD: User not found. EAP-TLS: Authentication failure, unknown user

Should you use the Microsoft CA and NDES to deploy SCEP certificates in Intune when you're fully cloud based or is this set up for hybrid configuration? Does it matter?

is there a process to renew ndes service certificates as well?

Do we need to install "Online Responder" feature on man CA?

I keept getting promptet to sign in, at 47:00, when trying to access the mscep_admin site.
My solution was to disable the "IE Enhanced Security Configration" for administrators, and then restart the server.

Hi,
User template was not mentioned in the Microsoft docs. Why do you create the user template first??

Hello, one question, with the new update of the Intune certificate connector, the client certificate template would no longer be necessary, right?

Guys, on the process I get error 403 forbidden. Denied access. How can I fix the issue? 😢

Thanks so much for this video! I was struggling with wrapping my head around how it worked, but this certainly helped!!
NOW.... I am down to the very last step and getting an error on the Certificate Connector. It runs through the config and ends with "Enrollment Failed. Error: System.ArgumentException: An item with the same key has already been added.".
I am afraid that with all my testing, trial and errors and "redoing" of steps, I might have missed removing something? Anyone have any ideas, or where I could go to check logs for the Certificate connector? Thanks guys!!

How to publish? Is there a part 2 coming?

NDES/SCEP needs EA (Enterprise Admin )account to configure them? is it mandatory?

Hi, In this video at 25:15 you have added as Computer account ( ITNDES), But when i try to add the computer account, its adding as user but not as a machine. Could you please advise how to get the computer account added or any documents on how to do that step?

Stuck in 29:33 of the video. when i specify the service account it shows an error "The Implementation is not capable of performing the request" need help :(

thanks, but can this be done with machine certs.

Hello, I have a question please. if I open the service page with the FQDN of the server (/mscep_admin) a pop-up requests me to authenticate, and the service account fails here to bypass this step, so, as I've seen on your vidue that you've also got that login pop-up, is this really okay or not? and, when I authenticate with the service account, should the admin page open normally, or it's also normal that the credentials are not accepted? I haven't linked NDES yet to our MDM solution and I have doubts. I hope my question was clear. Thank you in advance,

Can we re-configured NDES server on Azure VM as currently all configurations like CA, NDES , DC are on-prem. Can we move all to Azure VM. Any challenges or end user may face?

When I get to configuring the Intune connector and it wants me to log in to Azure AD, all 3 of our global admin accounts say they're personal accounts (which isn't true because they have our domain attached to them) and when I try to use my intune admin account it says Microsoft cannot find my account. Do you have any ideas on why this is happening? It should be so simple!!

Tbh, I have built 4 NDES and SCEP environments in the last year, and I still find the documents are kinda lacking at times, or at least vague.

Do we need app proxy? The MS Learn document only mentions it.

hanks for the guide, everything worked fine for me, but after some time in the ndes server I get the message "The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request." The device is not getting a certificate.
What could be causing this?

Where is the "links down below" as mentioned several times in the video.

Hi, I followed you until the last logon screen in the 'certificate connector'. I am trying to log in, but it wont continue (it just prompts me with the login screen again, no errors.) Do you have any clue to where the fault is? What tools can I use to debug this issue?

Hi, guys!
I've a situation in my deploy...Everything work well, but the Intune are requesting 2 certificates per user and I don't know why.
If the certificate still valid, I think the Intune need to get the same certificate for the user.

So this is confusing, do you actually request a certificate for the NDES server or not? You kinda just skipped over that part?