Webinar Q&A For: Common And Risky MS Intune And NDES Misconfigurations and How to Fix Them

Q: Is there a way we could configure NDES Certs to be auto-renewed?

A: By default, the base NDES install templates are set to expire. It is a matter of recreating the templates and setting them to auto renew. So, we do not run the risk of having them expire. This also is an opportunity to use Hardware Security Modules to protect the keys for signing certificates.

Q: If you only need to issue certs to Intune devices, NDES is not really necessary isn’t it?

A: Yes, NDES is not necessary. Companies can also use the PFX option while setting up the Intune connector. The big takeaway is that when using PFX we are not generating certificates on the device. The certificate and the private key are being generated off the device and sent to the devices. In the NDES option, you do not have to move the private keys around.

Q: How would you build high availability into your NDES? Intune doesn’t seem to support load balancing of NDES servers?

A: There is a lot to unpack in this question. We will try to cover high level concepts in the response. As others also mentioned on the webinar, NDES can only point at one CA at a time, meaning if, if something happens to that CA it becomes a single point of failure. But we can point multiple NDES servers at a single CA and within Intune, we can also have multiple NDES servers. This acts as that redundancy layer. So, if we have multiple CAs we can issue certificates that will be trusted.

Q: Do we have any document that explains how to setup NDES Certs (CEP etc.) to auto-renew?

A: This is a topic that we can cover in another webinar. Ping us if you want to see a document that covers the topic.

Q: Is it possible to use GMSA for running the NDES Service?

A: Yes, it is possible. PKI Solutions has worked with other customers to set up this configuration and it works well.

Q: Is this vulnerability still a concern with NDES/SCEP and MDM? https://www.kb.cert.org/vuls/id/971035

A: The Intune Policy Module is designed to prevent this for Intune based enrollments as Intune itself predefines the subject and identity of the enrollment, even though the mobile device generates and submits the request to NDES. Otherwise yes, NDES is vulnerable in this way – it is just how SCEP was written. It is technically possible to write your own NDES policy module for specific rules to mimic Intune for other types of strong identity proofing processes.

Q: When we migrate a CA to a new machine with same name and same CA name, do we need to make any changes to NDES config?

A: In this scenario, no changes are needed to the NDES Config.

Q: We had an audit and they found the low security template. We were able to change the auto-enrollment scope to include the computer with the Intune NDES.

A: NDES can be fickle. And you can bypass NDES with the Intune connector if you use the PFX portion of it. The big takeaway is that when using PFX we are not generating certificates on the device. The certificate and the private key is being generated off the device and sent to the devices. In the NDES option, you do not have to move the keys around.

Below is a copy of the deck we used for the presentation as a SlideShare.

Common And Risky MS Intune And NDES Misconfigurations and How to Fix Them from PKI Solutions

And here is a link to the full transcript of the webinar.

Key moments of the webinar can be found in the playlist below: