Does Intune store on-premises CA certificates permanently in the cloud?

Good question raised by a Microsoft Intune administrator, who ran into certificate problems and took a closer look. It looks as if Intune permanently stores in the cloud the device certificates that were issued by the on-premises CA. Another Intune administrator pointed me to the relevant post on reddit.com. The question is whether this can be confirmed.



Intune for device management

Microsoft Intune is a cloud-based device management service from Microsoft. It is used to manage PCs and mobile devices over the internet and was introduced in 2011. In a support article, Microsoft describes Intune as a solution that securely manages identities, apps and devices:

Microsoft Intune is a cloud-based endpoint management solution that manages user access to organizational resources and simplifies app and device management across many devices (including mobile devices, desktop computers and virtual endpoints).

A reader's tip and a suspicion

It was just a short email that reached me a few hours ago (thanks for that). It said: "I found something interesting on Reddit. It fits in with the current headlines about Microsoft and security." The background: on reddit.com, an Intune administrator posted his experiences and analysis and raised the question "Does Intune permanently store locally generated CA certificates in the cloud?".

An observation

The Intune administrator in question was having certificate issues with iOS PKCS and Wi-Fi profiles in his environment and began to investigate. While analyzing the certificate issues, the support team instructed the administrator to temporarily remove the profiles via "Excluded groups", wait for the change to be applied to the device and then deploy the profile again. The administrator made a surprising discovery:

  • the old device certificate had not been revoked, and
  • the device received the same device certificate with an identical thumbprint.

In a further step, the administrator therefore checked the servers with the "Certificate Connector" installed, specifically

  • the event log stored there and
  • the Microsoft Intune\PFXCertificateConnector\PfxRequest folder,

to see when Intune requested the issued certificate from the on-premises Microsoft AD CS. However, the administrator found no such request in the logs, so the certificate must have come from somewhere else. The person concerned then ran a test, which he describes on reddit.com.
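The checks described above can be reproduced from the connector/CA side. The following PowerShell script is an added example written for this page; it is neither the Reddit poster's test nor a Microsoft tool. It assumes it is run on the server hosting the Intune Certificate Connector with the AD CS tools (certutil) available, that the device certificate's CommonName is known, that the connector spools requests under the PfxRequest folder named in the post (the full install path is assumed), and that the unified connector writes to the event log name given below (also an assumption; adjust to what Event Viewer shows on your server). The parsing of certutil's row output relies on its English column display names.

```powershell
# Added example (not from the Reddit post or from Microsoft): reproduce the checks
# the administrator describes. Run on the Certificate Connector server.
param(
    # CommonName of the device certificate as issued by AD CS
    [Parameter(Mandatory)] [string] $CommonName,
    # Time at which the profile was re-deployed after the "Excluded groups" round trip
    [Parameter(Mandatory)] [datetime] $RedeployTime,
    # Thumbprint the device shows after re-deployment (optional; from the device/MDM view)
    [string] $DeviceThumbprint = '',
    # CA in "host\CA name" form; empty string lets certutil pick the default CA
    [string] $CaConfig = '',
    # ASSUMED install path of the connector's request spool folder
    [string] $PfxRequestDir = "$env:ProgramFiles\Microsoft Intune\PFXCertificateConnector\PfxRequest",
    # ASSUMED operational log of the Intune Certificate Connector
    [string] $LogName = 'Microsoft-Intune-CertificateConnectors/Operational'
)

# Query the AD CS database for every request carrying this CommonName.
# certutil -view prints "Row N:" blocks of "  Display Name: value" lines; parse those.
function Get-CaIssuedCerts {
    param([string] $Cn, [string] $Config)
    $cuArgs = @('-view')
    if ($Config) { $cuArgs += @('-config', $Config) }
    $cuArgs += @('-restrict', "CommonName=$Cn",
                 '-out', 'RequestID,SerialNumber,CertificateHash,Disposition')
    $rows = @(); $cur = $null
    foreach ($line in (& certutil @cuArgs)) {
        if ($line -match '^Row \d+:') {
            if ($null -ne $cur) { $rows += [pscustomobject]$cur }
            $cur = @{}
            continue
        }
        if ($null -ne $cur -and $line -match '^\s+([^:]+):\s*(.*)$') {
            $key = $Matches[1].Trim(); $val = $Matches[2].Trim()
            switch -Wildcard ($key) {
                'Request ID'     { $cur.RequestId = if ($val -match '\((\d+)\)') { [int]$Matches[1] } else { $val } }
                '*Serial*'       { $cur.Serial = $val }
                '*Hash*'         { $cur.Thumbprint = ($val -replace '[^0-9A-Fa-f]', '').ToUpper() }
                '*Disposition*'  { $cur.Disposition = $val }   # e.g. "0x14 (20) -- Issued", "0x15 (21) -- Revoked"
            }
        }
    }
    if ($null -ne $cur) { $rows += [pscustomobject]$cur }
    return $rows
}

# Did the connector pick up a new request after re-deployment? Check spool files and events.
function Test-ConnectorActivitySince {
    param([datetime] $Since, [string] $Dir, [string] $Log)
    $files = @()
    if (Test-Path $Dir) {
        $files = Get-ChildItem -Path $Dir -File -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.LastWriteTime -ge $Since }
    }
    $events = @()
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; StartTime = $Since } -ErrorAction Stop
    } catch { }   # "No events were found" is thrown as an error; treat it as zero events
    [pscustomobject]@{ NewRequestFiles = @($files).Count; NewEvents = @($events).Count }
}

$certs    = @(Get-CaIssuedCerts -Cn $CommonName -Config $CaConfig | Sort-Object RequestId)
$activity = Test-ConnectorActivitySince -Since $RedeployTime -Dir $PfxRequestDir -Log $LogName

"Requests in the CA database for CN=$CommonName :"
$certs | Format-Table RequestId, Serial, Thumbprint, Disposition -AutoSize | Out-String

# Disposition 21 = revoked in the AD CS database; matching the number avoids localization issues.
$revoked = @($certs | Where-Object { $_.Disposition -match '\(21\)' })
"Revoked: $($revoked.Count) of $($certs.Count)"
"Connector activity since $RedeployTime : $($activity.NewRequestFiles) new PfxRequest file(s), $($activity.NewEvents) connector event(s)"

if ($DeviceThumbprint) {
    $tp  = ($DeviceThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $hit = $certs | Where-Object { $_.Thumbprint -eq $tp }
    if ($hit) { "Device thumbprint $tp matches CA request $($hit.RequestId) (newest request is $($certs[-1].RequestId))." }
    else      { "Device thumbprint $tp was not found in the CA database for this CN." }
}

# The combination observed on the page: old certificate still issued (not revoked), no new
# spool file and no connector event since re-deployment, yet the device holds a certificate.
if ($certs.Count -gt 0 -and $revoked.Count -eq 0 -and
    $activity.NewRequestFiles -eq 0 -and $activity.NewEvents -eq 0) {
    Write-Warning "No new CA request and no revocation since $RedeployTime : the redeployed certificate was not re-issued by AD CS."
}
```

Run it as `.\Check-PkcsReissue.ps1 -CommonName '<device CN>' -RedeployTime '2024-04-10 14:00' -DeviceThumbprint '<thumbprint from the device>'`. If the device thumbprint maps to an old request ID, the CA shows no revocation and the connector shows no activity, you have the same evidence the Reddit poster describes: the certificate reached the device without AD CS issuing anything new.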

It looks as if the device certificates are stored directly in Microsoft Intune in the cloud. The person concerned asks whether other users have made the same observation and remarks: "Why should it be necessary for an MDM to permanently store device certificates on the management platform itself? At least I haven't noticed it with other MDMs."

Normally, such certificates should only be stored permanently at the certification authority (CA), shouldn't they? Questions immediately arise, such as: what if the certificates are lost or stolen not from the "well-secured" on-premises certification authority but from another, less well-secured location? Does certificate-based authentication still make sense then? One caveat: with PKCS profiles the device receives a PFX, i.e. the private key travels with the certificate, so a retained copy of the PFX would be far more sensitive than a retained public certificate alone; the Reddit post does not establish which of the two Intune keeps. The administrator is alluding to the hacks of Microsoft's cloud by Storm-0558 and Midnight Blizzard.

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack
Unsecured Microsoft Azure Server exposes passwords etc. of Microsoft systems (Feb. 2024)
US CISA orders admins in authorities to mitigate the cyber risks of the Microsoft Cloud




This entry was posted in Cloud, devices, Security, Windows.
