Very informative. Thank you.
thanks a lot Gert
Thanks for this video John! Informative indeed!
Thanks a lot, happy to hear
Hey John! Question: We have a compliance policy in Intune for our Windows devices that requires Antivirus, BitLocker, TPM, etc., and the policy is assigned to All Devices. However, some devices are coming back NOT compliant strictly for the Antivirus portion of the policy. Do you know why that is and how we resolve this?
Hi - I am doing Wireless NAC via ISE using the Intune NAC API. Can I use machine cert GUIDs to create auth?
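The Antivirus setting in an Intune compliance policy is evaluated from what Windows Security Center reports, so the first thing to look at on a device that fails only that setting is the Security Center view rather than the Intune portal. The following is an added example, not code from the thread or from the video: it lists every antivirus product registered in root/SecurityCenter2 and decodes its productState. The bit mapping used (0x1000 = real-time protection on, 0x10 = definitions out of date) is the widely used community decoding, not a documented Microsoft contract, and is treated here as an assumption.

```powershell
# Added example (not from the thread): show what Windows Security Center reports for AV,
# which is the source the Intune "Antivirus" compliance setting reads.
# Assumption: the productState bit decoding below is the common community mapping.
function Get-AvComplianceView {
    [CmdletBinding()]
    param()

    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        $state = [int]$p.productState
        [pscustomobject]@{
            DisplayName        = $p.displayName
            ProductStateHex    = ('0x{0:X6}' -f $state)
            RealTimeEnabled    = (($state -band 0x1000) -ne 0)   # assumed bit: RTP on
            DefinitionsCurrent = (($state -band 0x10)   -eq 0)   # assumed bit: signatures out of date
            SignatureTimestamp = $p.timestamp
        }
    }
}

# Defender's own view, useful when a third-party AV has pushed Defender into passive mode.
function Get-DefenderView {
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            AMRunningMode             = $mp.AMRunningMode
            AntivirusEnabled          = $mp.AntivirusEnabled
            RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
            AntivirusSignatureAge     = $mp.AntivirusSignatureAge
        }
    }
    catch {
        Write-Verbose "Defender cmdlets unavailable: $($_.Exception.Message)"
        $null
    }
}

$view = @(Get-AvComplianceView)
$view | Format-Table -AutoSize
Get-DefenderView | Format-List

if ($view.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center; the Antivirus compliance check has nothing to report on.'
}
elseif (-not ($view | Where-Object { $_.RealTimeEnabled -and $_.DefinitionsCurrent })) {
    Write-Warning 'No registered AV is both enabled and up to date; this is what a compliance evaluation would see.'
}
```

Run it on one of the non-compliant devices and compare with a compliant one. Typical findings are a third-party product that never registered with Security Center, a product showing stale definitions, or two products registered where only one is actually running. Security Center itself depends on the Windows Security Service (wscsvc); if that service is stopped the registry of products is stale regardless of what the AV engine is doing.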
Great question! Yes, you can use machine certificates for authentication in a Wireless NAC setup via ISE (Cisco Identity Services Engine) when leveraging the Intune NAC API. The machine certificate GUID can be an effective way to identify devices, especially when combined with the device compliance data provided by Intune.
With that said, I have never personally set this up.
@IntuneVitaDoctrina thanks very much for responding. In Cisco ISE it says we need CN, GUID. But we only have CN. Will this still help? This is unique to the device. If yes, then we get the certs from Intune, so I am wondering how it will play out long term if Microsoft decides to change or revoke certs in the future. Would it also change the CN?
Sorry, not tested myself; this is a bit outside what I could help with. If you've got a CN (Common Name) and that is unique etc... hmmm, maybe it could work.
@IntuneVitaDoctrina ok, that's fine. But if I want to deploy NAC via Azure ISE, can I use on-prem PKI without using ISE pxGrid or an ISE Premier license?
One thing to note: when you have CP configured in Intune and you shift the workload in SCCM to Intune for compliance policies, your GPOs will conflict quite a lot. It's a pain to troubleshoot. Literally, even though it's a compliance policy, some settings WILL GET forced by Intune and override whatever you have in GPOs.
Thanks DanZi, yes, my video doesn't speak about that at all, when you co-manage or also have ConfigMgr. There is also a way in Intune to take the compliance calculations from ConfigMgr. Thanks for the information.
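The exchange above turns on two things the thread leaves open: whether the Subject CN on the machine certificate is actually a GUID (which is what an ISE CN/GUID match would need) and whether anything else in the certificate, such as a Subject Alternative Name, carries a stable device identifier. The following is an added example, not code from the thread or the video: it enumerates the machine store, parses the CN, tests whether it is GUID-shaped and prints the SAN extension and issuer so the certificates coming from Intune can be told apart from others. The store path and the GUID regex are assumptions for the example.

```powershell
# Added example (not from the thread): inventory machine certificates and check whether
# each Subject CN is GUID-shaped, as an ISE CN/GUID device match would require.
# Assumptions: certificates of interest live in Cert:\LocalMachine\My; GUID format is 8-4-4-4-12 hex.
function Get-MachineCertIdentity {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $guidPattern = '^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cn = $null
        # Pull the CN attribute out of the RFC 2253-style subject string.
        if ($_.Subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1].Trim() }

        # Subject Alternative Name is OID 2.5.29.17; Format() renders it as text on Windows.
        $sanExt  = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Issuer        = $_.Issuer
            SubjectCN     = $cn
            CnIsGuid      = [bool]($cn -and ($cn -match $guidPattern))
            SAN           = $sanText
            NotBefore     = $_.NotBefore
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# Only certificates with a private key can be used for EAP-TLS, so filter to those.
Get-MachineCertIdentity |
    Where-Object HasPrivateKey |
    Sort-Object NotAfter |
    Format-List Thumbprint, Issuer, SubjectCN, CnIsGuid, SAN, NotAfter
```

Run it on a handful of enrolled devices and compare the SubjectCN values: if they are GUID-shaped and differ per device, the CN alone is a usable identifier on the ISE side. Whether the CN survives a renewal depends on how the certificate profile builds the subject, which this thread does not settle, so checking a device before and after its certificate renews is the only reliable way to answer that part of the question.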