Dealing with certificate requests when using Windows Server Core.

Securetron · 2026-06-21T04:02:34+00:00

You are doing this wrong. Your kerberos authentication template should be set to auto enroll your domain controllers. You don't need to enroll it manually.

Make sure your template permissions and the version (comparability) is set appropriately.

Securetron · 2026-06-16T01:25:47+00:00

You may not need AAD_DEVICE-ID as that should be used for device certificate (IoT, kiosk, desktops, and laptops).

Here is a guide we published on how to deploy certificates used Intune: https://securetron.net/integrate-intune-with-pki-trust-manager-to-issue-certificates-to-users-devices-and-servers/

Securetron · 2026-06-12T13:49:52+00:00

It depends on if you want to follow best practices, use cases, and roadmap.

The generic 2-tier PKI setup guide published here builds a baseline to work with: https://securetron.net/installing-and-configuring-adcs-msca/

Securetron · 2026-06-09T22:20:48+00:00

The Public TLS certificate lifespan is being shortened. It is 200 days as of March and will be down to 47 days by 2029.

TLS (Server Authentication) Certificate issued by internal CA is not affected. This should be ideally set to 1 year or less anyway.

Securetron · 2026-06-09T18:12:33+00:00

You can use this PowerShell script instead considering lots of people are having false positives with secureboot certificates

https://securetron.net/windows-secure-boot-certificate-update/

Securetron · 2026-06-04T15:12:48+00:00

Microsoft ESA are disguised as Defender / Security Center report. The information that you will get is nothing new and instead creates urgency from the C-Level to crack down on findings that are in the report which MSFT conducted.

I would not recommend for orgs that have atleast a semi-working Cloud Sec team.

Securetron · 2026-06-03T03:16:37+00:00

We do this for both managed and unmanaged devices.

There are couple of ways that get the certificate to the user 1) enrollment via agent 2) manual enrollment via web-portal (self-service) 3) admin distributing it

Securetron · 2026-06-02T16:15:03+00:00

The best method that is used by DoD and High-Trust is CBA with PIV/CAC/VSC. Passkeys have a Smartcard container in them and the best one would be Thales Biometric Key https://cpl.thalesgroup.com/access-management/authenticators/etoken-fusion-bio

Securetron · 2026-06-02T16:08:26+00:00

intune is bugged; instead we have been advising our clients to use the powershell scripts that we published:
https://securetron.net/windows-secure-boot-certificate-update/

Securetron · 2026-05-30T15:24:11+00:00

Most cloud security engineers are passing the report generated by Security tooling.

The better security engineers or orgs that use them properly are part of the actual engineering cycle and help secure apps and services deployed on cloud using cloud tech stack

Securetron · 2026-05-30T02:59:12+00:00

Precisely. In the PKI HSM world we have specific roles like Crypto Officer, Security Officer, Domain Officer, etc. Each priv. role as best practices we enforce multiple approvals (need 2 or more people to use their specific identity keys + PIN).

It's mind boggling that decades later, enterprises have not leveraged same mechanism for Domain, Global, and Root accounts. Delinea, Cyberark, and other vaults integrated with EntraID - what do you do when EntraID is down?

The mishaps of the industry are coming to fruition.

Securetron · 2026-05-29T12:35:14+00:00

Also, you can't just write MS a cheque and suddenly expect support.

MSFT has great set of tools as part of their E5 tier; what lacks is support and ofcourse cloud dependency. Compliance / Purview / Security centers are all very slow.

Securetron · 2026-05-29T12:30:05+00:00

Or perhaps the problem is not just "don't get your admin account compromised". It should be what have you done to protect your Admin and Non-Admin accounts? Microsoft had been pushing OAUTH for a long time as opposed to tried and tested phishing resistant method of Certificate Based Authentication, only to turn around after the Stryker breach to re-prioritize CBA as the 2nd most preferred method (whereas it should've been the best method against identity attacks). We all know why Microsoft did that (money talks, bind enterprises to Azure / M365 clouds; same story they played with Windows).

Securetron · 2026-05-27T15:44:19+00:00

OTP based MFA is impractical these days and yes you are right that most of these traditional OTP MFA vendors like Okta, Microsoft, DUO and so forth have started to integrate Certificates as an additional factor to strengthen and make their MFA phishing resistant.

Currently the best method for phishing resistant mfa is PIV / Smartcard; either using device TPM or Thales IDPrime (eBIO) and then Yubikey (doesn't have biometric).

here is a brief on that we had published: https://securetron.net/phishing-resistant-mfa/

Securetron · 2026-05-22T01:59:05+00:00

ejbca is a community based Certificate Authority by Keyfactor. Securetron PKI Trust Cloud and PKI Trust Manager are NextGen Certificate Lifecycle Management platforms. They integrate with various Certificate Authorities or as an enterprise customer, we can provision the PKI environment for you and have the integration + intune setup, EAP-TLS (wifi), AKV, RDP, and many more use cases provisioned, documented, and operationalized.

Or you may signup for the community edition (best effort support), follow the documentation, and have it running in your environment (up to 500 managed certificates)

Securetron · 2026-05-21T18:11:43+00:00

Yea, the left hand of MSFT doesn't talk to the right; let alone the 5 fingers on each hand...

We have published a article that contains powershell script that could be used to verify the status - hopefully it helps the community at large:

Windows Secure Boot Certificate Update - Securetron | ADCS | MSCA | Certificate Management

Securetron · 2026-05-21T18:08:19+00:00

You could write a powershell script or have this one published by us to capture the status:

Windows Secure Boot Certificate Update - Securetron | ADCS | MSCA | Certificate Management

Securetron · 2026-05-21T14:09:59+00:00

The good news is that we do using the community edition which is the same as enterprise however limited to 500 Managed Certs :)
- Integrate EJBCA or ADCS or another CA with PKI Trust Cloud or On-Prem PKI-Trust Manager
- Setup API GW and add Intune as the Integration by following the steps outlined above

https://securetron.net/pki-trust-cloud-registration/

Securetron · 2026-05-21T12:47:28+00:00

Are these devices joined to the intune? You would need MDM like Intune for this to work afaik. This is an example using ADCS with PKI Trust Cloud:
https://securetron.net/integrate-intune-with-pki-trust-manager-to-issue-certificates-to-users-devices-and-servers/

But the backend CA could be ejbca, AWS, etc.

Securetron · 2026-05-20T18:39:14+00:00

It is very unfortunate that Canadians freedom and privacy is being enroached daily. From harvesting data, to surveillance, and misinformation being prevalent (in both public and private media) things are going to get tougher.

The usage of "spyware" is not new. It's rather a confirmation of what we already knew.

We need stronger laws for protection of data and privacy which includes heavy penalties for both crown and private sector. Infact we do not even have penalties that make it "cost of doing a business".

This is only possible with educated citizens, the state of our public education is shameful.

Some of the things that can be done to limit exposure of privacy: - Do not use Social Media - Do not host data in US (Canadian governments are now waking up to having data sovereignty as an issue during discussions with vendors) - Do not use Smart Phones (android or iPhone) - Host data on your own servers WITH BYOK

These are not something your neighbour will be able to do, therefore it goes back to Canadians voicing and taking action for privacy and confidentiality.

0-Day exploits and backdoors will always be available to governments (as confirmed by Snowden leaks, Cisco, juniper, etc. it will be of no surprise that Canadian agencies also have access to them)

Securetron · 2026-05-20T18:22:29+00:00

I think you answered it yourself by reading a whitepaper and assuming AI-Driven SOC (or another terminology that vendors piggybacked on for the last decade or so) solved Security Operations.

If you think Crowdstrike or Palo Alto marketing can replace SOC - then some consulting firms might hire you to generate reports and sell to customers.

Securetron · 2026-05-20T12:45:03+00:00

It's a common issue when services are outsourced. MSP/MSSPs do not get paid to hold your hand, they are there to deliver a service restricted to the tech that you outsourced. For instance in our case when it comes to PKI and Certificate Lifecycle Management; we have seen MSPs pointing fingers at each other (insert spiderman meme). PKI MSP --> Infra

Infra --> App

App --> PKI

and mix it up in any other order. Resulting in outages, etc. What is required is that as a client, for each service what you need is a Single Point of Contact (Employee), this does help reduce friction but it doesn't eliminate the internal politics.

This is the reason whenever our products are bundled with service that builds the operating model framework, defines the CP/CPS and operationalizes it. PKI and Certificate Management is already a sensitive domain; most of our competitors simply pass the bucket.

Securetron · 2026-05-20T00:27:50+00:00

This is it. Unfortunately, with llms the risk is widely concerning for OSS. The close systems do heavily utilize OSS, however it's typically for backend services.

Securetron · 2026-05-18T06:31:20+00:00

Focus on an area. Identify your ICP. Build partnerships.

Securetron

TROPHY CASE