06-18-2024 11:58 AM
Hi,
Our customer wants to integrate Cisco ISE with Azure AD, and they want to use AutoPilot to autoprovision the computers. But how can we authenticate and authorize a computer that doesn't have anything?
If we integrate with Intune, will this work?
Environment:
Two nodes ISE 3.3 Patch 2
Regards
06-18-2024 12:45 PM
Hello Leonardo, if you are going to authenticate laptops that don't have absolutely any configuration and don't have credentials to present or a supplicant configured, I would recommend you configure on ISE a policy set that catches all the authentication attempts from the SSIDs/switches that these laptops are connected to via MAB, and push an ACL so the endpoints only get access to the domain controllers or the servers that you use to provision them. Once they are able to present their credentials or certificate with the help of a supplicant, you can authenticate them using an external identity source like Azure AD.
Here you have an example of EAP TLS authentication using Azure:
Regarding the Intune integration, as long as ISE can validate that the devices are compliant in Intune, you could use this in your authorization policies for the devices that are allowed to connect without a supplicant configured.
06-18-2024 12:54 PM
Hi Dalbanil,
Thanks for your answer.
Will the integration with Intune allow us to create rules based on the device registered in Intune? Because our customer wants to deploy AutoPilot for the computers. When a new computer arrives it doesn't have the certificate and GPO; will ISE allow this device to enter the network? Will the Intune integration solve this question?
06-18-2024 03:47 PM - edited 06-18-2024 04:25 PM
@Leonardo Santana, the AutoPilot registration and Intune registration are separate things. When an AutoPilot registered device is received by a user, they would need to connect it to the network to complete the build/installation. This would require network connectivity to internet-based systems like Entra ID and Intune.
In this initial phase, the device would have no certificate and would not yet be enrolled with Intune, so ISE would have nothing to use for authentication and nothing to identify it as a Corporate-owned device. You would likely need to look at options like the following for this initial connectivity.
Once the Intune enrolment is complete and the device has a certificate enrolled with the GUID, the user could connect to the secure Wired/Wireless corporate networks.
Ideally, MS would add some method to connect to an 802.1x secured network during the initial stages, but they never even implemented that in traditional builds using SCCM, so I won't hold my breath for that.
06-18-2024 03:57 PM
Hi Greg, thanks for your answer. It was very valuable to me.
I'll try these options for the initial connectivity.
Intune is for posture purposes right?
06-18-2024 04:24 PM
@Leonardo Santana... yes, the Intune integration with ISE would be used to perform Intune MDM registration/compliance checks against the device/user sessions as a condition for Authorization.
For more information, you might be interested in the webinar I delivered on ISE Integration with Intune MDM
11-26-2024 03:43 AM - edited 11-26-2024 03:57 AM
@Leonardo Santana - Can I ask how your implementation went? I am doing a similar implementation for wireless NAC with the NAC API using Intune. I will be using machine certificates which are issued by Intune for auth. I want to know how the new machine will connect to the SSID if it's not already enrolled in Intune. Does introducing a new SSID for this purpose make sense?
@Greg Gibbs I intend to use the existing machine cert which has the CN as a match field for NAC, but we don't have control over this certificate as it's issued by Intune, so if there are changes in future to the certificate, will that impact our match criteria? Do I even need to worry about that, since management of the certificates lies with Microsoft?
11-26-2024 01:38 PM
If there are changes to the device/user certificate that result in a change to attributes you are using as matching conditions (e.g. Issuer, Subject, etc) in your ISE policies, then it will impact how the rules are matched for that session.
There would need to be collaboration between the teams managing ISE and those managing Intune to ensure the requirements and dependencies are understood.
11-27-2024 03:06 AM
Thanks very much for responding. This is exactly where I am stuck at the moment. We intend to use the CN field, which is the device identifier in Intune, also called the GUID. However, we have no control over the cert management as it is issued by Intune. So even if there are changes done by Microsoft, the GUID shall remain the same. But this is my guess. I think only Microsoft can clarify this.
Because if Microsoft are saying the NAC API with Intune will work without using a PKI/CA, then I am wondering what that is if it's not the machine certs.
https://learn.microsoft.com/en-us/mem/intune/protect/network-access-control-integrate
So I believe a POC can make this clear. Do these points make sense?
11-27-2024 06:38 PM
When using the GUID option to perform registration/compliance lookups against Intune, the GUID (Intune Hardware ID) must be presented to ISE in the certificate. This requires Intune integrated with a PKI of some kind so it can include the GUID in the certificate request. Without the certificate and GUID, the only option would be using MAC address based lookups against Intune, which has its own challenges (docks/dongles, randomized MAC addresses, etc).
You might see my blog here for more info as well as a link to the Webinar I delivered on ISE integration with Intune.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635
11-28-2024 02:59 AM - edited 11-28-2024 03:04 AM
Thank you, much appreciated. However, the question remains: we have the CN as the Intune device ID. In your article it is ending with 8d70, which is GUID = Intune device ID, and it is the CN in my case. So when I check my certificate I have a CN which is the same as the Intune device ID when I check in my Intune. So can I just use this on ISE for auth? The documentation suggests that I need to enter CN+GUID. But then all the documentation I see uses only one ID, whether they call it Intune device ID or GUID or CN, and that applies to your article as well; it is ending with 8d70 in your article. So this is where I am still unclear.
For the certificate issued by the "Microsoft Intune MDM Device CA" the subject field contains the Intune device GUID in the form "CN = xxxxxxxx-yyyy-yyyy-yyyy-xxxxxxxxxxxx". Can this certificate be used for compliance checking against Intune, or does the CN field need to be in a specific format which can only be achieved by a custom certificate deployment?
11-28-2024 01:07 PM
As illustrated as an example in my blog and stated in the Integrate MDM and UEM Servers with Cisco ISE document linked there, the GUID must be presented in the following format in either the CN or SAN URI field for ISE to parse it correctly and use it as the identity to check against the MS Compliance Retrieval API for registration/compliance status.
ID:Microsoft Endpoint Manager:GUID:{{DeviceId}}
Having the bare Intune Hardware ID in the CN field is not enough.
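The distinction Greg draws above (a bare GUID in the CN versus the full `ID:Microsoft Endpoint Manager:GUID:{{DeviceId}}` string) is easy to check before a certificate template is rolled out. The following is an added example, not code from the thread, from Cisco or from Microsoft: it takes the subject CN and SAN URI values of a certificate as plain strings and reports whether any of them carries the GUID in the format quoted in the post. The identity format is taken literally from the post; the assumption that ISE requires an exact prefix match and a standard 8-4-4-4-12 hex GUID is mine, and the GUID values in the sample inputs are constructed, not real device IDs.

```python
import re
from typing import Optional

# A GUID / Intune device ID in the usual 8-4-4-4-12 hexadecimal layout.
GUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# The identity string quoted in the thread, with {{DeviceId}} replaced by the GUID.
# Assumption (not stated on the page): ISE needs the exact prefix, nothing before or after.
ISE_INTUNE_ID_RE = re.compile(r"^ID:Microsoft Endpoint Manager:GUID:(" + GUID_RE + r")$")

BARE_GUID_RE = re.compile(r"^" + GUID_RE + r"$")


def extract_intune_guid(value: str) -> Optional[str]:
    """Return the lower-cased GUID if `value` is in the ISE-parsable format, else None."""
    match = ISE_INTUNE_ID_RE.match(value.strip())
    return match.group(1).lower() if match else None


def classify_certificate_identity(subject_cn: Optional[str], san_uris: list) -> dict:
    """Inspect the CN first, then each SAN URI, and report which field ISE could use.

    Returns a dict with:
      usable   - True if some field carries the full ID:...:GUID:<guid> string
      source   - "CN" or "SAN URI", whichever matched first
      guid     - the extracted GUID (lower-cased) or None
      warnings - fields that hold only a bare GUID, which ISE cannot use for the lookup
    """
    result = {"usable": False, "source": None, "guid": None, "warnings": []}
    candidates = [("CN", subject_cn)] + [("SAN URI", uri) for uri in san_uris]
    for field, value in candidates:
        if not value:
            continue
        guid = extract_intune_guid(value)
        if guid:
            result.update(usable=True, source=field, guid=guid)
            return result
        if BARE_GUID_RE.match(value.strip()):
            # This is the situation described in the thread: the Intune MDM Device CA
            # certificate puts only the device GUID in the CN.
            result["warnings"].append(
                f"{field} carries a bare GUID; ISE cannot use it for the Intune lookup"
            )
    return result


if __name__ == "__main__":
    # Constructed sample values, labelled as such; not real device IDs.
    mdm_ca_style_cn = "11111111-2222-3333-4444-555555555555"
    custom_template_san = "ID:Microsoft Endpoint Manager:GUID:11111111-2222-3333-4444-555555555555"

    print(classify_certificate_identity(mdm_ca_style_cn, []))
    print(classify_certificate_identity(mdm_ca_style_cn, [custom_template_san]))
```

Run against the two constructed cases, the first call reports the bare-CN certificate as unusable with a warning, and the second finds the GUID in the SAN URI, which mirrors the point that the Intune MDM Device CA certificate alone does not give ISE an identity it can send to the Compliance Retrieval API.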
11-29-2024 04:09 AM - edited 12-02-2024 02:26 AM
Ok that makes sense. Thanks very much.