วีดีโอ

I really enjoyed watching this video, thanks for sharing.

Awesome!!

Great discussion. Thanks for sharing your knowledge and experiences Brian. I hope to see the new book someday. Enjoy your retirement!

Great, Presentation . I have implemented my company PKI in 2013.

Awesome!

Great content! Would love a post launch follow up video re-exploring MS Cloud PKI.

What would be the process or command to renew the root ca cert from a windows core server?

Interesting video. One thing I'm surprised he didn't touch on during the discussion about HTTP vs LDAP CRL publication is about how when using LDAP, the CA role service by default assumes a lot of things about the path it should use. That's great until you have to change anything, such as rebuild your CA or go through a naming scheme restructure (domain or server name). I prefer to use HTTP for CRLs - it forces you to pick a (hopefully static) FQDN and pattern to publish your CRLs too which will work long-term. LDAP is fine for some use cases, but I like using HTTP.

It's interesting why you compare Intune PKI only with NDES used for Intune which is required to be exposed to the internet and not the PFX connector which eliminates this requirement, very simple to implement and secure (knowing the keys are generated on the PFX connector and not on the device) .

Thanks for recording this. You brought clarity to quite a few concepts that I only dimmly understood.

Hyper-V is AWESOME.

The main idea is that you should replace all authentication certificates with new OID till November 14. Don't understand why April 11 is mentioned as deadline. April 11 affects only certificates which predates accounts, which should be very rare case. Of course it is better not wait for November 14 and migrate to full enforcement as fast as possible, but real deadline is November 14.

The fallout of the Absuing Active Directory Certificate Services whitepaper still continues to amaze.

😩 "promosm".

Thanks for posting this. Very good info

I know you qualified your statement about not needing to revoke, but I thought I would chime in here. A lot of Certificate Policies that I have written, and others that I have read, mandate that end-entity certificates need to be revoke-able over their lifespan. Extending the lifespan of the CRL to match the expiration of a CA effectively removes that capability, and would place my former customers in violation of their own certificate policies. For that reason, I always push back on the very common request to "extend the lifespan" of a given CRL. Just my .02cents. Love these videos BTW.

excellent tip

I am new to the PKI stuff, and I was watching you other videos. Then I found this, wow. I have not been required to "pre-test" my AD stuff, as most of the things are easy to setup and/or correct (think GPOs). But this automated lab is a game changer for PKI education. You note the documentation is really great, but your video actually helped me trough a couple of blind spots. Thanks you!

Great video and voice over

Can you also script sub-OUs? In the videos I only see one level OUs.

Great video!!! Question... What happens with the lab after 90 days? Do we have to go thru the process of scrapping and restarting a new environment?

This was a great video! Thank you David and keep up the amazing work!

This software is underrated. 100% of the clients I know, could benefit from this software, and the practices it seeks to automate. Nice job.

This is a great ps module, thank you guys. I have utilised this today in a script with a few logic gates to ultimately spit an email out to the ticket system if a cert is expiring within 30 days. It will only do it once based on a txt file which it outputs on first time a cert expires, as subsequent runs of the script polls the directory for the text file of the cert; txt file present = don't send another email. All txt files are purged after last write time older than 30 days, therefore next year's expiry will get picked up. Be happy to show you guys if you're interested!

Excellent coverage of checking PKI health. Where’s Brian Roma?

Question: is enabling Directory Browsing mandatory for the ‘PKI’ site? I’ve gotten some flack for that. Thoughts?

Nice Demo! I've always done the 'click through' with the GUI. Will have to try the command line method in my lab. Also, looking for the script you used for the install - can you please post it? Thanks!!!

Was just discussing this with MSFT a week or two ago. The behavior of certificates specifically with WHfB works in unique ways that ended up causing a deep-dive in this realm. Would love to see some videos around PKI with WHfB. This is a pain-point with many orgs right now. Thanks for walking through detail MSFT seems to not want to document!

Is there any standard KPI metric followed in certificate management, PKi infra

Wow, Im your first like! Mark, you haven't responded to my email yet......:(

25 cert limit in Azure AD. The only way we found to fix this issue is to remove all certs from the user's on-prem AD and allow new certs to publish to AD with credential roaming set on a few users at a time. It's a nightmare painful scenario.

Yet another great segment! Just one ‘ask’ … can you include the certutil commands that you used in the description? Thanks!

Repeatedly building lab infrastructure manually has been very time-consuming for me, and I have been looking for a way to automate it. This is going to be great. Thanks for the video.

Do you still have SHA1 CAs in your environment?

Great primer for an “offline” root CA! Looking forward to intermediate CAs. Thanks.

Just completed the Autolab setup on a Windows 10 Pro PC. Looking forward to more Autolab videos to do PKI!

Hey Brian ... I can't get passed doing the 'setup-lab' ... getting errors in PowerShell ... At C:\AutoLab\Configurations\MultiRole-Server-2016\VMConfiguration.ps1:23 chr:5 Import-DSCresource -moduleName @{ModuleName = "PSDisredStateConf ... Could not find the module '<xPendingReboot, 0.4.0.0>'. At C:\AutoLab\configurations\MultiRole-Server-2016\VMConfiguration.ps1:414 char:9 xAdcsCertificationAuthority ADCSConfig Any advice to fix this?

What Windows Server Operating System are you focused on as you test in your lab?

Thank you Jake, Mark, Vadims and Brian for addressing the WHfB question. I had to tune into the recording to catch it. Cheers!

I didn't realize that text in my second capture session was going to be this small. I will make sure text is bigger for next episode! Here are a list of paths and commands with time codes in case you can't read the screen: 8:27 Config files are found under Autolab\Configurations 8:36 PowerShell command is Setup-Lab 10:39 PowerShell command is Run-Lab 11:35 PowerShell command is Enable-Internet 12:00 PowerShell command is Validate-Lab 12:42 PowerShell command is Invoke-Pester .\vmvalidate.test.ps1 13:58 Some system variables (like passwords) are configured in the VMConfigurationData.ps1 file 15:12 PowerShell command is Get-WindowsCapability Name RSAT* -Online | Add-WindowsCapability -Online

Hi Brian , can this module run on Windows 10 Home edition?

With what virtualization solution do you prefer to use to build your lab?