Forum Discussion

Perschall2022's avatar
9 days ago

Need help with prelogin Intune deployment

Hello, 

I need to understand how to get prelogin to work for my environment so users can sign in when off of the network. 

We are deploying devices from intune using the enrollment status page. So it gets deployed to them, they turn it on and it autopilots from there. 

  1. The cato sdp client is being deployed with patchmypc and has a script in place with that for the required registry keys. 
  2. The certificates are being deployed inside of a win32 intune win file with a script to install the certificate. 

Script for the certificate: yes it is password protected pfx file. (We do not have a certificate authority. (This did work for prelogin on my device.)

Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My

All of this was successfully installed, what could I be missing? 

The certificate is an SSL certificate and I confirmed that it worked prior to the autopilot on my personal work computer without autopiloting it. 

DOES ANYONE HAVE ADVICE OR SUGGESTIONS ON HOW TO SETUP THE INTUNE AUTOPILOT PROFILE, ENROLLMENT STATUS PAGE, OR ANY OF THE ABOVE TO MAKE THIS WORK? WHETHER IT IS DEPLOYING THE CERT A DIFFERENT WAY OR DEPLOYING THE CERTIFICATE WITH THE CATO CLIENT APPLICATION INSTALL. 

Thanks, 

  • I just want to echo Erwin's response regarding installing the certificate for Pre-Login in the LocalMachine store, not the store of the CurrentUser.

    Because Pre-Login is authenticating the machine (specifically not a logged-in user), the Client looks in the LocalMachine store for certificates matching the signing certificate uploaded in CMA.

  • Hi,

    We have hybrid domain join working with Intune AutoPilot. This configuration includes a Certificate Authority and we deploy certificates from that CA to newly deployed devices using NDES and SCEP. We recently moved from the Windows-based Always-On VPN client to the Cato SDP Client. We just leveraged the existing setup and it works like a charm. No user interaction is needed for deployment and domain joins, etc. So, this is where I'm coming from. 

    Anyway, some things that might be useful to you:

    • We're storing the certificate in the Cert:\LocalMachine\My store, because we use device based connections. But I guess you want user based authentication, so Cert:\CurrentUser\My should be fine.
    • Make sure that the .pfx / PKCS#12 certificate is trusted -> This is important. Which service signed the cert? 
    • If you need access to any on-prem resources, make sure you have those configured in Access / Client Access / Pre Login. If you are doing a hybrid domain join, you need at least a line-of-sight to your domain controllers.
    • In the Registry, add PreLogin = 1 as a DWORD and your subdomain as a STRING. You only need your Cato subdomain, no need to add ".via.catonetworks.com". 
    • The only modification we've made to our ESP is that the Cato client has to be installed before the device can be used. The required Registry keys are deployed using the Intune Platform Scripts feature.
    • We haven't made any changes to your deployment profiles. 


    I don't know enough about your environment, so I assumed a few things. ;-) 

    Hope this helps. 

    Regards,

    Erwin G.