Strong Certificate Mapping for Intune PKCS and SCEP Certificates


With the October 2024 Intune update, Microsoft introduced support for strong certificate mapping for certificates issued by Intune via the Intune Certificate Connector. Enabling strong certificate mapping support in Intune is an important change for those organizations using Microsoft Intune to issue and manage certificates for their users and devices, as it resolves a critical implementation blocker.

Note: This post was updated to clarify that adding the {{OnPremisesSecurityIdentifier}} for PKCS certificates is not required. This variable is only used for SCEP certificates.

Background

In May 2022, Microsoft released security update KB5014754, which added functionality to domain controllers and enterprise issuing certification authority (CA) servers, allowing the Kerberos Key Distribution Center (KDC) to enforce strong certificate mapping. Specifically, with KB5014754 installed, issuing CAs now add the requesting principal’s Security Identifier (SID) to the certificate in a new certificate extension. Domain controllers can be configured to reject authentication requests using certificates that do not include this information.

Today, DCs with KB5014754 installed still accept certificates that are not strongly mapped (Compatibility mode). Microsoft has stated that the February 2025 security update will move DCs to Full Enforcement mode, with a registry setting available to revert to Compatibility mode. Starting with the September 2025 update, that registry override will be removed and full enforcement will be mandatory.

Reference: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Limitation

The initial changes in KB5014754 applied only to online certificate templates, meaning those that build the subject name from Active Directory. However, deploying certificates with Intune using either PKCS or SCEP requires an offline certificate template, one that allows the requester to supply the subject name in the request. With an offline template the CA still issues the certificate, but because it never looks up the requester in Active Directory it cannot embed the SID. Until now, this left organizations moving to modern management with Intune and Entra ID without a supported way to issue strongly mapped certificates.

Intune Changes

The October 2024 Intune update addresses this limitation by providing a method to include SID information in certificates using either SCEP or PKCS.

SCEP

To include the SID information in SCEP certificates, create or edit an existing SCEP device configuration policy and define a URI Subject Alternative Name (SAN) attribute with the value {{OnPremisesSecurityIdentifier}} as shown here.

PKCS

To include SID information in PKCS certificates, administrators must ensure the Intune Certificate Connector is updated to at least version 6.2406.0.1001. In addition, a registry setting must be enabled on the Intune Certificate Connector server.

On the server where the Intune Certificate Connector is installed, open the registry editor, navigate to HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector, and change the value of EnableSidSecurityExtension to 1.

Optionally, administrators can update this setting at the command line by running the following PowerShell command.

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector' -Name EnableSidSecurityExtension -Value 1 -Force

Once complete, restart the Intune Certificate Connector server for the changes to take effect.
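The following script is an added example (not code from the original post or from Microsoft) that performs the PKCS steps above end to end on the connector server: it checks the installed connector version against the 6.2406.0.1001 minimum, creates the registry key if it is missing, writes the value as a REG_DWORD and reads it back before telling you to restart. The uninstall-key lookup and the display name "Certificate Connector for Microsoft Intune" are assumptions made for this example; the registry path and value name are the ones given in the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session
# on the Intune Certificate Connector server.

$MinimumVersion = [version]'6.2406.0.1001'
$KeyPath        = 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector'
$ValueName      = 'EnableSidSecurityExtension'

# Prerequisite check: look up the connector in the standard Uninstall keys.
# The DisplayName match below is an assumption; adjust if your connector is listed differently.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$connector = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Certificate Connector for Microsoft Intune*' } |
    Select-Object -First 1

if (-not $connector) {
    Write-Warning 'Intune Certificate Connector not found in Uninstall keys; verify the version manually.'
} elseif ([version]$connector.DisplayVersion -lt $MinimumVersion) {
    throw "Connector version $($connector.DisplayVersion) is older than $MinimumVersion; update it before enabling the SID extension."
} else {
    Write-Host "Connector version $($connector.DisplayVersion) meets the minimum of $MinimumVersion."
}

# Create the key if it does not exist (Set-ItemProperty fails on a missing key).
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Record the current value so the change can be audited or reverted.
$before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Host ("{0} before: {1}" -f $ValueName, $(if ($null -eq $before) { '<not set>' } else { $before }))

# Write the value explicitly as REG_DWORD (type is an assumption; a bare -Value 1 also creates a DWORD).
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord -Force

# Read it back; fail loudly rather than assume the write succeeded.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne 1) {
    throw "Failed to set $ValueName; current value is '$after'."
}
Write-Host "$ValueName is now $after. Restart this server for the connector to pick up the change."
```

The version check fails closed: if the connector is older than the minimum, the script stops before touching the registry, since enabling the value on an older connector does nothing useful and can mislead you into thinking new PKCS certificates are strongly mapped when they are not.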

Certificates

SID information is added to certificates differently depending on which Intune device configuration policy type is used.

PKCS

PKCS certificates have the SID embedded in the certificate extension 1.3.6.1.4.1.311.25.2, as shown here.

SCEP

SCEP certificates have the SID embedded in the Subject Alternative Name (SAN) field in the format “tag:microsoft.com,2022-09-14:sid:<SID>” as shown here.

Migration

When you make these changes in an existing Intune PKCS or SCEP configuration policy, only certificates issued after the change will carry the SID; certificates already on endpoints are not reissued. To update all certificate holders, create and deploy a new device configuration policy to the targeted users or devices. Deleting the old profile (or ensuring it no longer applies) removes the old certificate from the endpoint, and if your Intune Certificate Connector is configured to support revocation, the old certificate is also revoked.
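To verify what the "Certificates" section describes, and to find the pre-change certificates the migration step needs to replace, the following added example (my code, not part of the original post) inspects a certificate store and reports, for each certificate, whether it carries a SID in the 1.3.6.1.4.1.311.25.2 extension (PKCS), in a SAN URI of the form tag:microsoft.com,2022-09-14:sid:<SID> (SCEP), or in neither. The function names, the store path, and the decision to extract the SID by pattern-matching the ASCII string inside the extension (rather than fully decoding the ASN.1) are this example's choices, as is the assumed domain-SID shape S-1-5-21-x-y-z-RID.

```powershell
# Added example, not from the original post. Works against any X509Certificate2,
# so it can be pointed at Cert:\CurrentUser\My (user certs) or Cert:\LocalMachine\My (device certs).

function Get-CertificateSid {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Assumed shape of a domain account SID; built-in/well-known SIDs are not mapped this way.
    $sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'

    # PKCS path: szOID_NTDS_CA_SECURITY_EXT carries the SID as an ASCII string inside an OCTET STRING,
    # so decoding the raw extension bytes as ASCII and matching the pattern recovers it.
    $sidExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }
    if ($sidExt) {
        $text = [System.Text.Encoding]::ASCII.GetString($sidExt.RawData)
        if ($text -match $sidPattern) {
            return [pscustomobject]@{ Sid = $Matches[0]; Source = 'SidExtension' }
        }
    }

    # SCEP path: the SID is a URI entry in the Subject Alternative Name (OID 2.5.29.17).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $text = $san.Format($false)   # single-line rendering, e.g. "URL=tag:microsoft.com,2022-09-14:sid:S-1-5-21-..."
        if ($text -match "tag:microsoft\.com,2022-09-14:sid:($sidPattern)") {
            return [pscustomobject]@{ Sid = $Matches[1]; Source = 'SanUri' }
        }
    }

    return [pscustomobject]@{ Sid = $null; Source = 'None' }
}

function Get-StoreCertificateSidReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [string]$ExpectedSid   # optional: the SID the certificate is supposed to map to
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $r = Get-CertificateSid -Certificate $_
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Source     = $r.Source
            Sid        = $r.Sid
            # Strongly mapped only if a SID is present and, when an expected SID is given, it matches.
            # A present-but-wrong SID is worse than none: the DC will reject it under enforcement.
            StrongMap  = ($null -ne $r.Sid) -and (-not $ExpectedSid -or $r.Sid -eq $ExpectedSid)
        }
    }
}

# Usage: check the logged-on user's certificates against that user's own SID.
# Rows with Source = None are pre-change issuances that the new profile must replace.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-StoreCertificateSidReport -StorePath 'Cert:\CurrentUser\My' -ExpectedSid $me |
    Sort-Object StrongMap, NotAfter |
    Format-Table Subject, Source, Sid, StrongMap, NotAfter -AutoSize
```

For device certificates, run the same report against Cert:\LocalMachine\My from an elevated session and pass the computer account's SID as -ExpectedSid (obtain it from Active Directory, for example from the computer object's objectSid attribute); the domain SID prefix is shared by user and computer accounts, so the pattern match works unchanged. Certificates issued to endpoints that have no account in AD (the Android dedicated-device case raised in the comments) will always report Source = None, because there is no SID for Intune to embed.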

Entra Conditional Access

Entra Conditional Access certificates have included SID information since July 2023. More details here.

Intune Cloud PKI

The changes above will also work with certificates issued by Cloud PKI for Intune.

Other Cloud PKI Providers

Many other Cloud PKI providers, such as SCEPman and KEYTOS, already include the embedded SID in their certificates. Other cloud PKI providers may also include embedded SID. Consult your provider to confirm.

Additional Information

Microsoft Intune October 2024 Strong Certificate Mapping Update

Microsoft Intune Certificate Connector Strong Certificate Mapping Update for PKCS

Entra ID Conditional Access Certificates with SID Information Now Available

Implementing Strong Certificate Mapping in Microsoft Intune PKCS and SCEP Certificates

Certificate-Based Authentication Changes and Always On VPN


20 Comments

  1. James

     /  November 4, 2024

    Many thanks, as always! I was waiting for this to become available 🙂

  2. James

     /  November 4, 2024

    I assume that the UPN is still required in the certificate SAN for Always On VPN? I removed it to see what happens just with the SID and now it fails to connect.

  3. jones1337

     /  November 4, 2024

    Great find and a very important one. So if I read the blog post correctly, there is no need to edit the actual Certificate Template?

    • No changes are required to the certificate template in AD. For SCEP policies you must add the {{OnPremisesSecurityIdentifier}} value and for PKCS you just have to add the registry key on the Intune Certificate Connector server and reboot. 🙂

  4. Chris112

     /  November 5, 2024

    I am getting the below error when attempting to add the URI attribute with value {{OnPremisesSecurityIdentifier}}. Anyone else seeing this? Our Intune tenancy says it is version 2410.

    A value is required for Value. Value can include allowed variables combined with static text. UPN and Email address should include an @, for example: “{{AAD_Device_ID}}@contoso.com”. DNS cannot end with a symbol or contain an @ sign, e.g. “{{DeviceName}}.contoso.com“ or “{{DeviceName}}”. See support variables here: https://go.microsoft.com/fwlink/?linkid=2104597

    • Are you adding this to a PKCS or SCEP policy? FYI, {{OnPremisesSecurityIdentifier}} is only supported on SCEP policies. You’ll see this error if you try to add it to a PKCS policy.

      • Chris112

         /  November 5, 2024

        Thank you for the prompt response Richard. I was indeed trying to add it to a PKCS policy as I had missed that PKCS only needed the registry entry on the Intune certificate connector server.

      • I’ll post something on this because I’m sure you won’t be the only person that tries this. 🙂

  5. Mo

     /  February 2, 2025

    Hi Richard,
    Could you please advise if this applies to certs issued by an on-prem Certification Authority for Always On VPN where the Intune Certificate Connector is not configured.

    • No changes are required on-premises to support strong certificate mapping. As long as you have the May 2022 security update installed your CA will issue certificates that are strongly mapped. However, this only applies to online templates, those that build their subject name from AD. Strong mapping is not automatically configured for offline templates, those that build the subject name from AD.

      • My Seoulace

         /  April 21, 2025

        Hello,

        We have implemented the change (update to version 6.2406.0.1001, add the registry key, and server restart) on our Intune Connector Server.

        However, when checking the new certificates provided by our CA it doesn’t include the extension 1.3.6.1.4.1.311.25.2.

        Do you have idea on what might be missing?

        Thanks.

      • Is this for a user or device certificate?

      • My Seoulace

         /  April 22, 2025

        This is for Android dedicated devices.

        We use UPN of a user in AD as a SAN and DeviceID for the Subject Name Format.

      • Ok, good to know. Since your Android device doesn’t have an account in AD it won’t have a SID available for mapping. This option is only for domain-joined endpoints.

      • Seoulace

         /  April 22, 2025

        Hello,

        The certificate is used by Android Dedicated (Handheld) devices wherein no users logged in.

        On the Intune PKCS configuration, we are using the details below.

        Subject alternative name – User Principal name (UPN) – user@
        Subject name format – CN={{DeviceID}}

  1. Intune Strong Certificate Mapping Error | Richard M. Hicks Consulting, Inc.
  2. PowerShell Script to Display User or Computer SID | Richard M. Hicks Consulting, Inc.
  3. Strong Certificate Mapping Error with PKCS | Richard M. Hicks Consulting, Inc.
  4. Always On VPN Authentication Failure After February 2025 Security Update | Richard M. Hicks Consulting, Inc.
