All posts in category HAADJ

Resolving PKCS Certificate Mapping Issues in Windows Autopilot Hybrid Join Deployments

Microsoft Windows Autopilot streamlines device provisioning through Intune, allowing IT administrators to preconfigure new Windows devices with minimal hands-on effort. However, when combined with Hybrid Entra Join and PKCS certificate deployment, specific challenges arise—particularly with certificate mapping and authentication.

Hybrid Entra Join

During autopilot provisioning, administrators may also choose to join the device to their on-premises Active Directory domain, a deployment model called Hybrid Entra join. Hybrid Entra join presents some unique challenges when using Autopilot to remotely provision devices. Specifically, the user must have connectivity to a domain controller to perform the first logon, as they do not have a user profile on the endpoint.

Device Tunnel

To support offline Hybrid Entra join during Autopilot provisioning, administrators can deploy the Always On VPN device tunnel to provide pre-logon connectivity to domain controllers. A device tunnel connection enables users to log on to their newly provisioned device remotely.

Requirements

The following prerequisites must be met to support the Always On VPN device tunnel.

  • The endpoint must be running Windows Enterprise edition.
  • An Always On VPN device tunnel profile must be assigned to the device.
  • A machine certificate must be deployed to the endpoint that includes the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).

Note: If you plan to use the subscription step-up upgrade from Windows Professional to Windows Enterprise, the device tunnel will not connect automatically after provisioning is complete, which prevents the user from logging in. More details and a workaround for this issue can be found here.

Strong Certificate Mapping

Microsoft knowledge base article KB5014754, released in May of 2022, introduced changes to domain controllers to require strong certificate mapping when using certificates to authenticate to Active Directory (AD). It was initially deployed in compatibility mode, only warning administrators when certificates are used for authentication that aren’t strongly mapped. However, full enforcement is mandatory beginning with the September 2025 security updates. This requirement introduces some challenges when issuing certificates to the device using PKCS during Autopilot provisioning.

Intune PKCS Certificates

When using PKCS certificates and the Intune Certificate Connector, the endpoint’s on-premises AD security identifier (SID) is not added to the issued certificate during Autopilot. Interestingly, this does not happen when using SCEP certificates. If the device certificate is not strongly mapped, the Always On VPN device tunnel will still authenticate successfully because Always On VPN does not use AD to authenticate device connections. Instead, Always On VPN simply verifies the certificate (e.g., that it is not expired or revoked) and allows authentication if the certificate passes the validation.

However, enterprise Wi-Fi access may fail without strongly mapped certificates if device authentication is required. Also, there may be other scenarios where a device authentication certificate without strong mapping may cause authentication to fail.

Workarounds

There are a few ways to work around this limitation. Consider the following options.

Native Entra ID Join

The simplest way to avoid the challenges of PKCS certificates and Hybrid Entra join is to avoid it altogether in favor of native Entra join. However, this may not be an option for everyone.

Use SCEP

For some reason, certificates issued with SCEP do not suffer from this limitation. In my testing, SCEP certificates are always strongly mapped. However, deploying SCEP certificates is much more complex than using PKCS. (Pro tip: Cloud PKI for Intune uses SCEP and requires no configuration! It’s definitely something to consider.)

Short-Lived Certificates

Another option is to deploy temporary, short-lived certificates (valid for only a few days) using PKCS to ensure the Always On VPN device tunnel works, and then deploy a permanent, long-term certificate post-deployment that includes the strong mapping. To do this, administrators can leverage dynamic group assignments in Intune. For example, the administrator can assign the short-lived certificate to an Autopilot Provisioning devices group and later assign a long-term certificate to the Hybrid Joined devices group.

Here’s an example of the dynamic group membership configuration.

Autopilot Provisioning Devices:

(device.devicePhysicalIDs -any (_ -contains “[ZTDId]”)) -and (device.deviceTrustType -ne “ServerAD”)

Hybrid Entra Join Devices:

(device.deviceTrustType -eq “ServerAD”)

In this configuration, the initial PKCS certificate is deployed without the strong mapping when the endpoint is enrolled to Autopilot but has not yet joined the domain. During this time, the endpoint will only be a member of the Autopilot Provisioning Devices group and will receive the short-lived, temporary certificate. Later, once the endpoint has successfully joined the domain, the device will move from the provisioning group to the Hybrid Entra Join Devices group. When this happens, a permanent, strongly mapped long-term certificate is enrolled on the device.

Manual Certificate Mapping

Certificates can be manually mapped via the altSecurityIdentities property of the computer object in AD. Obviously, this doesn’t scale well, so my good friend Steve Prentice published a PowerShell script to automate this process. You can find more details and the script here.

Summary

Windows Autopilot streamlines device provisioning with Intune, but Hybrid Entra Join introduces challenges when PKCS certificates lack strong mapping during initial deployment, potentially disrupting VPN and Wi-Fi authentication. Administrators can avoid this by switching to native Entra join or by using workarounds such as switching to SCEP, using short-lived certificates, or manually mapping certificates.

Additional Information

KB5014754 – Certificate-based authentication changes on Windows domain controllers

How To: Map a user to a certificate via all methods available in the altSecurityIdentities attribute

Hybrid Autopilot: Automating altSecurityIdentities

Configure Microsoft Entra hybrid join

Overview: Cloud PKI for Microsoft Intune

Leave a comment
by Richard M. Hicks on November 17, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, Autopilot, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, Cloud PKI, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, Entra ID, HAADJ, Hybrid Azure AD Join, Hybrid Entra ID Join, Hybrid Entra Join, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PFX Connector, PKCS, PKI, PowerShell, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, troubleshooting, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 17, 2025

https://directaccess.richardhicks.com/2025/11/17/resolving-pkcs-certificate-mapping-issues-in-windows-autopilot-hybrid-join-deployments/

Microsoft Security Service Edge Now Generally Available

A few weeks ago, Microsoft announced the general availability of its Security Service Edge (SSE) offering, Global Secure Access (GSA). GSA encompasses Entra Internet Access, a cloud-based Secure Web Gateway, and Entra Private Access, a Zero Trust Network Access (ZTNA) solution for accessing private data and applications on-premises.

ZTNA vs. VPN

Entra Private Access will be a compelling alternative to traditional VPN solutions such as Windows Always On VPN. Where traditional VPNs grant the endpoint an IP address on the internal network, Entra Private Access provides more granular access and does not require the device to be directly connected to the network.

GSA Client

Administrators must install the GSA client on all endpoints using Entra Internet Access or Entra Private Access. Today, the client is available for Windows and Android devices. iOS and macOS clients are forthcoming.

Private Network Connector

The Entra Private Access solution relies on the Entra Private Network Connector. The Entra Private Network Connector is a software component installed on-premises that provides remote access connectivity. Previously, it was called the Azure AD Application Proxy. Essentially, it is the same technology extended to support TCP and UDP network access in addition to HTTP.

Limitations

Entra Private Access is the way of the future for secure remote access. However, today, there are still some important limitations associated with this technology.

Private DNS

Although Microsoft announced general availability for Entra Private Access, it still lacks the private DNS feature many organizations require to provide feature parity with their existing VPN. This feature is still in private preview at the time of this writing. Hopefully, Microsoft will release this feature soon.

Device Connection

Entra Private Access does not support device-based connections. This limits its capabilities for domain-joined devices. If your organization uses hybrid Entra join today, consider sticking with Always On VPN until you move to native Entra joined endpoints.

Licensing

Global Secure Access (Entra Private Access and Entra Internet Access) are included in the Microsoft Entra Suite license. More information about Entra licensing can be found here.

Additional Information

Microsoft Global Secure Access Now Generally Available

Microsoft Entra Global Secure Access (GSA) Overview

Microsoft Entra Security Service Edge (SSE) on the RunAs Radio Podcast

Microsoft Entra Plans & Pricing

2 Comments
by Richard M. Hicks on August 6, 2024  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure AD, Azure AD Join, Azure App Proxy, Azure Application Proxy, cloud, Cloud Service, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Entra Private Network Connector, GSA, HAADJ, Hybrid Azure AD Join, Hybrid Entra ID Join, Hybrid Entra Join, InTune, MDM, MEM, MFA, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, Private Network Connector, Remote Access, Secure Access Service Edge, Secure Service Edge, Secure Web Gateway, Security, Security Service Edge, Uncategorized, VPN, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 6, 2024

https://directaccess.richardhicks.com/2024/08/06/microsoft-security-service-edge-now-generally-available/

Microsoft Intune Cloud PKI

Recently, Microsoft introduced the general availability of its new PKI-as-a-service solution called Microsoft Intune Cloud PKI. Cloud PKI allows administrators to issue and manage user and device authentication certificates for Intune-managed endpoints without deploying Active Directory Certificate Services (AD CS) on-premises. Cloud PKI frees administrators from the burdens of deploying and managing AD CS, including the complicated Network Device Enrollment Service (NDES) server configuration required for Simple Certificate Enrollment Protocol (SCEP) certificate deployment with Intune.

Advantages

Microsoft Intune Cloud PKI offers many significant advantages over traditional on-premises AD CS deployments.

No Infrastructure

The most obvious advantage of using Cloud PKI is that you do not have to deploy and manage your own Certification Authority (CA). Although implementing AD CS isn’t that difficult, managing and operating a CA infrastructure securely can be quite challenging. In addition, a high-security AD CS deployment utilizes hardware secure modules (HSMs) to protect CA private keys, which are quite expensive and sometimes difficult to support.

Cloud-Hosted SCEP

Removing the requirement to configure and deploy your own NDES server to support SCEP certificates is certainly a welcome advantage. NDES is notoriously difficult to configure, secure, and troubleshoot when it doesn’t work correctly. Cloud PKI includes cloud hosted SCEP services that are highly available and redundant within the Microsoft Azure infrastructure.

Automatic Revocation

Cloud PKI automates the deployment of certificates to Intune-managed users and devices and automatically revokes certificates when they fall out of scope. Administrators can also manually revoke certificates using the Intune management console.

Reporting

Administrators can easily view the status of Cloud PKI-issued certificates in Intune. The UI shows the active, expired, and revoked certificates for the issuing CA.

Clicking View all certificates shows a detailed list of all certificates.

BYOCA

Another compelling feature of Cloud PKI is Bring Your Own CA (BYOCA). This feature enables administrators to deploy a cloud-hosted CA that is chained to their existing on-premises AD CS root CA. This is helpful for scenarios where AD CS is already in place and used to issue and manage certificates to existing domain-joined clients and servers. BYOCA effectively allows you to extend your existing CA infrastructure to the cloud and use Cloud PKI to issue and manage certificates for your Intune-managed endpoints while maintaining the full functionality and feature set of on-premises AD CS for non-Intune-managed devices.

Limitations

Although there are many advantages to Cloud PKI, there are some limiting factors to consider.

RSA Only

Today, Cloud PKI is limited to RSA keys only. Administrators can create CAs using RSA 2048, 3072, or 4096-bit keys. Elliptic Curve (EC) keys are not currently supported in Cloud PKI.

Intune Devices Only

Cloud PKI is limited to issuing certificates to Intune-managed devices only. Endpoints must be Entra-joined, or hybrid Entra-joined to enroll for certificates using Cloud PKI.

Inflexible Configuration

The Cloud PKI root and issuing CAs cannot be reconfigured after deployment. Since Cloud PKI root and issuing CAs don’t support the Any Purpose EKU (2.5.29.37.0), all EKUs must be defined when the CA is created. If, in the future, an administrator requires an EKU that was not present when the CA was deployed, an entirely new hierarchy (root and issuing CA) must be deployed.

Cost

There’s been much discussion about the cost associated with Cloud PKI. Cloud PKI can be licensed as part of the Intune Suite, which is $10.00 per user per month. Cloud PKI licenses will also be available as a standalone add-on for $2.00 per user per month. For large organizations, this might be cost-prohibitive.

Summary

Overall, Microsoft Intune Cloud PKI is a welcome addition to the Microsoft suite of cloud services. Certificates are excellent phishing-resistant credentials that can be used to improve security for organizations of all sizes. However, managing a CA can be tedious and time-consuming. Leveraging the cloud for PKI and certificate management will be helpful in many scenarios. However, Cloud PKI has some potential drawbacks, and many may not fit everyone.

More Information

Want to learn more about Microsoft Intune Cloud PKI and how it can benefit your organization? Take the first step towards streamlined certificate management and enhanced security for your organization. Fill out the form below, and I’ll provide more information about using Intune Cloud PKI to safeguard your digital assets confidently.

Go back

Your message has been sent

6 Comments
by Richard M. Hicks on March 18, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, authentication, Azure, Azure Active Directory, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Cryptography, Device Management, Encryption, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, HAADJ, Hybrid Azure AD Join, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, Network Device Enrollment Service, Network Device Enrollment Services, network policy server, NPS, Operational Support, PFX Connector, PKCS, PKI, public cloud, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, TPM, troubleshooting, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 18, 2024

https://directaccess.richardhicks.com/2024/03/18/microsoft-intune-cloud-pki/

« Older Posts