All posts tagged certificate authority

Intune PKCS and SCEP Certificate Validity Period

With the recent announcement of drastically reduced certificate lifetimes for public TLS certificates, there has been much discussion about certificate lifetimes for private certification authorities (CAs) like Microsoft Active Directory Certificate Services (AD CS). Most commonly, AD CS certificates are issued with a one-year validity period. However, as I’ve discussed in the past, there’s good reason to consider shorter lifetimes in many scenarios. Reducing certificate lifetimes is a growing trend to enhance security, but it poses challenges for private CAs like AD CS. This post explains how to manage shorter certificate lifetimes in Intune using PKCS and SCEP.

AD CS Template

With AD CS, the administrator defines the certificate lifetime by setting the validity period value when creating the certificate template in Active Directory (AD), as shown here.

All certificates issued using this template will be valid for one year from the date of issuance.

Note: The only exception would be if the issuing CA’s certificate were due to expire before the one-year expiration date. In that case, the certificate would be valid until the CA certificate expires.

Intune PKCS and SCEP

When issuing certificates with Intune using either PKCS or SCEP, administrators deploy an Intune enrollment certificate template in AD that Intune uses for user and device certificate enrollment. While the Intune enrollment certificate template defines the default validity period, Intune also allows administrators to specify a desired validity period in the PKCS or SCEP policy settings, as shown here.

Intune Validity Period and AD CS

Although Intune provides the ability to define the validity period on the PKCS or SCEP policy, AD CS does not honor this setting unless explicitly configured to do so. Instead, it defaults to the period defined in the certificate template. Using the example above, the administrator defined a validity period of 1 month. However, since the Intune enrollment certificate template’s validity period was set to one year, a certificate valid for one year will be issued.

Override Template Settings

Fortunately, there is a way to override this default behavior. On the issuing CA where the Intune enrollment certificate template is published, open an elevated PowerShell command window and run the following command.

certutil.exe -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

Once complete, run the following PowerShell command to restart the CA service.

Restart-Service -Name CertSvc -PassThru

After making this change, administrators can define a shorter certificate validity period than specified on the template using Intune PKCS and SCEP policies.

Note: For security reasons, this setting only allows requests that are shorter than the template’s defined validity period. You cannot request a certificate with a validity period that is longer than the template allows.

Summary

By enabling the EDITF_ATTRIBUTEENDDATE flag on your issuing CA, you gain flexibility to tailor certificate validity periods per use case—while still enforcing a maximum validity via the AD Intune certificate enrollment template. Flexible certificate validity periods are especially valuable in environments that are moving toward short-lived certificates for improved security posture.

Additional Information

TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Always On VPN SSTP and 47-Day TLS Certificates

The Case for Short-Lived Certificates in Enterprise Environments

Mastering Certificates with Microsoft Intune – Live Online Training

Leave a comment
by Richard M. Hicks on August 11, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, Deployment, Device Management, Enterprise, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, NDES, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PFX Connector, PKCS, PKI, PowerShell, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 11, 2025

https://directaccess.richardhicks.com/2025/08/11/intune-pkcs-and-scep-certificate-validity-period/

Intune SCEP Profile Changes for Public S/MIME Certificates

Recently, the CA/Browser Forum, which is a voluntary consortium made up of public CAs, browser vendors, and other industry stakeholders, introduced new requirements for S/MIME certificates issued by public certification authorities (CAs). For organizations using Microsoft Intune SCEP device configuration profiles to enroll for these certificates, administrators must update Intune settings to ensure uninterrupted enrollment once the changes take effect.

Subject Name Changes

Beginning July 16, 2025, all public CAs will enforce these new S/MIME Baseline Requirements, mandating “Given Name” and “Surname” attributes in the Subject Name field of S/MIME certificates. By default, Intune user certificate profiles include only the “UserName” attribute in the Subject Name field.

Intune Support

Intune recently completed the rollout of these new attributes in SCEP profiles. Administrators can now update their SCEP profiles for third-party public CAs to include these new attributes for S/MIME certificates using the following supported variables.

G={{GivenName}}
SN={{SurName}}

To align with current public CA standards, include these two fields along with any other information required in the Subject name format field. Multiple values must be separated by commas without spaces, as shown in the example below.

Private CAs

Private CAs, like Active Directory Certificate Services (AD CS) or Intune Cloud PKI, are unaffected. If you are enrolling for S/MIME certificates using these services, no changes are required.

Reenrollment

It’s important to note that modifying an existing Intune SCEP profile will trigger certificate reissuance for all users and devices within the policy’s scope, which could yield unexpected results. When making changes to Intune certificate policies, it is best to create a new policy to supersede the old one, allowing administrators to pilot the new policy before its broad deployment.

Additional Information

CA/Browser Forum S/MIME Baseline Requirements

Mastering Certificates with Microsoft Intune Training August 2025

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

The Case for Short-Lived Certificates in Enterprise Environments

Always On VPN SSTP and 47-Day TLS Certificates

Leave a comment
by Richard M. Hicks on July 10, 2025  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, administration, Certificate Authority, Certificate Services, certificates, Cloud PKI, Compliance, Cryptography, Device Management, Encryption, Endpoint Manager, Enterprise, InTune, MDM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Operational Support, PKI, public cloud, public key infrastructure, SCEP, Simple Certificate Enrollment Protocol, systems management, Windows 10, Windows 11
Tagged , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 10, 2025

https://directaccess.richardhicks.com/2025/07/10/intune-scep-profile-changes-for-public-smime-certificates/

Strong Certificate Mapping Enforcement February 2025

Are you ready? In just a few short weeks(!) Microsoft will release the February 2025 security updates. This is a critical update because Microsoft plans to enable full enforcement of strong certificate mapping on Active Directory Domain Controllers (DCs) with this release. Administrators unprepared for this may incur outages for workloads using certificate-based authentication such as Always On VPN, Wi-Fi, and others.

Reminder: There’s still space available in my Certificates and Intune Masterclass. Register now!

KB5014754

Microsoft introduced strong certificate mapping with the May 2022 update KB5014754 to address vulnerabilities identified with certificate-based authentication. The update makes changes to Active Directory Certificate Services (AD CS) certification authorities (CAs) to embed the principal’s Security Identifier (SID) on issued certificates with a new certificate extension. The update also changes domain controller behavior to monitor and optionally enforce strong certificate mapping for authentication.

Enforcement Mode

When first introduced, the update is configured in compatibility mode. If a certificate that isn’t strongly mapped is presented for authentication, an event is recorded in the event log indicating that. Microsoft has been planning for years to enable full enforcement. After many delays, that time is now upon us. Specifically, full enforcement for strong certificate mapping will be enabled by default on DCs after applying the February 2025 security updates.

Note: Administrators can switch back to compatibility mode for now. See below for more details.

Limitations

Initially, the strong certificate mapping update was applied only to online certificate templates. Specifically, those templates are configured to build the subject name from Active Directory information. However, offline templates, where the subject name is supplied in the request, do not include this information by default. Crucially, any certificate issued with Microsoft Intune with PKCS or SCEP uses offline templates and is not strongly mapped. The lack of strong certificate mapping options for Intune-issued certificates forced Microsoft to delay its full enforcement deadline until these limitations were resolved.

Updates

In October 2024, Microsoft Intune announced support for strong certificate mapping for PKCS and SCEP certificates. Administrators can now configure these certificates to include strong certificate mapping. However, administrators must take action to affect this change.

PKCS

To enable strong certificate mapping for PKCS certificates, administrators must ensure that the certificate connector is running at least version 6.2406.0.1001. In addition, the following registry key must be configured on the connector server.

Key: HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector
Name: EnableSidSecurityExtension
Type: DWORD
Value: 1

You can implement this change by opening an elevated PowerShell command window and running the following command.

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector’ -Name EnableSidSecurityExtension -Value 1 -Force

The Intune Certificate Connector server must be restarted for this change to take effect. No changes are required on the PKCS certificate policy in Intune.

SCEP

To enable strong certificate mapping for SCEP certificates, administrators must add the following attribute/value pair to the Subject alternative name settings on their existing Intune SCEP certificate policy.

Attribute: URI
Value: {{OnPremisesSecurityIdentifier}}

Preparation

Administrators using certificate-based authentication against on-premises Active Directory should ensure all user and device authentication certificates include embedded SID information. For certificates issued on-premises, with Intune using PKCS or certificates issued by Entra Conditional Access, the certificate should now have the extension 1.3.6.1.4.1.311.25.2, including the principal’s SID.


SCEP certificates issued using Intune will include the following information in the Subject Alternative Name field.

URL=tag:microsoft.com,2022-09-24:sid:<sid>


Note: This applies to certificates issued using Cloud PKI for Microsoft Intune as those certificates are deployed using a SCEP device configuration policy.

Opt-Out

With the February 2025 security update, all domain controllers will be switched to full enforcement mode. Authentication requests using certificates without strong mapping will be denied in this configuration.

If your organization is not prepared to move to full enforcement mode, the February 2025 update allows administrators to opt out and switch back to compatibility mode by enabling the following registry key on all domain controllers.

Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
Name: StrongCertificateBindingEnforcement
Type: DWORD
Value: 1

You can implement this change by opening an elevated PowerShell command window and running the following command.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\Kdc’ -Name ‘StrongCertificateBindingEnforcement’ -PropertyType DWORD -Value 1 -Force

September 2025

Administrators are strongly encouraged to update all user and device authentication certificates before September 2025. With the September 2025 security update, Microsoft will no longer honor the opt-out registry settings and strictly enforce strong certificate mapping for all certificate-based authentication requests.

Troubleshooting

Certificate authentication is commonly used for Always On VPN and Wi-Fi authentication. If full enforcement mode is enabled on domain controllers and a certificate is presented for authentication that is not strongly mapped, administrators may see the following event log information recorded on the Network Policy Server (NPS).

Network Policy Server denied access to a user.

The details of the event include the following.

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Obviously, the user does not enter their password when using certificates for authentication. However, the indication of a credential mismatch can be caused by missing strong certificate mapping information when the DC is in full enforcement mode.

Note: There are other causes for reason code 16 failures on NPS. Further investigation may be required to determine the root cause.

Additional Information

Training: Certificates and Intune Masterclass

Certificate-Based Authentication Changes and Always On VPN

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Entra Conditional Access Certificates with SID Information Now Available

Intune Strong Certificate Mapping Error

Strong Certificate Mapping Error with PKCS

KB5014754: Certificate-Based Authentication Changes on Windows Domain Controllers

3 Comments
by Richard M. Hicks on January 27, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Azure Active Directory, Azure AD, Azure VPN, CBA, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, cloud, Cloud PKI, Conditional Access, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra Conditional Access, Entra ID, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, network policy server, NPS, Operational Support, PFX Connector, PKCS, PKI, PowerShell, public cloud, public key infrastructure, Remote Access, SCEP, Security, Security Update, Simple Certificate Enrollment Protocol, systems management, troubleshooting, Update, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 27, 2025

https://directaccess.richardhicks.com/2025/01/27/strong-certificate-mapping-enforcement-february-2025/

« Older Posts