Intune Strong Certificate Mapping Error

Microsoft recently introduced support for strong certificate mapping in Intune to support changes introduced with the May 2022 security update KB5014754. Specifically, Intune now supports adding the SID for the principal in the subject name to the certificate for PKCS and SCEP device configuration policies.

Error

A few folks have contacted me about an error they encountered when configuring strong certificate mapping for Intune device configuration profiles using PKCS. Specifically, they would receive the following error message after specifying the URI value {{OnPremisesSecurityIdentifier}} in the Subject Alternative Name section of the PKCS policy.

A value is required for Value. Value can include allowed variables combined with static text. UPN and Email address should include an @, for example: “{{AAD_Device_ID}}@contoso.com”. DNS cannot end with a symbol or contain an @ sign, e.g. “{{DeviceName}}.contoso.com“ or “{{DeviceName}}”. See support variables here: https://go.microsoft.com/fwlink/?linkid=2104597

Resolution

Administrators will receive this message when adding the {{OnPremisesSecurityIdentifier}} variable to a PKCS device configuration policy. This error is expected because PKCS does not require (or support) the use of this value in this field. The {{OnPremisesSecurityIdentifier}} value is only required for SCEP Intune device configuration profiles.

To add the SID to a PKCS certificate, administrators must only define a registry value on the Intune Certificate Connector server as described here. No changes are required on the PKCS device configuration policy in Intune.

Additional Information

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Certificate-Based Authentication Changes for Always On VPN