MC932464: Implement strong mapping for SCEP and PKCS certificates

Announcement ID: MC932464
Published Date: 11-13-2024
Service: Intune
Last Updated: 11-13-2024
Category: Plan for change
Expiration Date: 04-04-2025
Roadmap ID:
Action Required by Date:
Tags: Admin impact, User impact


Summary
Windows Server 2008 and later will enforce changes to mitigate certificate spoofing vulnerabilities from February 11, 2025. Intune users must prepare by enabling strong mapping for SCEP and PKCS certificates or use Compatibility mode until September 2025. Detailed guidance is available on the Microsoft Tech Community blog.


More Information

With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on February 11, 2025.

To prepare for this change, Intune has released the ability to include the security identifier (SID) to strongly map SCEP and PKCS certificates.

How this will affect your organization:

These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate cannot be strongly mapped, authentication will be denied. To enable strong mapping:

  • SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rolling out updated certificates to minimize disruptions to your users. Note: Support for Android devices is expected with Intune's November (2411) release.
  • PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.

What you need to do to prepare:

If you use SCEP or PKCS certificates for Microsoft Entra hybrid joined users or devices, you will need to take action before February 11, 2025 to either:

  • (Recommended) Enable strong mapping by reviewing the steps described in the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
  • Alternatively, if all certificates cannot be renewed before February 11, 2025, with the SID included, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode will remain valid until September 2025.
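As an added example, not part of this Message Center post or any Microsoft tool, the PowerShell helpers below cover the two checks an admin wants before the enforcement date: which already-issued certificates still lack the SID extension (and so will fail strong mapping), and which KB5014754 enforcement mode a domain controller's KDC is currently in. The example relies on the szOID_NTDS_CA_SECURITY_EXT extension OID (1.3.6.1.4.1.311.25.2) and the KDC's StrongCertificateBindingEnforcement registry value from KB5014754; the certificate store path, the function names and the lightweight regex-based SID extraction are the example's own assumptions. The Certificate Connector's own registry value is not named in the announcement, so the example does not touch it.

```powershell
# Added example (not from the Message Center post or Microsoft); assumptions marked inline.

# OID of the szOID_NTDS_CA_SECURITY_EXT extension that carries the account's objectSid.
$script:SidExtensionOid = '1.3.6.1.4.1.311.25.2'

function Test-CertificateStrongMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $script:SidExtensionOid }
    $sid = $null
    if ($ext) {
        # The extension stores the SID as a plain ASCII string inside an OCTET STRING, so a
        # regex over the raw bytes recovers it without a full ASN.1 decode (example's shortcut).
        $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
        if ($text -match 'S-1-5-[0-9-]+') { $sid = $Matches[0] }
    }
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Thumbprint      = $Certificate.Thumbprint
        NotAfter        = $Certificate.NotAfter
        HasSidExtension = [bool]$ext
        MappedSid       = $sid   # compare against the user's or device's objectSid in AD
    }
}

# Certificates in a store that will be rejected once the KDC enforces strong mapping.
function Get-CertificatesWithoutSid {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # store path is an assumption
    Get-ChildItem -Path $StorePath |
        ForEach-Object { Test-CertificateStrongMapping -Certificate $_ } |
        Where-Object { -not $_.HasSidExtension }
}

# Read the KDC mode set by KB5014754's StrongCertificateBindingEnforcement value (run on a DC).
function Get-KdcStrongBindingMode {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $item = Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
    $mode = $item.StrongCertificateBindingEnforcement
    if ($null -eq $mode) {
        return 'Not set: the default for the installed update level applies'
    }
    switch ([int]$mode) {
        0       { 'Disabled (0): strong-mapping checks are off' }
        1       { 'Compatibility mode (1): weak mappings still accepted and logged' }
        2       { 'Full enforcement (2): certificates without a strong mapping are rejected' }
        default { "Unexpected value $mode" }
    }
}

# Usage: list what still needs reissuing with the SID, then confirm the KDC mode on a DC.
Get-CertificatesWithoutSid | Format-Table Subject, Thumbprint, NotAfter
Get-KdcStrongBindingMode
```

Run Get-CertificatesWithoutSid on a representative pilot device before and after the updated SCEP profile or connector change is applied; an empty result confirms the new certificates carry the SID, and a non-empty one gives the list to prioritise for renewal ahead of February 11, 2025.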