| Field | Value | Field | Value |
|---|---|---|---|
| Announcement ID | MC932464 | Published Date | 11-13-2024 |
| Service | Intune | Last Updated | 11-13-2024 |
| Category | Plan for change | Expiration Date | 04-04-2025 |
| Roadmap ID | | Action Required by Date | |
| Tags | Admin impact, User impact | | |

Summary |
---|
Windows Server 2008 and later will enforce changes to mitigate certificate spoofing vulnerabilities from February 11, 2025. Intune users must prepare by enabling strong mapping for SCEP and PKCS certificates or by using Compatibility mode until September 2025. Detailed guidance is available on the Microsoft Tech Community blog. |
More Information |
---|
With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on February 11, 2025. To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. How this will affect your organization: These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate cannot be strongly mapped, authentication will be denied. To enable strong mapping:
What you need to do to prepare: If you use SCEP or PKCS certificates for Microsoft Entra hybrid joined users or devices, you will need to take action before February 11, 2025 to either:
|