Blog Post

Intune Customer Success
6 MIN READ

Support tip: Implementing strong mapping in Microsoft Intune certificates

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
Feb 09, 2024
Updated 11/25/24: Strong mapping for SCEP certificates has now been fully rolled out, with support available on Windows, iOS, macOS, and Android operating systems.   With the May 10, 2022 Windows...
A screenshot of the SID variable added to the SCEP profile in Microsoft Intune admin center.
Updated Dec 09, 2024
Version 11.0
Certificates
AndrewMcN_SFRS's avatar
AndrewMcN_SFRS
Brass Contributor
Feb 26, 2025

I might be misunderstanding you but this just works already. ADCS Certificates issued the traditional way have been getting the new OID added since May 2022 (I think). NPS already respects this.

Have you checked your current device certificates to see if they already have the OID?

 

FWIW, products like Cisco ISE need to be updated to support this Intune SAN URI. I did not see any concerns about the certificate extension found in RPC-issued certs.

BBFroggy's avatar
BBFroggy
Copper Contributor
Feb 28, 2025

Strong mapping is only required if the certificate authenticates a user or device against AD. NPS does it this way and thus requires the strong mapping, but all other NACs that I know do not require a mapping of certificates to AD entities and thus require no strong mapping and also neither a SAN URI nor SID extension. IMHO, NPS' approach is not well suited for modern environments with (some) cloud-only devices or users.

Therefore, I think ISE & Co. do not need to add support for the strong mapping. Having a valid certificate is enough to get into the network in their case, without an explicit mapping to an AD entity. You still have the certificate properties for auditing and can revoke a certificate if a specific user or device shouldn't get into the network anymore. This way, you also don't need to put the CA certificate in the NTAuth Store anymore, so they cannot be used for AD authentication. NPS requires the NTAuth and this exposes one more potential attack vector, as a stolen certificate does not only grant access to the network, but can also be used to impersonate an AD user or device.

  • AndrewMcN_SFRS's avatar
    AndrewMcN_SFRS
    Brass Contributor
    Feb 28, 2025

    It's not so much that ISE needs to add support for it, it's that it chokes on the SAN URI because they already coded support for their Intune device lookup URI but obviously somewhat loosely. So, if you are not patched to the right level, ISE will choke if you use the SAN URI as recommended by this article, because ISE wasn't coded smart enough to distinguish which SAN is which. As Peter_Mohr shows, you can see the Field Notice they published about it.