Intune Customer Success

Support tip: Implementing strong mapping in Microsoft Intune certificates

Intune_Support_Team
Feb 09, 2024

Updated 11/25/24: Strong mapping for SCEP certificates has now been fully rolled out, with support available on Windows, iOS, macOS, and Android operating systems.

 

With the May 10, 2022 Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities in which a certificate is spoofed to authenticate as a different user or computer. Windows will enforce these changes on February 11, 2025: if a certificate can't be strongly mapped to the account it is presented for, authentication will be denied. The option to revert to Compatibility mode will be available until September 10, 2025, after which the StrongCertificateBindingEnforcement registry value will no longer be supported.

 

We’ve received feedback from customers wanting to understand how this impacts certificates delivered by Intune. In February 2024, we initiated the rollout of strong mapping for SCEP certificates in Intune. However, based on customer feedback, we paused the rollout. Instead, we're now introducing support for a SID variable in SCEP profiles, which gives customers control over whether the SID is included in the certificate for strong mapping, particularly where the certificate is used for certificate-based authentication against the KDC.

 

This feature rolled out in the October (2410) service release for Windows, iOS, and macOS, with Android support in the November (2411) service release. The variable, OnPremisesSecurityIdentifier, lets customers test against their own infrastructure and roll out at their own pace, so they can confirm that other applications or systems they use accept the new certificate format.

 

Enablement of certificate strong mapping in Active Directory

To address security concerns related to certificate spoofing, Windows introduced changes to the KDC that require certificates for a user or computer object to be strongly mapped to that object in Active Directory. A strong mapping ties the certificate to the object's identity in a way the requester can't change by picking a different subject name or UPN, so a certificate issued to one account can't be presented for another. These changes ensure a more robust validation process during certificate-based authentication.

 

Various mapping options are allowed: manual mapping, where the certificate is bound to the object through the altSecurityIdentities attribute using one of the strong forms (issuer and serial number, subject key identifier, or SHA-1 hash of the public key), and automatic mapping, where Active Directory Certificate Services (AD CS) writes the user's or device's security identifier (SID) into the certificate in the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension for online certificate templates.

 

For manually mapped and offline certificates, which is how Intune delivers certificates to devices (the CA does not look up the requester in Active Directory, so it can't add the SID extension itself), a new mapping has been introduced: a Subject Alternative Name (SAN) URI with a tag-based format, shown below.

 

URL=tag:microsoft.com,2022-09-14:sid:<value>

 

When a user or device presents a certificate for authentication to Active Directory, the KDC checks whether one of the required mappings is present and, for the SID-based mappings, whether the SID in the certificate matches the SID of the account being authenticated. Only then is the certificate treated as strongly mapped and issued to that specific user or device.

 

Adding SID to SCEP certificates for AD CS/KDC changes

To address the AD CS/KDC changes, we’re introducing the capability for admins to include the on-premises Security Identifier (SID) in SCEP certificates. Admins can either edit existing SCEP profiles or create new ones to add the OnPremisesSecurityIdentifier variable as a SAN entry with the URI attribute, as shown below. Note that URI is the only supported attribute for OnPremisesSecurityIdentifier; the variable is not valid in the subject name or in other SAN types.

A screenshot of the SID variable added to the SCEP profile in Microsoft Intune admin center.

 

Once you’ve added it to the SCEP profile, Intune appends the SID value to the “tag:microsoft.com,2022-09-14” tag in the SAN of the certificate request, so the SAN includes the object's SID formatted as "tag:microsoft.com,2022-09-14:sid:<OnPremisesSecurityIdentifier>". This URI is included in the SCEP payload sent to the device through the mobile device management (MDM) channel, and the device carries it in the certificate request it submits to the CA.

 

Example screenshot of a certificate that has been issued with a SAN URI.

 

For user certificates, the variable resolves to the user SID; for device certificates, it resolves to the device SID. The KDC logic for evaluating certificate mappings has also been updated to recognize this SAN tag-based URI, which is what makes strong mapping usable for SCEP-issued (offline) certificates. This solution works with Windows Server 2019 and above.

 

Recommendations for safe implementation

Testing

It's essential to thoroughly test new configurations on a select group of devices before rolling them out broadly. Create a profile with the variable "OnPremisesSecurityIdentifier" and apply it to this group. Confirm compatibility with applications, Intune-integrated conditional access, NAC solutions, and any certificate-based authentication in your networking infrastructure: anything that parses the SAN now sees an additional URI entry. On the domain controllers, confirm that a test user's or device's new certificate authenticates without the weak-mapping warning (Event ID 39 from the Kerberos-Key-Distribution-Center source, described in KB5014754) before you consider Full Enforcement. Also confirm that your CA only accepts this SAN URI on requests that arrive through Intune's SCEP challenge validation; the KDC trusts the SID it finds in the certificate, so a CA that let requesters supply an arbitrary SID URI would reintroduce the spoofing the KDC change is meant to stop.

 

Phased certificate renewal

Renew certificates in phases by creating a new SCEP profile and gradually targeting it to groups of users or devices. This approach avoids overwhelming your certificate authority and minimizes disruption. Because a certificate without the SID URI keeps working only while the KDC is in Compatibility mode, track how many issued certificates still lack the URI as each phase completes.

 

 

Note: If you notice the tag "tag:microsoft.com,2022-09-14:sid:<value>" in certificates already issued within your organization, your tenant received the initial KDC change in February 2024. Any certificates that don’t include this SID must be reissued before February 2025 so that they contain the SID and authentication isn‘t denied. Alternatively, you can keep the domain controllers in Compatibility mode while certificates renew automatically: set the StrongCertificateBindingEnforcement registry value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc to 1 on each domain controller, as defined in KB5014754. This registry change must be in place before February 2025, and all certificates should be renewed before September 2025 to avoid any disruption.
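The following PowerShell is an added example for the testing and renewal-tracking steps above and for the SAN URI check described earlier in this post; it is not code from the original post or from Intune. It parses the "tag:microsoft.com,2022-09-14:sid:<SID>" URI out of a certificate's SAN, compares it with the SID of the Active Directory object the way the KDC does, lists certificates in a store that still lack the URI, and reads the KDC enforcement mode on a domain controller. The store path, the issuer filter, the English "URL=" rendering of SAN entries by X509Extension.Format(), and the use of the RSAT ActiveDirectory module for the expected SID are assumptions and not from the page.

```powershell
# Added example (not from the original post). Run in Windows PowerShell 5.1 or later.
# Assumptions: English SAN rendering ("URL=..."), default store Cert:\CurrentUser\My,
# RSAT ActiveDirectory module available where Get-ADUser/Get-ADComputer are used.

$SidTagPrefix = 'tag:microsoft.com,2022-09-14:sid:'   # tag defined in KB5014754

function Get-CertificateSidMapping {
    # Returns the SID carried in the SAN URI, or $null when the certificate has no such entry.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format($true) renders one SAN entry per line, e.g. "URL=tag:microsoft.com,2022-09-14:sid:S-1-5-21-...".
    $pattern = '^\s*URL=' + [regex]::Escape($SidTagPrefix) + '(?<sid>S-1-5-21(?:-\d+){4})\s*$'
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match $pattern) {
            return [pscustomobject]@{
                Thumbprint = $Certificate.Thumbprint
                Sid        = $Matches.sid
                Uri        = $SidTagPrefix + $Matches.sid
            }
        }
    }
    return $null
}

function Test-CertificateStrongMapping {
    # Mirrors the KDC decision: the SID in the certificate must equal the SID of the AD object.
    # $ExpectedSid comes from AD, e.g. (Get-ADUser alice).SID.Value or (Get-ADComputer PC01).SID.Value
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedSid
    )
    $mapping = Get-CertificateSidMapping -Certificate $Certificate
    if ($null -eq $mapping)             { return 'NotStronglyMapped' }  # denied under Full Enforcement
    if ($mapping.Sid -ne $ExpectedSid)  { return 'SidMismatch' }        # issued to a different object
    return 'StronglyMapped'
}

function Get-CertificateSidMappingReport {
    # Lists certificates with a private key in a store and whether each carries the SID URI.
    # Rows with StronglyMapped = $false must be reissued (or the KDC kept in Compatibility mode).
    param(
        [string]$StorePath    = 'Cert:\CurrentUser\My',  # assumption: where user SCEP certs land
        [string]$IssuerFilter = '*'                      # e.g. 'CN=Contoso Issuing CA*'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like $IssuerFilter -and $_.HasPrivateKey } |
        ForEach-Object {
            $m = Get-CertificateSidMapping -Certificate $_
            [pscustomobject]@{
                Subject        = $_.Subject
                Thumbprint     = $_.Thumbprint
                NotAfter       = $_.NotAfter
                SidUri         = $(if ($m) { $m.Uri } else { $null })
                StronglyMapped = [bool]$m
            }
        }
}

function Get-KdcEnforcementMode {
    # Run on a domain controller. StrongCertificateBindingEnforcement (KB5014754):
    # 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement; absent = the update's current default.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $value = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement `
                  -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { 'NotSet (update default applies)' }
    }
}

# Usage (examples):
#   Get-CertificateSidMappingReport -IssuerFilter 'CN=Contoso Issuing CA*' | Format-Table -AutoSize
#   $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -like '*alice*' | Select-Object -First 1
#   Test-CertificateStrongMapping -Certificate $cert -ExpectedSid (Get-ADUser alice).SID.Value
#   Get-KdcEnforcementMode   # on each domain controller
```

Run the report against the pilot group's devices (for device certificates use Cert:\LocalMachine\My) before and after the new profile lands; a certificate that reports StronglyMapped but returns SidMismatch against the object it is meant for indicates the profile is resolving the variable for the wrong object, which is exactly the case the KDC will reject.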

 

Implementation for PKCS certificates

Strong mapping for PKCS certificates is available in certificate connector version 6.2406.0.1001 and later. For information about the latest version and how to update the certificate connector, review Certificate connector for Microsoft Intune and Update certificate connector for KB5014754 requirements.

For the PKCS changes to take effect, you need to update the connector, make the registry change below, and then restart the connector service, in that order.

Important: Before you modify the registry key, review the Microsoft articles on how to change a registry key and how to back up and restore the registry.

Modify the value for the following registry key:

Key: HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector
Value name: EnableSidSecurityExtension
Type: DWORD
Value: 1

After modifying the registry key, restart the connector service so the change takes effect. To revert, restore the registry backup and create a new profile so that certificates are reissued without the SID attribute.
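As an added example for the PKCS procedure above (not code from the original post or from the connector), the following PowerShell applies the registry change on the connector host with a backup taken first, verifies the value, and restarts the connector service. It cannot verify that the connector was updated first; do that before running it. The service display-name pattern used to find the connector service is an assumption: confirm it with Get-Service on your connector host before relying on it.

```powershell
# Added example (not from the original post). Run elevated on the certificate connector host
# after the connector has been updated to 6.2406.0.1001 or later.
# Assumption: the connector service(s) can be matched by display name with $ServiceNameLike.

$ConnectorKey    = 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector'
$ConnectorKeyReg = 'HKLM\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector'  # reg.exe syntax
$ServiceNameLike = '*Intune*'   # assumption: adjust after checking Get-Service on the host

function Backup-PfxConnectorRegistryKey {
    # Exports the key to a .reg file so the change can be reverted with "reg.exe import".
    param(
        [string]$Path = (Join-Path $env:ProgramData "PFXCertificateConnector-$(Get-Date -Format yyyyMMddHHmmss).reg")
    )
    & reg.exe export $ConnectorKeyReg $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Set-PfxConnectorSidExtension {
    # Sets EnableSidSecurityExtension (1 = include the SID, 0 = do not), verifies it,
    # then restarts the connector service(s) in that order.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)

    if (-not (Test-Path $ConnectorKey)) {
        throw "Connector key not found; install or update the certificate connector first."
    }
    $backup = Backup-PfxConnectorRegistryKey

    New-ItemProperty -Path $ConnectorKey -Name EnableSidSecurityExtension `
        -Value $Enabled -PropertyType DWord -Force | Out-Null
    $now = (Get-ItemProperty -Path $ConnectorKey -Name EnableSidSecurityExtension).EnableSidSecurityExtension
    if ($now -ne $Enabled) { throw "EnableSidSecurityExtension is $now, expected $Enabled" }

    # The value is only read when the connector service starts, so restart it.
    $services = Get-Service -DisplayName $ServiceNameLike -ErrorAction SilentlyContinue |
                Where-Object Status -eq 'Running'
    if (-not $services) {
        Write-Warning "No running service matched '$ServiceNameLike'; restart the connector service manually."
    }
    $services | Restart-Service -Force

    [pscustomobject]@{
        EnableSidSecurityExtension = $now
        Backup                     = $backup
        RestartedServices          = @($services | ForEach-Object Name)
    }
}

# Usage:
#   Set-PfxConnectorSidExtension -Enabled 1    # enable; then issue a test PKCS certificate
#   Set-PfxConnectorSidExtension -Enabled 0    # revert; then target a new profile so certs are reissued
```

Keep the .reg backup path the function returns; restoring it with reg.exe import and restarting the service is the revert step the post describes, and the new profile is still needed so that already-issued certificates are replaced.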

 

Known issue: For Windows, when issuing the PKCS certificate you may see the following exception:

 System.NullReferenceException: CertEnroll::CX509Extension::Initialize: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
   at CERTENROLLLib.IX509Extension.Initialize(CObjectId pObjectId, EncodingType Encoding, String strEncodedData)

This is resolved with the November 12, 2024 Windows update (KB5046616). Note, this fix is only supported for Windows Server version 2019 and above. 

Strong mapping prerequisites for Intune

The changes introduced by Intune apply to Microsoft Entra hybrid joined users and devices that authenticate against Active Directory using Intune-issued certificates. For strong mapping to work for these users and devices, the following prerequisites must be met:

  • The user and device SID must be synchronized to Microsoft Entra ID; the variable reads the object's on-premises SID from the synchronized object. For more information, read How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain.
  • For device certificates, only Microsoft Entra hybrid joined devices have SID information, so strong mapping applies only to Windows devices that are Microsoft Entra hybrid joined. For other device types, such as iOS or Android, strong mapping is not supported for device certificates; use user certificates instead.

Strong mapping is supported for:

  • Windows 10
  • Windows 11
  • Windows Server 2019 and later
  • iOS
  • macOS
  • Android (from the November 2024 (2411) service release)

 

SID support for third-party CA and NAC partners

We are working closely with partners to ensure readiness for all third-party certification authorities (CA) and network access control (NAC) solutions.  


The following CA partners have been verified to be compatible with the SID inclusion from Intune: 

  • Cogito Group
  • DigiCert
  • EasyScep
  • EJBCA
  • Entrust
  • EverTrust
  • HID Global
  • IDnomic
  • Keyfactor Command
  • KeyTalk
  • Keytos
  • Nexus Certificate Manager
  • SCEPman
  • Sectigo
  • Venafi
  • Securew2 

 

If you're using NAC solutions with Intune, it's important to check compatibility with the SID included in certificates. We're working closely with various NAC partners to ensure smooth integration. Here's the current status:

  • Portnox – Completed
  • Cisco – In progress
    • ISE 3.2 P7 – Released in October 2024
    • ISE 3.3 P4 – Planned for October 2024
    • ISE 3.4 P1 – Planned for November 2024
    • ISE 3.1 P10 – Planned for January 2025
  • Citrix – In progress
  • F5 – In progress
  • Ivanti – In progress
  • Forescout – In progress
  • Aruba Clearpass – Completed, Intune extension version 6.3.3

We recommend thorough testing of any applications, Intune-integrated CAs, NAC solutions and networking infrastructure where clients may utilize certificates for authentication to ensure optimal functionality. 

 

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.

 

Post updates:

03/18/24: Based on customer feedback, we paused the rollout for this update. More information can be found above.

10/10/24: Added steps to implement SID in SCEP and PKCS certificates, along with information on SID support for third-party CA and NAC partners.
10/29/24: Updated status of NAC partners.
11/14/24: Updated to include a PKCS known issue with resolution (KB5046616).
11/25/24: Strong mapping for SCEP certificates has now been fully rolled out, with support available on Windows, iOS, macOS, and Android operating systems.

Updated Dec 09, 2024
Version 11.0