Microsoft released KB5014754, which introduced a significant change to certificate-based authentication on Windows Domain Controllers. The change is intended to increase security by enforcing stricter certificate mappings and to eliminate the vulnerabilities associated with certificate spoofing.
In this article from IntuneBytes we explain everything you need to know about the new strong certificate mapping in the Intune Certificate Connector and all the steps required on the admin side.
Update reflecting in Intune
Microsoft adopted strong certificate mapping in Microsoft Intune certificate profiles (PKCS, SCEP) with Intune Service Update 2409 (September 2024) and Certificate Connector version 6.2406.0.1001.
Supported Platforms
The new strong certificate mapping supports all platforms:
- Windows 10, 11
- macOS
- Android
- iOS
User certificate: the change applies to all user certificate profiles (PKCS/SCEP).
Device certificate: the change applies only to Hybrid Joined devices (PKCS/SCEP), which means Windows only.
As an Intune admin, what do I need to do?
Follow the steps below to enable strong mapping in the Intune Certificate Connector:
1- Update the Certificate Connector to version 6.2406.0.1001.

2- For the PKCS server, update the registry value EnableSidSecurityExtension under [HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector] from 0 to 1.

3- For the SCEP server, add the following new attributes to the Subject Alternative Name:
URI : {{OnPremisesSecurityIdentifier}} >> the on-premises user's SID
URI : ID:Microsoft Endpoint Manager:GUID:{{DeviceID}} >> the Intune device ID

Newly issued certificate: what has changed?
Once the strong mapping implementation is complete on your side, you can verify it as follows:
1- PKCS Windows certificate: a new extension with OID 1.3.6.1.4.1.311.25.2 is added, and its value exactly matches the user's SID.

2- SCEP profile on Windows: the SAN shows 2 new attribute values:
URI= tag:microsoft.com,2022-09-14:sid:<User SID>
URI=ID:Microsoft Endpoint Manager:GUID:<Intune Device ID>

3- SCEP profile on iOS: the certificate can be checked on the device under Settings, General, VPN and Device Management, SCEP Certificate.
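As an added example (not code from the IntuneBytes post), the following PowerShell function reads certificates from a local Windows store and reports which of the markers described above each certificate carries: the SID extension OID 1.3.6.1.4.1.311.25.2 from the PKCS path and the two SAN URIs from the SCEP path. It assumes it is run on the Windows device that holds the certificate; the function name and the output field names are my own.

```powershell
# Added example: report the strong-mapping markers present on a certificate.
# Assumes it runs on the device holding the Intune-issued certificate.
function Test-StrongCertificateMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $sidExtOid = '1.3.6.1.4.1.311.25.2'   # SID security extension (PKCS path)
        $sanOid    = '2.5.29.17'              # Subject Alternative Name (SCEP path)

        # PKCS: the SID extension stores the SID as an ASCII string inside its
        # DER value, so a text search over the raw bytes is enough to extract it.
        $sidExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $sidExtOid }
        $sidFromExt = $null
        if ($sidExt) {
            $raw = [System.Text.Encoding]::ASCII.GetString($sidExt.RawData)
            if ($raw -match 'S-1-5-21(-\d+)+') { $sidFromExt = $Matches[0] }
        }

        # SCEP: Windows decodes the SAN to text; look for the two URI formats.
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sidFromSan = $null; $deviceId = $null
        if ($san) {
            $text = $san.Format($true)
            if ($text -match 'tag:microsoft\.com,2022-09-14:sid:(S-1-5-21(?:-\d+)+)') { $sidFromSan = $Matches[1] }
            if ($text -match 'ID:Microsoft Endpoint Manager:GUID:([0-9a-fA-F-]{36})') { $deviceId = $Matches[1] }
        }

        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Thumbprint     = $Certificate.Thumbprint
            SidExtension   = $sidFromExt      # from OID 1.3.6.1.4.1.311.25.2
            SanSidUri      = $sidFromSan      # from tag:microsoft.com,2022-09-14:sid:<SID>
            SanDeviceIdUri = $deviceId        # from ID:Microsoft Endpoint Manager:GUID:<ID>
            MarkerFound    = [bool]($sidFromExt -or $sidFromSan -or $deviceId)
        }
    }
}

# Usage: list the certificates in the current user's personal store that carry
# at least one of the markers; drop the Where-Object to see all of them.
Get-ChildItem Cert:\CurrentUser\My | Test-StrongCertificateMapping |
    Where-Object { $_.MarkerFound } | Format-Table -AutoSize
```

Use Cert:\LocalMachine\My instead of Cert:\CurrentUser\My to check device certificates on a Hybrid Joined machine.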

Quick Bytes:
- The new strong mapping can also be used with Microsoft Intune Cloud PKI (which is part of the Microsoft Intune add-on).
- Be careful when updating the SCEP profile: any change to a certificate profile triggers the issuance of new certificates to all targeted users and devices.
- If the Intune Certificate Connector in your PKI environment did not receive the new connector version automatically, it is fine to download and install it manually.
- A device certificate with the new strong mapping MUST be assigned to Hybrid Joined devices only, which requires an Entra dynamic group.
- If the new URIs are added to a profile that targets an unsupported device, the certificate is still issued normally, just without that URI.
- If the user has no SID (e.g. a cloud-only user), the certificate is still issued normally, just without that URI.
Conclusion
In conclusion, the release of KB5014754 marks a pivotal advancement in certificate-based authentication on Windows Domain Controllers, enhancing security by enforcing stricter certificate mappings and mitigating the risks associated with certificate spoofing. This significant change has been mirrored in the Intune Certificate Connector, giving engineers a robust framework for managing certificates within their environments.
By adopting these updates, organizations can strengthen their security posture and ensure a more reliable authentication process, ultimately safeguarding sensitive data and resources. Engineers should stay informed and implement these changes to leverage the full potential of Microsoft Intune in securing their infrastructure.