Intune implementing strong mapping for SCEP and PKCS certificates

Microsoft is currently telling customers to double-check their PKIs: with the May 10, 2022 Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later to mitigate elevation-of-privilege vulnerabilities associated with certificate spoofing. We described the impact of this change when the vulnerability was originally disclosed.

To address the ADCS/KDC changes, Microsoft Intune can now include the on-premises SID of the user or device in enrolled certificates. You include it by adding a SAN of type URI with the value "{{OnPremisesSecurityIdentifier}}" to the certificate profile. The Windows certificate viewer then shows the entry like this:

URL=tag:microsoft.com,2022-09-14:sid:<value>

Microsoft is rolling this feature out to all Intune customers in October/November 2024.

SCEPman is ready for this change. No changes to SCEPman are required, only to the Intune configuration.

If you want to use this feature, update your SCEP configuration profiles in Intune according to Microsoft's instructions. We have tested that SCEPman supports this SAN format, and it works with all SCEPman versions.

Alternatively, SCEPman can add the SID extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) itself. This is how we addressed the KDC issue in July 2023, the same way an on-premises ADCS does it. SCEPman customers therefore do not require the new SAN field, especially if they are already using the SID extension.

SCEPman customers can choose between the SID extension and the SID SAN value. The former requires a SCEPman configuration setting, the latter a change to the SCEP configuration profiles, as detailed above. Whichever you choose, check the System log on your domain controllers for Kerberos-Key-Distribution-Center event ID 39 (certificate could not be strongly mapped) before the KDC moves to full enforcement; it lists the certificates that still carry neither.
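To make the two carriers concrete, here is a small stdlib-only Python example, added for this post and not code from SCEPman or Intune. It extracts the SID from both places a KDC looks: the SAN URI with the tag:microsoft.com,2022-09-14:sid: prefix that Intune writes, and the DER body of the 1.3.6.1.4.1.311.25.2 extension as ADCS encodes it (a GeneralName otherName with type-id 1.3.6.1.4.1.311.25.2.1 wrapping an OCTET STRING with the textual SID). The sample SID, SAN list and extension bytes are constructed inline; the function names are the example's own.

```python
"""Read the on-premises SID from a certificate's SAN URI or SID extension (stdlib only)."""
import re

SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"   # Intune SAN URI form
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"                   # szOID_NTDS_CA_SECURITY_EXT
SID_OTHERNAME_OID = "1.3.6.1.4.1.311.25.2.1"           # type-id inside the extension
# Only domain account SIDs (objectSid) are meaningful for strong mapping.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def _check_sid(sid):
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    return sid


# --- carrier 1: SAN URI ------------------------------------------------------
def san_uri_for_sid(sid):
    """What Intune renders for {{OnPremisesSecurityIdentifier}}."""
    return SID_URI_PREFIX + _check_sid(sid)


def sid_from_san_uri(uri):
    if not uri.startswith(SID_URI_PREFIX):
        raise ValueError("not a Microsoft SID tag URI")
    return _check_sid(uri[len(SID_URI_PREFIX):])


# --- carrier 2: SID extension (minimal DER encode/decode) ---------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F]); p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80); p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_sid_extension(sid):
    """SEQUENCE { [0] OtherName { OID 1.3.6.1.4.1.311.25.2.1, [0] OCTET STRING sid } }"""
    other_name = _oid(SID_OTHERNAME_OID) + _tlv(0xA0, _tlv(0x04, _check_sid(sid).encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, other_name))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val); val = 0
    return ".".join(map(str, parts))


def sid_from_extension(der):
    tag, seq, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("extension value is not a single SEQUENCE")
    tag, other_name, _ = _read_tlv(seq)
    if tag != 0xA0:
        raise ValueError("expected GeneralName otherName [0]")
    tag, oid_body, pos = _read_tlv(other_name)
    if tag != 0x06 or _decode_oid(oid_body) != SID_OTHERNAME_OID:
        raise ValueError("unexpected otherName type-id")
    tag, value, _ = _read_tlv(other_name, pos)
    if tag != 0xA0:
        raise ValueError("expected EXPLICIT [0] value")
    tag, sid_bytes, _ = _read_tlv(value)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    return _check_sid(sid_bytes.decode("ascii"))


# --- what the KDC would see ---------------------------------------------------
def sid_for_strong_mapping(san_uris, extensions):
    """Return the SID from either carrier, None if absent; raise if they disagree."""
    found = {sid_from_san_uri(u) for u in san_uris if u.startswith(SID_URI_PREFIX)}
    if SID_EXT_OID in extensions:
        found.add(sid_from_extension(extensions[SID_EXT_OID]))
    if len(found) > 1:
        raise ValueError(f"conflicting SIDs in certificate: {sorted(found)}")
    return found.pop() if found else None


# Constructed sample data (not a real domain or account).
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1125"
SAMPLE_SAN = ["user@contoso.example", san_uri_for_sid(SAMPLE_SID)]
SAMPLE_EXT = {SID_EXT_OID: encode_sid_extension(SAMPLE_SID)}

if __name__ == "__main__":
    print("extension DER:", SAMPLE_EXT[SID_EXT_OID].hex())
    print("SID from SAN URI only:", sid_for_strong_mapping(SAMPLE_SAN, {}))
    print("SID from extension only:", sid_for_strong_mapping([], SAMPLE_EXT))
```

The extension encoder is handy for comparing against a real certificate: dump the 1.3.6.1.4.1.311.25.2 value with certutil or openssl and the bytes should match what encode_sid_extension produces for that account's objectSid. A certificate that yields None from sid_for_strong_mapping is one the KDC will log event ID 39 for once enforcement is on.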
