Microsoft's strong certificate mapping enforcement affects organizations using certificate-based authentication. This technical guide covers the required changes to Certificate Authorities, Domain Controllers, and Intune SCEP profiles to maintain compatibility with the new requirements.
I have other posts that cover individual sections of this, but this puts all the updates into one nice article if you're interested.
Understanding Strong Certificate Mapping
Microsoft introduced Strong Certificate Mapping Enforcement in the May 2022 KB5014754 update to address vulnerabilities (CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923) in Active Directory certificate-based authentication. These vulnerabilities allowed attackers to bypass authentication and escalate privileges.
Strong certificate mapping ensures that certificates used for authentication contain a Security Identifier (SID) extension, properly mapping them to users and devices in Active Directory. Certificates at risk include those issued via Offline Templates and those used for Wi-Fi authentication, User Logons, VPN access, and MDM-enrolled devices.
The Timeline That Matters
- February 2025: Full enforcement for strong certificate mapping enabled by default on DCs after applying the February 2025 security updates
- September 2025: The option to revert to Compatibility mode will be available until September 10, 2025, after which the StrongCertificateBindingEnforcement registry value will no longer be supported
Certificate Authority Requirements
Local Certificate Authorities must be updated with the May 2022 KB5014754 patch to automatically include the OID extension (1.3.6.1.4.1.311.25.2) in issued certificates.
Verification of CA patching:
# Check if templates include the required OID
certutil -template | findstr "OID=1.3.6.1.4.1.311.25.2"
Templates without this OID require the CA to be patched with KB5014754. Once patched, new certificates issued using online templates will automatically include the extension.
For existing templates:
- Online templates: Will automatically receive the extension after CA patching
- Offline templates (used by Intune SCEP/PKCS): Require additional configuration as detailed below
Step-by-Step Implementation Guide
Step 1: Verify Certificate Authority Patching
Before proceeding with Intune configuration changes, ensure your Certificate Authorities have the required updates.
Required CA updates:
- Install KB5014754 (May 2022) on all Enterprise Certificate Authorities
- Verify the OID 1.3.6.1.4.1.311.25.2 extension is present in certificate templates
- Restart Certificate Services after patching
Template verification:
certutil -template | findstr "OID=1.3.6.1.4.1.311.25.2"
Step 2: Update Your Intune SCEP Profiles
The key to enabling strong certificate mapping in Intune SCEP profiles is adding the device's Security Identifier (SID) to the Subject Alternative Name (SAN) field.
To update your SCEP profiles:
Navigate to your Intune admin center
- Go to Devices > Configuration profiles
- Select your existing SCEP certificate profile
Edit the Subject Alternative Name section
- Add a new SAN entry with the following details:
- Type: URI
- Value: tag:microsoft.com,2022-09-14:sid:{{OnPremisesSecurityIdentifier}}
Important considerations:
- This variable is supported in device certificates for Microsoft Entra hybrid joined devices, and only works with the URI attribute
- The {{OnPremisesSecurityIdentifier}} value is only required for SCEP Intune device configuration profiles
- For PKCS certificates, a different approach using registry values is required
Test with a pilot group first
- Save the updated profile
- Assign it to a small pilot group before broad deployment
- Validate that new certificates contain the SID information
Step 3: Configure Domain Controller Monitoring
Before rolling out the changes organization-wide, set up monitoring on your Domain Controllers to identify non-compliant certificates.
Configure audit mode on each DC:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" -Name "StrongCertificateBindingEnforcement" -Value "1" -PropertyType "DWORD" -Force
This setting enables Audit mode, where authentication will occur as expected but warning messages will be logged for weak mappings.
Monitor these Event IDs in the System log:
- Event ID 39: Weak mapping detected
- Event ID 41: Mapping failure that would occur in enforcement mode
- Event ID 40: Additional authentication context (OS dependent)
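The following script is an added example (not part of the original post) that reads those three Event IDs from a DC's System log while it is in audit mode and groups the weakly mapped certificates by account and issuing CA, so you can see the re-enrollment backlog before enforcement. The provider name is the KDC's; the function name and the regexes that pull fields out of the event text are assumptions of this example.

```powershell
# Added example: summarise KDC certificate-mapping events (39, 40, 41) from the
# System log of a Domain Controller running with StrongCertificateBindingEnforcement = 1.
function Get-WeakCertMappingReport {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    foreach ($e in $events) {
        $msg = $e.Message
        # Pull the labelled fields out of the event text. The regexes are assumptions:
        # if a given OS build words the event differently the field is left empty.
        $user    = if ($msg -match 'User:\s*(\S+)')                    { $Matches[1] } else { '' }
        $subject = if ($msg -match 'Certificate Subject:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        $issuer  = if ($msg -match 'Certificate Issuer:\s*([^\r\n]+)')  { $Matches[1].Trim() } else { '' }
        $kind    = switch ($e.Id) { 39 { 'WeakMapping' } 41 { 'WouldFailInEnforcement' } default { 'Context' } }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Kind    = $kind
            User    = $user
            Subject = $subject
            Issuer  = $issuer
        }
    }
}

$report = Get-WeakCertMappingReport -Days 30
# Accounts and issuing CAs that still present weakly mapped certificates,
# most frequent first: this is the re-enrollment backlog for Step 4.
$report | Where-Object { $_.Kind -ne 'Context' } |
    Group-Object User, Issuer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it against each DC (or pass -ComputerName) and re-run it after the pilot group re-enrolls; the count for those accounts should drop to zero before you leave audit mode.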
Step 4: Certificate Re-enrollment
Once you've updated your SCEP profiles, you need to ensure all devices receive new certificates with the SID extension.
Methods for re-enrollment:
- Increase renewal threshold: Modify existing profiles to trigger automatic renewal
- Create new profiles: Deploy entirely new SCEP profiles and phase out old ones
- Manual re-enrollment: Force certificate renewal on specific devices
Verification steps:
- Check that new certificates contain the SID in the URI SAN
- Test VPN authentication with pilot devices
- Monitor DC event logs for compliance
Step 5: Implementation Validation
Certificate verification:
# PowerShell command to print the Subject Alternative Name of each machine certificate (look for the URL=tag:microsoft.com,2022-09-14:sid:... entry)
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object { $_.Extensions.Oid.Value -contains "2.5.29.17" } | ForEach-Object { $_.Subject; $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | ForEach-Object { $_.Format($true) } }
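To turn the one-liner into a pass/fail check for Steps 2 and 5, here is an added example (not from the original post) that classifies every certificate in the machine store as strongly mappable or not: it passes if the certificate carries the SID extension (OID 1.3.6.1.4.1.311.25.2 from a patched online CA) or a SAN URI of the form tag:microsoft.com,2022-09-14:sid:<SID> as written by the updated SCEP profile. The function name, output fields and the "URL=" prefix that Windows uses when formatting a URI SAN entry are assumptions of this example.

```powershell
# Added example: report which local machine certificates can be strongly mapped.
function Get-CertSidMapping {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $sidExtOid     = '1.3.6.1.4.1.311.25.2'   # SID extension added by a patched CA (online templates)
    $sanOid        = '2.5.29.17'              # Subject Alternative Name
    $sidUriPattern = '^tag:microsoft\.com,2022-09-14:sid:(S-1-5-[\d-]+)$'

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $hasSidExtension = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $sidExtOid })

        # Decode the SAN into text; URI entries are rendered as "URL=<value>" lines (assumption).
        $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } |
                    ForEach-Object { $_.Format($true) }) -join "`n"
        $sanSid = $null
        foreach ($line in ($sanText -split "`r?`n")) {
            $value = ($line -replace '^\s*URL=', '').Trim()
            if ($value -match $sidUriPattern) { $sanSid = $Matches[1]; break }
        }

        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            HasSidExtension = $hasSidExtension
            SanSid          = $sanSid
            StrongMapping   = ($hasSidExtension -or ($null -ne $sanSid))
        }
    }
}

# Certificates that a DC in Full Enforcement mode would reject.
Get-CertSidMapping | Where-Object { -not $_.StrongMapping } |
    Format-Table Subject, Thumbprint, NotAfter, HasSidExtension, SanSid -AutoSize
```

An empty table on a pilot device means every certificate it holds will survive enforcement; a row with a SanSid that does not match the device's on-premises SID points at a profile that was assigned to the wrong object.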
Test scenarios:
- VPN connection attempts using device certificates
- Wi-Fi authentication for hybrid Azure AD joined devices
- Any other certificate-based authentication workflows
Technical Considerations
Certificate Authority Extension Requirements
The May 2022 KB5014754 update modified Certificate Authorities to embed the principal's Security Identifier (SID) in issued certificates with the OID extension 1.3.6.1.4.1.311.25.2. This change initially applied only to online certificate templates.
Intune SCEP and PKCS profiles use offline templates, which do not automatically receive this extension. The October 2024 Intune update addressed this limitation by allowing manual inclusion of SID information.
Common Implementation Issues
Windows Server 2016 DCs cannot read the URI tag format used by Intune's OnPremisesSecurityIdentifier variable. Organizations with 2016 DCs should prioritize upgrading to Windows Server 2019 or later.
PKCS vs SCEP Configuration
The {{OnPremisesSecurityIdentifier}} value is only required for SCEP Intune device configuration profiles.
Mobile Device Limitations
For other device types, like iOS or Android, strong mapping is not supported for device certificates, and user certificates should be used instead.
Compatibility and Rollback Options
If you encounter issues during implementation, temporary rollback options are available:
Enable compatibility mode:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" -Name "StrongCertificateBindingEnforcement" -Value "0" -PropertyType "DWORD" -Force
Important warnings:
- This is only a short-term solution, as Microsoft will fully implement strong mapping after September 2025
- When the September 2025 update is released on Patch Tuesday, if you have not completed and tested these steps by then, the only way to prevent outages is to withhold the patch from all your domain controllers (strongly not recommended, but it is your only option if the remediation is incomplete)
- Plan for full compliance before the September 2025 deadline
- Monitor authentication closely during the transition period
Conclusion
Microsoft's strong certificate mapping enforcement requires updates to both Certificate Authority infrastructure and Intune SCEP profile configurations. The critical components are:
- Certificate Authority patching with KB5014754 to add OID 1.3.6.1.4.1.311.25.2 extension
- Intune SCEP profile updates with the {{OnPremisesSecurityIdentifier}} variable
- Domain Controller monitoring configuration to identify non-compliant certificates
- Certificate re-enrollment to ensure all devices receive updated certificates
Organizations have until September 2025 to complete the transition, after which compatibility mode will be removed. After this deadline, authentication will fail for certificates without strong mapping (unless you are considering the unthinkable option).