Kev_Chan : It makes sense to do that in the time frame between the Intune Release that adds the SIDs (expected in September 2024) and the time that strong mapping is enforced (at latest February 11, 2025 according to https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). It is only required if you are actually using your certificates for on-prem AAD authentication.
You can trigger a revocation and re-enrollment centrally by changing specific values in your Intune SCEP Configuration profile. Here is a list that shows which properties trigger a re-enrollment and which do not: https://docs.scepman.com/other/troubleshooting/re-enrollment-trigger. If you do that, your clients will request new certificates all at once, within a few seconds. I have heard that it delays some requests if it is more than 5000 clients, but I am not certain. 5000 requests within a few seconds might be too much for your PKI/SCEP service, so make sure that it can handle this many requests at once or use another technique to enroll new certificates.
For example, you could create a new SCEP enrollment profile and move users in smaller batches from your existing SCEP enrollment profile to the new one.
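As an added example (not part of Kev_Chan's reply or the linked docs), the PowerShell check below reports which certificates in a store already carry the SID security extension (OID 1.3.6.1.4.1.311.25.2, the extension that KB5014754 strong mapping relies on), so you can size how many clients actually still need re-enrollment before enforcement. The store path Cert:\CurrentUser\My and the function name Get-SidMappingReport are assumptions.

```powershell
# Added example: find certificates that lack the SID security extension
# (szOID_NTDS_CA_SECURITY_EXT, 1.3.6.1.4.1.311.25.2) used for strong mapping.
# Certificates without it (and without another strong mapping such as an
# altSecurityIdentities entry) stop working for certificate-based AD
# authentication once the domain controllers reach enforcement mode.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'

function Get-SidMappingReport {
    param(
        # Assumption: SCEP-issued user certificates live in the user's personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |      # only certs this client can authenticate with
        ForEach-Object {
            $cert   = $_
            $sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
            # The SID is stored as an ASCII string inside the ASN.1 structure,
            # so a regex over the raw bytes is enough to surface it for review.
            $sidText = ''
            if ($sidExt) {
                $ascii   = [System.Text.Encoding]::ASCII.GetString($sidExt.RawData)
                $sidText = [regex]::Match($ascii, 'S-1-\d+(-\d+)+').Value
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                HasSidExt  = [bool]$sidExt
                Sid        = $sidText
            }
        }
}

$report  = @(Get-SidMappingReport)
$missing = @($report | Where-Object { -not $_.HasSidExt })

$report | Format-Table -AutoSize
Write-Host ("{0} of {1} certificates lack the SID extension and need re-enrollment before enforcement." -f $missing.Count, $report.Count)
```

Run it per device (for example through a remediation script) and aggregate the counts centrally to decide whether a single profile change or the batched-profile approach from the post is the safer way to re-enroll.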