Updated 11/25/24: Strong mapping for SCEP certificates has now been fully rolled out, with support available on Windows, iOS, macOS, and Android operating systems.
With the May 10, 2022 Windows...
Updated Dec 09, 2024
Version 11.0
Blog Post
6 MIN READ
Support tip: Implementing strong mapping in Microsoft Intune certificates
Any reason why PKCS managed to get away with just a connector change?
SCEP is going to be quite painful in comparison. The original rollout proposal where it automatically added the SAN was a lot more favourable imo.
I’m guessing the best course of action would be to rollout the new SCEP certificate first gradually, then make the switch in associated VPN/Wi-Fi profiles to avoid a chicken/egg situation where it kills the profile entirely due to lack of cert whilst transitioning.
Biggest problem I see is AOVPN not taking kindly to config changes for Entra Joined devices. Talking specifically about the https://directaccess.richardhicks.com/2021/09/20/always-on-vpn-short-name-access-failure. Any config changes will reapply the profile and wipe the modified value - meaning you’ll have to wait for scheduled remediation.
All in all, not going to be a fun rollout.