Blog Post

Intune Customer Success
6 MIN READ

Support tip: Implementing strong mapping in Microsoft Intune certificates

Intune_Support_Team's avatar
Intune_Support_Team
Silver Contributor
Feb 09, 2024
Updated 11/25/24: Strong mapping for SCEP certificates has now been fully rolled out, with support available on Windows, iOS, macOS, and Android operating systems.   With the May 10, 2022 Windows...
A screenshot of the SID variable added to the SCEP profile in Microsoft Intune admin center.
Updated Dec 09, 2024
Version 11.0
Certificates
denkz's avatar
denkz
Copper Contributor
Feb 21, 2025

We have an issue where the PKCS certificates are issued with the SID on already installed clients. But when a certificate is issued during pre-provision the certificate is missing the SID. This causes alot of issues since we are rolling out and the devices need to be able to connect to Wifi/LAN and VPN during this process.

henkka_fi's avatar
henkka_fi
Copper Contributor
Mar 18, 2025

We encountered similar issues with SCEP certificates and Autopilot pre-provisioning with Entra hybrid joined devices. During provisioning phase, the computer object gets created with ODJ, but the device only gets a certificate without AD object SID in SAN URI even if the SCEP certificate profile includes the configuration. The device thus cannot establishish a connection/trust relationship to AD through Microsoft NPS because of 802.1X certificate strong mapping requirement and it has no SID which is required for Intune strong mapping enabled SCEP certificate deployment.

I do know that Entra hybrid join requirements for Autopilot deployment state that the device must have "access to an Active Directory domain controller of the domain being joined", but this was never an issue using 802.1X EAP-TLS before strong mapping enforcement AFAIK. At the moment, compatibility mode seems to be the only way to resolve this temporarily until September 2025.

Interested to hear, if you get some resolution for the issues from MS support.

  • denkz's avatar
    denkz
    Copper Contributor
    Mar 26, 2025

    Well we submitted a support ticket with the Intune Support team and since Intune is able to request a certificate without errors the ticket was archived by Microsoft since it's a Windows Server Issue most likely. I hoped they could escalate the ticket to Windows support team but that wasn't possible. So now I'm trying to figure out how to submit a support ticket to the Windows team instead. So no resolution yet.