Updated 6/23/2025: Intune is currently rolling out support for "Given Name" and "Surname" attributes in the SCEP profile; support is expected to be available for all customers by end of week.
By July 16, 2025, all public Certification Authorities (CAs) will enforce new S/MIME Baseline Requirements as announced in the CA/Browser Forum. This requires all Sponsor-validated S/MIME certificates issued by public CAs to include "Given Name" and "Surname" attributes in the certificate Subject Name. If these attributes are missing, public CAs will reject certificate requests. The timeline of this enforcement is non-negotiable and applies to all public CAs.
Microsoft is a member of the CA/Browser Forum and has been working closely with several third-party CA providers to align with the updated S/MIME Baseline Requirements. Several third-party CAs have confirmed that they will block issuance of noncompliant certificates starting July 16, 2025.
Important: Intune is actively working to support the new attributes in the Subject Name; support is expected to be available in mid-June 2025. We’ll update this blog once it has been rolled out.
Impact to Intune SCEP certificate profiles with third-party CAs
This change directly impacts customers using Intune SCEP certificate profiles with third-party public CAs to issue S/MIME certificates for secure email that are anchored to a public root CA (that is, the issued certificate is part of a trust chain that ultimately leads to a publicly trusted root Certificate Authority). This includes using a third-party CA provider via the Intune SCEP API for S/MIME certificates.
Note: You’re not impacted by this change if you aren’t using S/MIME certificates for email or if you use a private CA, such as Active Directory Certificate Services or Intune Cloud PKI.
If affected:
- Certificate requests (new or renewals) for S/MIME (signing or encryption) from Intune-enrolled devices that do not include “Given Name” and “Surname” in the Subject Name will be rejected by public CAs, which may prevent users from reading or signing emails.
- Editing an existing certificate profile to include these attributes will cause a reissuance of all certificates, which may incur additional costs depending on your CA agreement.
For a list of third-party CAs, refer to: Use third-party certification authorities (CA) with SCEP in Microsoft Intune | Microsoft Learn
Action required to avoid service disruption:
- Contact your third-party CA provider to ensure they’re aware of the change and will reissue S/MIME Sponsor-validated certificates per the CA/Browser Forum requirements.
- Review your Intune SCEP certificate profiles used for S/MIME scenarios.
- Update the SCEP profile’s Subject Name field to include the following two variables:
  - G={{GivenName}}
  - SN={{SurName}}

  Note: Intune is actively working to support these variables in the Subject Name; support is expected to roll out in mid-June 2025.

  [Image: A screen capture of the Intune SCEP profile with the two variables added to the Subject Name field.]
- Test the changes by creating a new profile and targeting a small user group before broader deployment.
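To support the profile review step above, here is an added example (not Microsoft's or Intune's code) that checks Subject Name format strings for the two variables named on this page. The profile names and sample strings are constructed, and flagging a static value in place of a variable is this example's own policy.

```python
import re

# Variables named on the page for the SCEP profile's Subject Name field.
REQUIRED = {"G": "{{GivenName}}", "SN": "{{SurName}}"}

def split_rdns(subject: str) -> list[tuple[str, str]]:
    """Split a Subject Name format string on unescaped commas into (type, value) pairs."""
    pairs = []
    for part in re.split(r"(?<!\\),", subject):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        # Attribute types are compared case-insensitively; values are kept as written.
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_subject(subject: str) -> list[str]:
    """Return findings; an empty list means both attributes use the page's variables."""
    attrs = dict(split_rdns(subject))
    findings = []
    for key, variable in REQUIRED.items():
        if key not in attrs:
            findings.append(f"missing {key}={variable}")
        elif attrs[key] != variable:
            # A static value would give every targeted user the same name.
            findings.append(f"{key} is set to {attrs[key]!r}, expected {variable}")
    return findings

# Constructed sample profiles (names and values are made up for this example).
PROFILES = {
    "smime-signing-old": "CN={{UserName}},E={{EmailAddress}}",
    "smime-signing-new": "CN={{UserName}},E={{EmailAddress}},G={{GivenName}},SN={{SurName}}",
    "smime-static-name": r"CN=Doe\, Jane,G=Jane,SN={{SurName}}",
}

def audit(profiles: dict[str, str]) -> dict[str, list[str]]:
    """Map each profile name to its list of findings."""
    return {name: check_subject(s) for name, s in profiles.items()}

if __name__ == "__main__":
    for name, findings in audit(PROFILES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Replace `PROFILES` with the Subject Name strings copied from your own S/MIME SCEP profiles; any profile with findings would produce requests that lack the required attributes.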
For more detailed background specific to the S/MIME requirement, refer to the CA/B Forum S/MIME Baseline Requirements.
If you have any questions, leave a comment below or reach out to us on X @IntuneSuppteam.