Intune Certificate Connector and OID 1.3.6.1.4.1.311.25.2


Hi,

Way back in May, when update KB5014754 broke cert auth for so many orgs, it was identified that whilst RPC auto-enrolled certificates will get the new required OID, the Intune certificate connector can't do the same.

As the timeline on the KB (https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-wind...) states that enforcement will happen from updates released on February 14th 2023, is there any indication that a fix will be deployed for the Intune certificate connector ahead of that time?

We have many customers using Intune-enrolled certificates to authenticate for AOVPN, WiFi and more, which will stop working once this change is enforced.

February doesn't seem like a long time away when a solution likely means needing to get the connectors updated and other possible changes.


@Peter Holland

Hi,

Any update on the way?

Guessing this may be part of the reason the final change has been pushed back to October/November.

Would be good to get some information on the planned change and whether there is a preview that could be signed up for. Lots of our customers would like to get in on that.
Is there any official update/roadmap for this issue?

Good find.
Hopefully it trickles down.
Slight concern that it states a preview build of Windows Server is needed. Hopefully it won't end up needing a CA upgrade to work!

Just updated the Intune PKCS certificate configuration to add the SAN attribute UPN with value {{UserPrincipalName}} and bang: authentication works. It seems that KB5014754 adds the requirement to have a SAN attribute that contains the UPN in the certificate, but I didn't find any reference for this. This will work until full enforcement is in place on February 11, 2025. Still waiting for a solution to provide strong certificates to users via Intune.

But one cannot (obviously) add CN={{UserPrincipalName}} to a DEVICE certificate (and that is what I use for WiFi RADIUS authentication).

That's correct, but you can easily switch the RADIUS authentication to a USER certificate.

I can do whatever, but that does not change anything; this OID still does not get into MSAD CA-issued certificates.

And a user certificate is madness, as in the not-logged-in state the machine is actually NOT connected!
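An added example, not from this thread or from Microsoft: a PowerShell audit that reports, for each certificate with a private key in the user and machine stores, whether it carries the 1.3.6.1.4.1.311.25.2 extension the thread asks about or only the SAN UPN workaround described above, so you can see before enforcement which certificates will stop authenticating. It assumes Windows with the built-in Cert: drive; the Verdict labels are the script's own.

```powershell
# Added audit script (not from the thread or from Microsoft/Intune).
# Assumes Windows PowerShell or PowerShell 7 on Windows with the built-in Cert: drive.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # the certificate SID extension the thread is about
$SanOid          = '2.5.29.17'              # Subject Alternative Name

function Test-CertMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Strong mapping: the SID extension an updated AD CS adds during enrollment
    $hasSidExt = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid })

    # Implicit mapping: a UPN in the SAN, rendered by Windows as "Principal Name=user@domain"
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $hasUpn  = $sanText -match 'Principal Name='

    # Verdict labels are this script's own, not Microsoft terminology
    $verdict = 'NoMappingData'
    if ($hasUpn)    { $verdict = 'UpnSanOnly' }     # works until full enforcement
    if ($hasSidExt) { $verdict = 'SidExtension' }   # carries the required OID

    [pscustomobject]@{
        Verdict    = $verdict
        HasSidExt  = $hasSidExt
        HasSanUpn  = $hasUpn
        NotAfter   = $Cert.NotAfter
        Issuer     = $Cert.Issuer
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
    }
}

# User store covers PKCS user certs; the machine store (needs elevation) covers device certs
$stores  = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
$results = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { Test-CertMapping -Cert $_ }
}

$results | Sort-Object Verdict | Format-Table Verdict, HasSidExt, HasSanUpn, NotAfter, Subject -AutoSize
```

Run it on a device enrolled through the Intune connector and on one auto-enrolled directly from the CA to compare which path produces the SidExtension verdict.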