Remember the blog we wrote back at the beginning of June 2023 about the KB5014754 update, when we were trying to make everyone aware of the enablement of strong certificate mapping? After that, Microsoft pushed the enforcement date to 2024, and now it is going to be enforced in 2025. What does that mean? Once a domain controller's KDC is in Full Enforcement mode, a certificate that cannot be strongly mapped to its Active Directory account is rejected for certificate-based (PKINIT) authentication, so a user with an old-style certificate simply stops logging on. If you are using a modern Intune CA such as EZCA, you were already prepared for this; but if you are using a legacy CA such as ADCS with offline templates, where the CA never looks up the requesting account and therefore never adds the SID, you must get the SID into the certificate yourself to prevent issues with the KB5014754 update.
To see whether a certificate already has a strong mapping for Active Directory, open it and look through its extensions for the OID “1.3.6.1.4.1.311.25.2”. This is the SID extension that an updated ADCS enterprise CA adds automatically when it can resolve the requester in AD; if it is present, the certificate looks like the picture below:
If that extension is missing, the mapping might instead be carried as a URI in the Subject Alternative Name field. Check for an entry that starts with “URL=tag:microsoft.com,2022”; the full form is tag:microsoft.com,2022-09-14:sid: followed by the account's SID. A certificate that has neither the extension nor the SAN URI (and no explicit altSecurityIdentities mapping on the account) will be rejected under Full Enforcement.
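Searching certificates one at a time in the viewer does not scale, so here is an added PowerShell example (not code from the original post or from EZCA) that audits every certificate in a store for both forms of strong mapping described above. It assumes the SID extension OID 1.3.6.1.4.1.311.25.2 and the tag:microsoft.com,2022-09-14:sid: SAN URI prefix from KB5014754, that the SID inside the extension is encoded as an ASCII string (so a regex over the raw bytes finds it), and that it runs in Windows PowerShell, where the SAN Format() output uses the “URL=” label; the store path is a parameter you can point at Cert:\LocalMachine\My for computer certificates.

```powershell
# Added example (not from the original post): audit a certificate store for KB5014754 strong mapping.
# Assumptions: SID extension OID and SAN URI tag from KB5014754; ASCII-encoded SID inside the extension;
# Windows PowerShell on Windows so X509Extension.Format() renders SAN entries as "URL=...".
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
$SidUriPrefix    = 'tag:microsoft.com,2022-09-14:sid:'
$SidPattern      = 'S-1-\d+(?:-\d+)+'

function Test-StrongCertificateMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Form 1: the szOID_NTDS_CA_SECURITY_EXT extension added by an updated enterprise CA.
    $extensionSid = $null
    $sidExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
    if ($sidExt) {
        # The SID string sits inside an OCTET STRING; decoding the DER as ASCII keeps it intact.
        $raw = [System.Text.Encoding]::ASCII.GetString($sidExt.RawData)
        if ($raw -match $SidPattern) { $extensionSid = $Matches[0] }
    }

    # Form 2: a SAN URI of the form tag:microsoft.com,2022-09-14:sid:<SID> (what Intune/SCEP can add).
    $sanSid = $null
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $text = $san.Format($true)   # multi-line text, e.g. "URL=tag:microsoft.com,2022-09-14:sid:S-1-5-21-..."
        $uriPattern = 'URL=' + [regex]::Escape($SidUriPrefix) + '(' + $SidPattern + ')'
        if ($text -match $uriPattern) { $sanSid = $Matches[1] }
    }

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Thumbprint      = $Certificate.Thumbprint
        NotAfter        = $Certificate.NotAfter
        HasSidExtension = [bool]$sidExt
        HasSidSanUri    = [bool]$sanSid
        Sid             = if ($extensionSid) { $extensionSid } else { $sanSid }
        StrongMapping   = [bool]($sidExt -or $sanSid)
    }
}

function Get-WeaklyMappedCertificates {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |                     # only certificates this principal can authenticate with
        ForEach-Object { Test-StrongCertificateMapping -Certificate $_ } |
        Where-Object { -not $_.StrongMapping }
}

# Usage: list the user certificates that will be rejected once the KDC enforces strong mapping.
Get-WeaklyMappedCertificates | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Optional sanity check: the SID in the certificate should be the SID of the account using it.
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-StrongCertificateMapping -Certificate $_ } |
    Where-Object { $_.Sid -and $_.Sid -ne $mySid } |
    Format-Table Subject, Sid -AutoSize
```

The second query matters as much as the first: a certificate can carry a SID and still fail (or, worse, map to the wrong account) if the SID does not belong to the principal presenting it, which is exactly the condition KB5014754 was introduced to catch.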
So you checked your certificates and they don't have the strong mapping. What can you do? First, buy yourself time on the domain controllers: the KDC's enforcement level is controlled by the StrongCertificateBindingEnforcement DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement). Set it to Compatibility (1) rather than Disabled (0), so weakly mapped certificates keep working while the KDC still logs them (events 39, 40 and 41 in the System log) and you can see what is left to fix. Then fix the certificates in Intune: add a “URI” Subject Alternative Name to the certificate profile carrying the tag:microsoft.com SID value shown above, with the user's on-premises SID filled in. This puts the SID in every newly issued certificate, so once all users have re-enrolled you can move the KDC to Full Enforcement (2) without issues from the KB5014754 update. Remember that the registry value is a temporary workaround, not a fix: the enforcement update will eventually take that choice away from you.
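To make the domain-controller side of this procedure concrete, here is an added PowerShell example (not code from the original post or from EZCA) that reads and sets the KDC enforcement mode and pulls the weak-mapping events that show which logons would break under Full Enforcement. It assumes the KB5014754 registry value StrongCertificateBindingEnforcement under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, the Kerberos KDC event IDs 39, 40 and 41 documented for that update, and that it is run elevated on a domain controller.

```powershell
# Added example (not from the original post): inspect and stage the KDC strong-mapping mode.
# Assumptions: KB5014754 registry value and event IDs; run as administrator on a domain controller.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

function Get-KdcStrongBindingMode {
    $value = (Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    switch ($value) {
        0       { 'Disabled (0): no strong-mapping checks at all; weakest setting, avoid' }
        1       { 'Compatibility (1): weak mappings still accepted, but logged as events 39/40/41' }
        2       { 'Full Enforcement (2): certificates without a strong mapping are rejected' }
        default { 'Not set: the behaviour of the installed update applies' }
    }
}

# Stage the mode explicitly. Use 1 while certificates are being reissued, then 2 once every
# certificate carries the SID; never leave 0 in place just to make the errors go away.
function Set-KdcStrongBindingMode {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode)
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-KdcStrongBindingMode
}

# Event 39: certificate could not be strongly mapped. Event 40: certificate predates the account.
# Event 41: SID in the certificate differs from the mapped account. Each one is a logon that fails at mode 2.
function Get-WeakMappingEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# Usage: confirm the current mode, then review a month of weak-mapping events before switching to 2.
Get-KdcStrongBindingMode
Get-WeakMappingEvents -Days 30 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Run the event query on every domain controller (the events are logged by whichever KDC handled the logon), and treat an empty result over a full certificate-renewal cycle as the signal that it is safe to call Set-KdcStrongBindingMode -Mode 2.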
If you are tired of managing your legacy ADCS CA and want to move to something modern that updates itself, so you can stop dealing with these headaches, you can move to a modern CA such as EZCA, a cloud-native certificate authority (CA) with an easy-to-use API that helps developers seamlessly issue and manage X.509 certificates in Azure. With EZCA, you can automate certificate issuance via industry-standard protocols like EST, SCEP, and ACME, and use a REST API for custom integrations. Whether you're securing IoT devices, web applications, or enterprise infrastructure, EZCA makes certificate management simple, scalable, and secure. Explore our documentation to learn more about EZCA's features and integrations, or schedule a free consultation with one of our PKI experts to get started with your cloud certificate authority today.