Jamf SCEP proxy guidance for Microsoft CA in light of Strong Certificate Binding Enforcement

user-mbQTRaLJlG
New Contributor II

Hi All, 

In light of Microsoft security updates KB5014754: Certificate-based authentication changes on Windows domain controllers and the 2/12/2025 KB5051979 which toggled Full Enforcement Mode as promised for February 2025 (which you can temporarily delay until September 2025):

What is Jamf's best practice guidance for implementation of Jamf SCEP Proxy?  SCEP requests issued using the proxy supply RFC822 name in SCEP request and utilize a certificate template that allows that - but the resulting certificate does not have the necessary SID to work with the new Microsoft security posture outlined in the security updates.

Any thoughts or guidance from anyone?  Thanks!


user-mbQTRaLJlG
New Contributor II

OK, dug a little and found it - Thank you Jamf for the article/guidance.  

https://learn.jamf.com/en-US/bundle/technical-articles/page/Supporting_Microsoft_Active_Directory_St...

crystal548
New Contributor

@user-mbQTRaLJlG wrote:

Hi All, 

In light of Microsoft security updates KB5014754: Certificate-based authentication changes on Windows domain controllers and the 2/12/2025 KB5051979 which toggled Full Enforcement Mode as promised for February 2025 (which you can temporarily delay until September 2025):

What is Jamf's best practice guidance for implementation of Jamf SCEP Proxy?  SCEP requests issued using the proxy supply RFC822 name in SCEP request and utilize a certificate template that allows that - but the resulting certificate does not have the necessary SID to work with the new Microsoft security posture outlined in the security updates.

Any thoughts or guidance from anyone?  Thanks!


You're right to be concerned. Microsoft's KB5014754 and KB5051979 updates, culminating in full enforcement in February (or September, with the grace period) 2025, significantly impact certificate-based authentication, especially for SCEP. The core issue is that the updates prioritize Subject Alternative Name (SAN) values (specifically, the userPrincipalName or rfc822Name) for user mapping, and many SCEP implementations (including some Jamf SCEP Proxy setups) don't include the necessary Security Identifier (SID) in the certificate. This prevents Windows from properly associating the certificate with the user account.
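A way to verify the point above on a certificate the proxy actually issued, added here as an example and not code from the thread or from Jamf: it looks in a PEM or DER certificate for the Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) that strong mapping under KB5014754 depends on. The OID is Microsoft's published one; the sample extension layout in `build_sid_extension` and the `tlv`/`find_sid` helpers are the example's own assumptions.

```python
# Added example (not from the thread or Jamf): scan a certificate for the KB5014754 SID extension.
import base64
import re

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"  # szOID_NTDS_CA_SECURITY_EXT

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV, short-form length only (enough for this example)."""
    return bytes([tag, len(body)]) + body

def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def load_der(data: bytes) -> bytes:
    """Accept PEM or DER; PEM armor is stripped and base64-decoded."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [ln for ln in data.splitlines() if not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data

def find_sid(cert: bytes):
    """Return the SID carried in the extension, or None if it is absent.
    Not a full ASN.1 parse: the SID is ASCII text inside a nested OCTET
    STRING, so a bounded window after the extension OID is scanned."""
    der = load_der(cert)
    pos = der.find(encode_oid(SID_EXT_OID))
    if pos < 0:
        return None
    m = re.search(rb"S-1-5-\d+(?:-\d+)*", der[pos:pos + 256])
    return m.group(0).decode() if m else None

def build_sid_extension(sid: str) -> bytes:
    """Constructed sample of the documented layout (assumed here): SEQUENCE
    { OID, OCTET STRING { SEQUENCE { [0] { OID ..25.2.1, [0] { OCTET STRING sid } } } } }."""
    inner = tlv(0xA0, encode_oid(SID_EXT_OID + ".1") + tlv(0xA0, tlv(0x04, sid.encode())))
    return tlv(0x30, encode_oid(SID_EXT_OID) + tlv(0x04, tlv(0x30, inner)))

# Constructed PEM-wrapped sample: the extension alone, not a whole certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(build_sid_extension("S-1-5-21-1-2-3-1105"))
              + b"\n-----END CERTIFICATE-----\n")
```

For a real certificate, pass the PEM file's bytes to `find_sid`; a `None` result means the issued certificate lacks the SID extension and will only map weakly (or not at all) once enforcement is on.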