This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 88%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
We have this:
Then we have this:
And also this:
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep
which states that {{OnPremisesSecurityIdentifier}} :
You can add the variable, formatted as {{OnPremisesSecurityIdentifier}}, to new and existing profiles in the Microsoft Intune admin center. This variable is supported in user certificates for macOS, iOS, and Windows 10/11, and only works with the URI attribute.
But I do NOT authenticate users access via USER certificate but MACHINE certificate
It seems that OnPremisesSecurityIdentifier is not added to the machine certificate (maybe because the machine does not fully exists in AD - I only have ghost objects to be used for Radius authentication)
So what is the deal with it? Another half-baked solution?
Empty instead of not allowed delete
Got my answer here:
So what does one do with machine certificates when strongcertificatebindingenforcement is fully enforced in Sept 2025?
For device certificates, only Microsoft Entra hybrid joined devices will have SID information, so strong mapping changes are applicable only to Windows devices that are Microsoft Entra hybrid joined. For other device types, like iOS or Android, strong mapping is not supported for device certificates, and user certificates should be used instead.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Sebastian Cerazy, Thanks for posting in Q&A. For device certificate, we can also add the variable, formatted as {{OnPremisesSecurityIdentifier}}, to new and existing profiles. You can see the information as below:
And yes, it is only supported in device certificates for Microsoft Entra hybrid joined devices and only works with the URI attribute. For other device types, the device certificates that authenticate with the KDC will be denied when it is fully enforced in Sept 2025 according to the above links. And user certificates should be used instead. For the device certificates that are not authenticated with the KDC, it will not affect, I think.
Hope my above thoughts can give you some help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
User certificates for WiFi access is an unworkable solution!
Device without user logged in, if NOT connected to WiFi. And if there is no connectivity to network, then there is no user authentication (because that relies on the network being connected)
Catch 22?
Sure there must be something better?
Seb
@Sebastian Cerazy, For the WiFi, was it needs to authenticate with Local active directory. If not, it will not affect. The change only affects the certificate authenticated with local active directory.
Ofcourse it authenticates against local AD DC via on-prem NPS Radius
@Sebastian Cerazy, thanks for your reply. For these devices, are they Microsoft Entra Hybrid joined? For this type we can add {{OnPremisesSecurityIdentifier}}. For other join type, it is not supported yet. The only method I can find now is to change WiFi product.
You can feedback under the blog or open case to see if any other suggestion for this scenario can be provided.