Moving away from MS Certificate Authority and vetting cloud PKIs (SCEPman, SecureW2, EJBCA). So far everything has seemed straightforward, but I may have just hit a design snag.
TODAY all of our endpoints will be Hybrid AD Joined, so they have computer objects in on-premise AD. If using MS Intune to enroll a device cert via cloud PKI, everyone recommends using AAD_Device_ID (Azure AD) or DeviceId (Intune) for the subject name (SN) — presumably for OCSP validation. Those attributes aren’t known to on-premise AD, so how could NPS validate device certs?