By July 16, 2025, all public CAs will enforce new S/MIME Baseline Requirements mandating “Given Name” and “Surname” in certificate Subject Names. Intune users with SCEP profiles must update settings to avoid certificate rejections and email disruptions. Intune support for this rolls out mid-June 2025. Unique :
Update Your Intune SCEP Profiles for New S/MIME Rules
Heads up, tech pros! By July 16, 2025, all public Certification Authorities (CAs) will enforce updated S/MIME Baseline Requirements. This means your Intune SCEP certificate profiles need a refresh to stay compliant and avoid service disruptions.
What’s New with S/MIME Certificates?
The CA/Browser Forum now requires Sponsor-validated S/MIME certificates to include both “Given Name” and “Surname” in the certificate Subject Name. If these attributes are missing, public CAs will reject the certificate requests outright. No exceptions.
“If these attributes are missing, public CAs will reject certificate requests.”
Microsoft is aligned with this update and working closely with third-party CAs to ensure smooth adoption. Many third-party CAs will start blocking noncompliant certificates from July 16, 2025.
Major Impact on Intune SCEP Certificate Profiles
This update mainly affects organizations using Intune SCEP profiles with third-party public CAs for issuing S/MIME certificates. These certificates are crucial for secure email signing and encryption.
Note that if you don’t use S/MIME certificates or rely on private CAs like Active Directory Certificate Services or Intune Cloud PKI, you’re not impacted.
For affected users, any certificate requests without the new attributes will be rejected. This could block users from reading or signing emails, causing major headaches.
“Certificate requests…that do not include ‘Given Name’ and ‘Surname’…will be rejected by public CAs.”
Also, updating existing profiles to include these attributes triggers a reissuance of all certificates, which might add costs depending on your CA agreement.
Action Steps to Stay Ahead
- Contact your third-party CA provider to confirm they’re ready to comply with the new requirements.
- Review and update your Intune SCEP certificate profiles for S/MIME usage.
- Modify the Subject Name field to include
G={{GivenName}}andSN={{SurName}}variables. - Test changes with a small user group before a full rollout.
Microsoft plans to support these new Subject Name variables in Intune by mid-June 2025. Keep an eye out for their official rollout announcement.
Why This Matters
Failing to update your profiles means certificate requests will fail, disrupting secure email workflows. Staying compliant ensures uninterrupted email signing and encryption.
For more details, check out Microsoft’s guide on using third-party CAs with Intune SCEP and the CA/Browser Forum’s S/MIME Baseline Requirements.
Got questions? Reach out to the Intune Support Team on Twitter @IntuneSuppteam or leave a comment on Microsoft’s community hub.
From the New blog articles in Microsoft Community Hub
Windows Server Devices Now Recognized as a New OS in Intune Microsoft has announced that Windows Server devices are Read more
Microsoft Power Platform is leading the way in AI-generated low-code app development. With the help of AI, users can quickly Read more
Microsoft Intune is an enterprise mobility management platform that helps organizations manage mobile devices, applications, and data. The October edition Read more
Microsoft Intune has released its November edition, featuring new updates to help IT admins better manage their organization’s mobile devices. Read more
