Intune: Wi-Fi 802.1x, NPS, and user PKCS certificates (2023)

By Katy Nicholson, posted on September 23, 2021

One of the things I dislike most about Azure AD joined devices on our corporate network (using NPS on Windows Server for authentication) is that entering my credentials on every connection is a poor user experience compared to, say, a traditional device-joined domain that can seamlessly authenticate per device or user. While there isn't really a way to replicate device-based authentication with Azure AD joined devices (in short, there's no computer object in AD for NPS to look up), you can configure things to use a user certificate.

There are some prerequisites for this:

  • Wireless network with WPA2-Enterprise (or any variant that uses 802.1x)
  • Active Directory domain already configured
  • AD Certificate Authority already configured (Enterprise CA)
  • User accounts synchronized with Azure AD
  • NPS installed and configured
  • Devices joined to Azure AD and enrolled in Intune

As part of this process, we set up a certificate template, installed the Intune Certificate Connector for Intune on a server of your choice, and created some configuration profiles.

(Video) Create and Deploy Wifi profile in Microsoft Intune

Configuring the certificate authority

The first step is to set up a template on the CA server:

  • Open the certificate authority console, expandcertificate templates, right click and select the folderAdministrator🇧🇷 This will open the certificate template console.
  • Find themof the userCertificate template, right click and select itDuplicate.
  • On the General tab, give the template a name, and on the Compatibility tab, set the Certification Authority to Windows Server 2008 R2 and the Certificate Subject to Windows 7/Server 2008 R2.
  • On the Request Management tab, select the Allow private key export check box. This is required for the Intune connector to install the private key on the end user's device.
  • On the Encryption tab, make sure the minimum key length is 2048.
  • On the Request Subject Name tab, verify that Deliver is selected.
  • On the Extensions tab, under Application Policies, make sure there are three entries: Client Authentication, Secure Email, and Encrypting File System.
  • On the Security tab, add the server computer account you're using for the Intune connector with read and write permissions. Click Apply to save the template and close the console.
  • Back in the AC console, right clickcertificate templatesand catchNew > Certificate template to issue🇧🇷 Select the template you just created.
  • Finally, we need to allow the server to manage the certificates: open the CA properties and add the account of the server computer that will host the connector.Issue and manage certificatesmirequest certificatespermissions
  • If you have not yet exported your root CA certificate, open the CA's properties, select the current certificate from the list, and click View Certificate. From there, you can go to the Details tab, click Copy to File, and export it as a Base64-encoded .cer file.

Install the certificate connector for Intune

We need a service account to run the connector, assuming you don't want it to run as SYSTEM. I haven't tested it as SYSTEM, but unfortunately the documentation isn't very clear on permissions; it basically says that it has to be an administrator account on the server, with rights to login as a service. If you're trying to put this on a domain controller, your only option is to add the account to the domain administrators group. Don't forget to configure login as a service directly in gpedit.msc.

Open the Intune portal and go toTenant administration > Connectors and tokens > Certificate connectors🇧🇷 Click Add and follow the link and instructions to download the installer.

Run the installer with administrator privileges on the server. Follow the steps and make sure you have at least PKCS selected in the list of features. At a minimum, you must select PKCS and Certificate Revocation.

After successfully completing and completing the wizard, you should be able to refresh the Certificate Connectors page and see your connector listed.

(Video) Microsoft Endpoint Manager Intune Configuration Profiles Part XII Wi Fi Profiles

Deploy AD CA root certificate

You must install the root CA certificate from the Trusted Root Store on your end user devices. We can do this using a configuration profile: go to the Intune portalDevices > Configuration Profilesand click Create Profile. Select the platform (Windows 10+) and then Profile Type: Templates > Trusted Certificate. If you try to implement this on other devices, the profile type might be slightly different, but it should be obvious which one is a trusted certificate.

Follow the steps and upload the root CA certificate .cer file that you exported earlier. Complete the tasks as required and complete the wizard. In my case, I assigned this to a device group that contained my Surface devices.

NPS Network Policy

Assuming you already have a working 802.1x WiFi setup, you should at least have a network policy in NPS. Make sure that one of the authentication methods is "Microsoft: smart card or other certificate". You don't need to remove the other options: if you leave PEAP and strong password enabled, users will still be able to log in with their username/password as usual. We'll use a client-side configuration profile to force the client to use a certificate.

Check which certificate NPS uses to identify itself: Under Conditions > Authentication Methods, click the different options and click Edit. This should open a window indicating the current certificate. Having this issued by your AD CA makes configuring the profiles easier, but it doesn't have to be: mine is issued by DigiCert, so I need to get the root CA certificate used (DigiCert Global Root CA in this case ) and redo the steps above to deploy that certificate to the devices.

provide the certificate

Now we need to create a PKCS certificate configuration profile: go to the Intune portalDevices > Configuration Profilesand click Create Profile. Select Platform (Windows 10+) and then Profile Type: Templates > PKCS Certificate.

(Video) Device configuration Profiles Create Android Enterprise Wi Fi Profile creation - Intune No#65

Complete the fields as follows; leave the default settings, except:

  • Key Storage Provider - Login to KSP Software
  • Certification Authority: The FQDN of the CA server that issues the certificates. This can be the root server or a secondary server (preferably secondary as the company's corporate root CA must be offline).
  • Certificate Authority Name: The name that appears in the CA console, usually DOMAIN-COMPUTERNAME-ca
  • Certificate Template Name: The name of the certificate template created above
  • Certificate Type: User
  • Subject Alternative Name: User Principal Name (UPN), Value: {{UserPrincipalName}}
  • Advanced Key Usage: Client Authentication, Secure Email (these two can be added using the Preset dropdown), and finally Encrypting File System, I'm not sure if you need the secure email and EFS entries here, but I had a lot of trouble getting the certificate to be automatically picked up by the Windows 10 device, and since they're in the certificate, they can be entered here as well.

Assign the profile to the appropriate groups (you can target a device if you want to select "all users on these devices"). Wait a moment for your devices to update their configuration profiles (or click Sync in the portal) and you should see your CA issuing certificates. If you open mmc and add the Certificates (Users) snap-in on a client device, you should see the certificate displayed on the device.

A quick note here: if your usernames and UPNs don't match, you may not be able to authenticate, ie H. Your pre-Win2000 username should match the beginning of your UPN. DOMAIN\myusername and[Email protected]

Creating the Wi-Fi profile

Go to the Intune portal nowDevices > Configuration Profilesand click Create Profile. Select the platform (Windows 10 and later) and then the profile type: Templates > Wi-Fi. Follow the steps and complete the following settings:

(Video) ClearPass integration with Intune and Azure AD - Part 4

  • Wi-Fi Type: Business
  • WiFi Name (SSID): Your WiFi SSID
  • Connection Name – The name displayed in Windows, usually the same as the SSID
  • Automatically connect when in range: Yes
  • Authentication mode: user
  • EAP Type: EAP-TLS (this is the "Microsoft: Smart Card or Other Certificate" you saw in NPS)
  • Server Trust: Certificate Server Names: The name of the certificate used by the NPS server, for example,
  • Server Validation Root Certificates – Find the root CA certificate that issued the NPS server certificate (which you should have previously uploaded as a trusted certificate). If your server's certificate is from AD CA, use the AD CA root certificate.
  • Client Authentication: Authentication Method: PKCS Certificate
  • Client Certificate (Identity Certificate): Select the PKCS certificate profile created above
  • Client Authentication Root Certificate: Select the previously uploaded AD CA root certificate

Complete the steps and assign them as needed. In my case, I assigned the surfaces to the group. While you can assign this to devices (as I did), don't expect this connection to work while no one is connected. A suitable certificate should already exist in the user's personal store; if no one is logged in, you probably expect SYSTEM to have a certificate.

testing your device

Now for the fun part (hopefully!): Make sure your device has some sort of network connection, e.g. connected through a port and synchronize with it. Wait a few minutes and verify that the profiles were applied successfully in the Intune portal.

You can verify that your certificate has been seen through the Certificates snap-in (within mmc.exe) or in PowerShellGet-ChildItem Cert:\CurrentUser\Mywhich should display a list of fingerprints and subjects.

(Video) Getting started with RADIUSaaS

The device must also have a wireless profile, which can be seen in Windows Settings > Wi-Fi > Known networks or by running itshow netsh wifi profileat a command prompt.

If you click the Wi-Fi connection menu in Action Center, you can connect to the network without entering any credentials and without confirming anything.

It doesn't work, help!

I had a lot of trouble getting this to work because of certificates. Make sure you have the correct certificate in the Wi-Fi profile. There are some troubleshooting methods you can use here:

  • Export device profile - runnetsh wlan export profileto export saved profiles to XML, which you can review in a text editor.
  • If you keep getting "Can't connect because you need a certificate to sign in," and you definitely have the certificate on your device, unassign the Wi-Fi profile from Intune and manually create it once the device has gone Wi-Fi. Fi profile: Go to Control Panel (control.exe, not new settings), Network and Sharing Center, Set up a new connection or network, Configure and edit advanced settings manually. Play around with it until the connection works or it throws another error.
  • If you manually created a profile on the device, export it as soon as it works. Try putting the same settings in the Intune profile. You can verify this by re-exporting the profile after it has been applied to the device and comparing the two files. This allowed me to determine if I was using the correct CA certificate for server validation.
  • Enable monitoring on the NPS server - run at command promptauditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enableand check the security log in Event Viewer. You should filter this to only show NPS related entries. Try connecting again and hopefully you'll see something useful in the log.
  • And finally, another niche case: If you can get NPS to forward billing packets to a filtering application to identify who is who, you can manipulate the attributes that NPS is passing. In my case we are using Fortigate and you cannot assign a UPN to a user, you have to provide a sAMAccountName/Pre-Win2000 login. By manipulating attributes, we can replace "@domain.tld" with an empty string. This only works if the first part of the UPN matches the sAMAccountName. This setting can be found in the connection request policy under "Attributes".

Other reading


How do I manage certificates with Intune? ›

Automating Certificate Generation for Managed Devices with MEM Intune
  1. Create a Custom Private Intermediate CA.
  2. Create a Signing CA, signed by the Intermediate CA.
  3. Generate the SCEP Gateway API URL and Shared Secret.
  4. Optional: Configure Custom Certificate Templates and Enrollment Policies.
Jan 10, 2022

How do I deploy certificates with Intune? ›

To deploy this certificate, you use the trusted certificate profile, and deploy it to the same devices and users that will receive the certificate profiles for SCEP, PKCS, and imported PKCS. Intune also supports use of Derived credentials for environments that require use of smartcards.

How do device certificates work? ›

A device certificate is an electronic document that is embedded into a hardware device and can last for the life of the device. The certificate's purpose is similar to that of a driver's license or passport: it provides proof of the device's identity and, by extension, the identity of the device owner.

What is PKCS certificate Intune? ›

Microsoft Intune includes built-in settings to use PKCS certificates for access and authentication to your organizations resources. Certificates authenticate and secure access to your corporate resources like a VPN or a WiFi network. You deploy these settings to devices using device configuration profiles in Intune.

How do I manually add certificates? ›

In order to import the certificate you need to access it from the Microsoft Management Console (MMC).
  1. Open the MMC (Start > Run > MMC).
  2. Go to File > Add / Remove Snap In.
  3. Double Click Certificates.
  4. Select Computer Account.
  5. Select Local Computer > Finish.
  6. Click OK to exit the Snap-In window.

What are certificates for Wi-Fi? ›

Wi-Fi certificates are used to secure visitors connecting to public networks. They protect the process of registering and logging on to the network. For this purpose, manufacturers require special TLS certificates from publishers certified by the Wi-Fi Alliance (Passpoint™ program).

Why does Wi-Fi need a certificate? ›

The Wi-Fi CERTIFIED logo gives consumers confidence that a product will deliver a good user experience. Service providers and enterprise IT managers specify Wi-Fi CERTIFIED to reduce support costs and ensure a product has met industry-agreed requirements.

What are user certificates used for? ›

User certificates specify which resources a given user can have access to. They are sometimes used on devices that several users share. When different users log in, their profile and certificate are automatically loaded, granting them access to their required information.

How to generate PKCS12 certificate? ›

  1. Copy the CRT and KEY files to the OpenSSL installation directory. ...
  2. Open a Windows command prompt and, if necessary, navigate to the OpenSSL installation directory.
  3. Generate a PKCS#12 (PFX) keystore file from the certificate file and your private key. ...
  4. Type an export password to protect the PKCS#12 (PFX) file.
May 31, 2019

What does PKCS stand for? ›

PKCS stands for Public Key Cryptography Standards.

How use PKCS12 certificate? ›

At Enter name of PKCS12 file, type the full path to the PKCS12 file that has the certificate and private key information and press Enter. You can type DamlSrvr. pfx . At Enter password, type the password to access the file and press Enter.

How do I bypass certificate verification? ›

Windows 10/11
  1. Navigate to Control Panel > Network and Sharing Center > Change adapter settings. ...
  2. Double-click the interface/network in question and choose Properties.
  3. On the Authentication tab, click Settings.
  4. Along the top, uncheck the box for Verify the server's identity by validating the certificate.
Nov 21, 2022

How do I install a Wi-Fi certificate? ›

Install a certificate
  1. Open your phone's Settings app.
  2. Tap Security Advanced settings. Encryption & credentials.
  3. Tap Install a certificate. Wi-Fi certificate.
  4. In the top left, tap Menu .
  5. Tap where you saved the certificate.
  6. Tap the file. If needed, enter the key store password. ...
  7. Enter a name for the certificate.
  8. Tap OK.

How do I force a certificate update? ›

On the machine without internet access...
  1. Click Start>Run. ...
  2. Type: certmgr.msc - this opens the certificate manager.
  3. Right click on the item "Trusted Root Certification Authorities.
  4. Select All Tasks>Import.
  5. Click Next.
  6. Click "Browse", change the file type in the lower right selection drop-down to "All Files"
Dec 20, 2019

What are the 3 types of certificates? ›

There are three recognized categories of SSL certificate authentication types:
  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

How do I find my Wi-Fi certificates? ›

Go to Settings > Privacy and security > Manage Certificate.

2. Click on Import, locate the Certificate and click Open.
For an alternate method:
  1. Press the Windows Logo Key or the search icon and type certificate. ...
  2. Right Click on Trusted Root Certification Authority > All Tasks > Import.

Can someone use my Wi-Fi without me knowing? ›

Can a Wi‑Fi router be hacked? It's entirely possible that your router might have been hacked and you don't even know it. By using a technique called DNS (Domain Name Server) hijacking, hackers can breach the security of your home Wi‑Fi and potentially cause you a great deal of harm.

What devices should never be connected to Wi-Fi? ›

Five things that should never be connected to the internet
  • Medical devices. Advertisement. ...
  • Vehicles. ...
  • Weapons. ...
  • Home appliances. ...
  • Smoke and security alarms.
Aug 3, 2015

How do I fix my Wi-Fi certificate? ›

Step 1: Open the Network & Internet part in Settings. Step 2: On the Status page, scroll down and click Network reset. Step 3: Click the Reset now button. Try to connect your Wi-Fi to see if the Wi-Fi certificate error exists.

What are examples of certificates? ›

For example, a Certified Public Accountant can practice as a CPA across the accounting profession.
Other examples might include:
  • CFA (Chartered Financial Analyst)
  • CIPM (Certificate in Investment Performance Measurement)
  • RA (Registered Architect)
  • CPL (Commercial Pilot License)
  • CMP (Certified Meeting Professional)
Feb 25, 2020

How do I find out what certificates are being used? ›

To check an SSL certificate on any website, all you need to do is follow two simple steps.
  1. First, check if the URL of the website begins with HTTPS, where S indicates it has an SSL certificate.
  2. Second, click on the padlock icon on the address bar to check all the detailed information related to the certificate.

What happens if I remove all certificates from my phone? ›

Important: Removing certificates you've installed doesn't remove the permanent system certificates that your phone needs to work. But if you remove a certificate that a certain Wi-Fi connection requires, your phone may not connect to that Wi-Fi network anymore.

How do security certificates get on my phone? ›

Go to your phone settings. Click on security. Navigate to advanced encryption & credentials. Under credential storage, click on install certificate.

How do certificates work in authentication? ›

Certificate-based authentication uses the information within said document to verify the user, device or machine, in contrast to the classic username and password combination which is strictly limited to verifying only those who are in possession, i.e. potentially not just the user who should have access.

How do IOS certificates work? ›

Using certificates with Apple devices

These digital certificates can be used to securely identify a client or server, and to encrypt the communication between them using the public and private key pair. A certificate contains a public key, information about the client (or server), and is signed (verified) by a CA.

Should I clear all credentials on my phone? ›

You should not normally have reason to do this. Most users will not have any user-installed trusted credentials on their device.

Why is my network being monitored? ›

This warning indicates that a device has at least one user-installed certificate, which could be used by malware to monitor encrypted network traffic.

Is it OK to delete certificates? ›

Removing these certificates could limit the functionality of the operating system or cause the computer to fail. Therefore, even expired certificates must not be removed from the Windows certificate store. This is because these certificates are required for backward compatibility.

Where are certificates stored on Android phones? ›

Open Settings. Tap “Security” Tap “Encryption & credentials” Tap “Trusted credentials.” This will display a list of all trusted certs on the device.

What are security certificates on an Android phone? ›

Trusted secure certificates are used when connecting to secure resources from the Android operating system. These certificates are encrypted on the device and may be used for Virtual Private Networks, Wi-Fi and ad-hoc networks, Exchange servers, or other applications found in the device.

How do I fix my security certificate? ›

How to Fix SSL Certificate Error
  1. Diagnose the problem with an online tool.
  2. Install an intermediate certificate on your web server.
  3. Generate a new Certificate Signing Request.
  4. Upgrade to a dedicated IP address.
  5. Get a wildcard SSL certificate.
  6. Change all URLS to HTTPS.
  7. Renew your SSL certificate.
Nov 18, 2021

How does a certificate verify identity? ›

Certificate authorities use asymmetric encryption to issue certificates. Asymmetric encryption creates a pair of cryptographic keys — one public and one private. The public key can be known to anyone and is used to encrypt a message and to verify identity-based on the corresponding private key.

How many types of certificates are there in iOS? ›

There are 4 main types of iOS certificates: 1. Apple App Development: Used to install development applications on test devices. This provisioning profile type is matched with a development certificate to enable app deployment during development.

What is iPhone root certificate? ›

About trust and certificates

Trusted certificates establish a chain of trust that verifies other certificates signed by the trusted roots — for example, to establish a secure connection to a web server.

What are certificates on iPhone? ›

A certificate is an attachment to an electronic document that allows the safe transfer of information over the internet. Certificates are used by web browsers and mail and texting apps. When you communicate with a secure site, the information exchanged with the site is encrypted.


1. Apple: How do I configure an iPad to use EAP-TLS?
(Roel Van de Paar)
2. Apple: How to use RADIUS with macOS Server?
(Roel Van de Paar)


Top Articles
Latest Posts
Article information

Author: Delena Feil

Last Updated: 06/21/2023

Views: 6395

Rating: 4.4 / 5 (65 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Delena Feil

Birthday: 1998-08-29

Address: 747 Lubowitz Run, Sidmouth, HI 90646-5543

Phone: +99513241752844

Job: Design Supervisor

Hobby: Digital arts, Lacemaking, Air sports, Running, Scouting, Shooting, Puzzles

Introduction: My name is Delena Feil, I am a clean, splendid, calm, fancy, jolly, bright, faithful person who loves writing and wants to share my knowledge and understanding with you.