In this blog post, we are going to deploy WPA2 Enterprise Wifi with Intune. In my previous post, we looked at how to configure WPA2 Enterprise Wifi with user authentication based on Active Directory, Group Policy and AD joined laptops. This post continues from that setup: now we are going to configure WPA2 Enterprise Wifi with user authentication for Azure AD joined laptops using Intune.
Prerequisites
As indicated earlier, we build on the configuration from the previous blog post. To issue certificates through Intune, that configuration needs a few changes: an Intune Certificate Connector that handles certificate requests from Intune, an adjusted network policy on the Network Policy Server, and profiles in Intune for the certificates and the Wifi configuration that configure the laptop. In summary, we need:
- A working CA server (e.g. a two-tier PKI)
- A working Wifi with WPA2 Enterprise and a working Network Policy Server (NPS)
- A server which can be used for the Intune Certificate Connector
- Laptop enrolled in Intune to test Wifi connection
Intune Certificate Connector
Before we can deploy WPA2 Enterprise Wifi with Intune we need to configure certificate distribution. To distribute certificates with Intune we need to use the Intune Certificate Connector. Its operation is briefly explained in the diagram below.
- An Admin creates a PKCS certificate profile in Intune.
- The Intune service requests that the on-premises Intune Certificate Connector create a new certificate for the user.
- The Intune Certificate Connector sends a PFX Blob and Request to your Microsoft Certification Authority.
- The Certification Authority issues and sends the PFX User Certificate back to the Intune Certificate Connector.
- The Intune Certificate Connector uploads the encrypted PFX User Certificate to Intune.
- Intune decrypts the PFX User Certificate and re-encrypts it for the device using the Device Management Certificate. Intune then sends the PFX User Certificate to the device.
- The device reports the certificate status to Intune.
Preparations
Before we can begin the configuration to deploy WPA2 Enterprise WiFi with Intune, we need to make some preparations: the Certificate Connector needs a service account, and we need a certificate template that Intune can issue.
Service Account
An account is required to run the Intune Certificate Connector. You can use the system account or a domain account for this purpose. Unfortunately, it is not possible to use a Group Managed Service Account (gMSA). In my example, I use a domain account. For this you can use a standard user account and give it local permissions on the server.
Certificate Template
Now we need to create a certificate template that we can use in Intune. Perform these steps on the issuing certificate server.
1. Open the Certification Authority console, expand Certificate Templates, right click on the folder and pick Manage. This will open the Certificate Templates Console.
2. Select the User certificate template, right click on it and select Duplicate.
3. Select the general tab and give the template a recognizable name.
4. On the Compatibility tab set the Certification Authority to Windows Server 2008 R2, and the Certificate Recipient to Windows 7/Server 2008 R2.
5. On the Subject Name tab, make sure you select Supply in the request.
6. In the Extensions tab select “Application Policies” and press “Edit”. Remove “Encrypting File System” and “Secure Email”; for WiFi we only need “Client Authentication”. Press “OK”.
7. On the Security tab, add the Service Account of the server you will be using for the Intune connector, with Read and Enroll permissions. Click Apply to save the template, then close the console.
8. Back in the Certification Authority console, right click on Certificate Templates and pick New > Certificate Template to issue. Select the template you just created.
9. Finally we need to allow the connector to manage certificates: open the CA properties and add the Service Account of the Intune connector, assigning it the Issue and Manage Certificates and Request Certificates permissions. The certificate template is now ready to be used in Intune.
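Because step 5 lets the requester supply the subject name, every identity that holds Enroll on this template can obtain a certificate for any UPN, so the Enroll list from step 7 deserves a second look before the template goes live. The script below is an added example, not part of the original post: it reads the template from Active Directory and checks steps 5 to 8. It assumes the ActiveDirectory module (RSAT) is installed and uses the placeholder template name `Intune WiFi User`.

```powershell
# Added example (not from the original post): audit the duplicated User template
# against steps 5-8 before handing it to Intune. Run as a user who can read the
# Configuration partition; the final certutil line must run on the issuing CA.
param([string]$TemplateName = 'Intune WiFi User')   # placeholder, use the name from step 3

Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$tmpl = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag',
    'msPKI-Certificate-Application-Policy', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

$ClientAuth  = '1.3.6.1.5.5.7.3.2'
$Unwanted    = @{ '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
                  '1.3.6.1.5.5.7.3.4'      = 'Secure Email' }
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$GenericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$SuppliesSubject = 1                                           # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

$findings = @()
# Step 5: "Supply in the request" must be set, because Intune fills in the user's UPN.
if (-not ($tmpl.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject)) {
    $findings += 'Subject Name is not set to "Supply in the request"'
}
# Step 6: only Client Authentication should remain in the application policies / EKU.
$ekus = (@($tmpl.'msPKI-Certificate-Application-Policy') + @($tmpl.pKIExtendedKeyUsage)) | Sort-Object -Unique
if ($ekus -notcontains $ClientAuth) { $findings += 'Client Authentication EKU is missing' }
foreach ($oid in $ekus) {
    if ($Unwanted.ContainsKey($oid)) { $findings += "EKU still present: $($Unwanted[$oid])" }
}
# Step 7: list everyone who can enroll. Only the connector's service account should
# appear here; broad groups (Domain Users, Authenticated Users) need to be removed.
$enrollers = $tmpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ObjectType -eq $EnrollRight -or
        (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll))
} | Select-Object -ExpandProperty IdentityReference -Unique

Write-Host "Template: $TemplateName"
Write-Host "Identities with Enroll:`n  $($enrollers -join "`n  ")"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Template matches steps 5-7.' }

# Step 8: confirm the template is published on the CA (run this on the issuing CA).
certutil -CATemplates | Select-String -SimpleMatch $TemplateName
```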
Adjust Network Policy on NPS
The Network Policy needs to be adjusted to allow “Microsoft: Smart Card or other certificate”. It is not required to remove the other authentication methods.
10. On the NPS server expand “Network Policies” and open “Secure Wireless Connections” by double clicking it.
11. Select “Constraints” (1) and edit the “Microsoft: Protected EAP (PEAP)” type (2).
12. Press Add to add an EAP type and add “Smart Card or other certificate”. Close the screens by pressing “OK”.
Setup Intune Certificate Connector
As mentioned earlier, before we can distribute PKCS certificates with Intune we first need to configure the Intune Certificate Connector.
13. Create a server for the Certificate Connector, or use an existing one, with the following prerequisites.
General prerequisites
Requirements for the computer where you install the connector software:
- Windows Server 2012 R2 or later. Note: the server installation must include the Desktop Experience and support the use of a browser. For more information, see Install Server with Desktop Experience in the Windows Server 2016 documentation.
- .NET 4.7.2
- Transport Layer Security (TLS) 1.2. For more information, see Enable support for TLS 1.2 in your environment in the Azure Active Directory documentation.
- The server must meet the same network requirements as managed devices. See Network endpoints for Microsoft Intune, and Intune network configuration requirements and bandwidth.
- To support automatic updates of the connector software, the server must have access to the Azure update service:
  - Port: 443
  - Endpoint: autoupdate.msappproxy.net
- Enhanced Security Configuration must be deactivated.
14. Add the service account created for the Intune Certificate Connector to the local Administrators group.
15. Add the service account to the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
16. Download the Intune Certificate Connector: open the Intune portal and go to Tenant administration > Connectors and tokens > Certificate connectors. Click Add, then follow the link and instructions to download the installer.
17. Run the installer with administrative privileges on the server and select “Configure now”.
18. Run through the steps and make sure you have selected at least PKCS on the list of features. As a minimum you should be picking PKCS and Certificate Revocation.
19. Enter the Service account created at the beginning for the Intune Connector Service.
20. At the Azure AD sign-in, log in with an Intune administrator account that has an Intune license. If you use an Intune Administrator account without an Intune license you will get an Access Denied error; add a license, wait a few minutes and try again. After you have completed the setup you can remove the license again.
21. Once you’ve completed the wizard and it has completed successfully, you should be able to refresh the Certificate connectors page and see your connector listed.
Configure Intune
Now that all conditions are configured, we can configure the device profiles in Intune. We are going to configure the following items: the certificates for the root and issuing CA, the certificate profile for the user certificate and finally the WiFi profile.
22. In the Intune portal go to Devices -> Windows -> Configuration profiles. Press “Create Profile”, select “Windows 10 and later” and Profile type “Templates”. Select “Trusted certificate” and press “Create”.
23. Give the profile a name like Root CA and press “Next”. Now select the Root CA certificate and change Destination store to “Computer certificate store – Root”. Assign the profile to a group and create the profile.
24. Repeat the previous step, but now select the Subordinate CA certificate and select “Computer certificate store – Intermediate”.
25. Before we can deploy the PKCS certificate you need some additional information: the FQDN of the issuing certificate server, which you can find in Server Manager (for my server that’s CA-SUB-02-2022.vmlabblogdemo.com), and the Certification Authority name, which you can find in the Certification Authority tool (for my server it’s “VMLabBlogDemo-CA-SUB-02-2022-CA”).
26. Now you can create a new profile. Press “Create Profile”, select “Windows 10 and later” and Profile type “Templates”. Select “PKCS certificate” and Create.
27. Enter the following information:

| Setting | Value |
|---|---|
| Key storage provider (KSP) | Enroll to Software KSP |
| Certification authority | FQDN of the issuing server (1) |
| Certification authority name | Certification authority name (2) |
| Certificate template name | Name of the template from step 4 |
| Certificate type | User |
| User principal name (UPN) | {{UserPrincipalName}} |
28. Scroll down and, under Extended key usage, select the predefined value “Client Authentication”. Press “Next”. Assign the profile to a group and create the profile.
29. Now you need to create the WiFi profile. Press “Create Profile”, select “Windows 10 and later” and Profile type “Templates”. Select “Wi-Fi” and Create.
30. Select Wi-Fi type “Enterprise” and enter the following information:

| Setting | Value |
|---|---|
| Wi-Fi type | Enterprise |
| Wi-Fi name | SSID of your Wi-Fi network |
| Connection Name | Name of the connection in the Wifi settings |
| Connect Automatically | (Optional) Yes |
| Authentication Mode | User |
31. Now scroll down and configure the following settings. Press “Next”. Assign the profile to a group and create the profile.

| Setting | Value |
|---|---|
| EAP type | Protected EAP (PEAP) |
| Root certificates for server authentication | Select the Root CA |
| Authentication method | PKCS certificate |
| Client certificate for client authentication | PKCS certificate created in the previous step |
| Root certificate for client authentication | Select the Root CA |
32. You should now have 4 profiles configured. These 4 configuration profiles make up the Wi-Fi including authentication configuration. The next step is to test the configuration.
Test Configuration
Now we are going to test the configuration. Before testing, make sure that the configuration profiles configured for this are assigned to your test user/device. For testing, I will use a physical laptop running Windows 10 Enterprise.
33. Open the Certificates snap-in in mmc and go to Personal certificates. Here you see the user certificate that is used to authenticate with the WiFi network. This is the PKCS certificate we configured in step 26.
34. If you then go to “Trusted Root Certification Authorities” you will find the Root CA certificate we configured in step 23.
35. Next, we go to “Intermediate Certification Authorities”. Here we find the Subordinate CA certificate we configured in step 24.
36. Now that we know the certificates have been added correctly, we look at the WiFi networks by pressing the network icon in the system tray. Right now the wired network is still connected (1), but we also see the network “Test Wifi Profile” (2); this is the name of the WiFi network we added in step 30.
37. To test whether authentication works, we only need to remove the network cable. The WiFi network will then connect automatically, which lets us determine with certainty that the configuration is working.
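The same checks as steps 33 to 37 can be done from the laptop without clicking through mmc. The script below is an added example and not part of the original post: it verifies the user certificate, the two CA certificates and the chain between them, and looks up the Wi-Fi profile. It assumes the root CA subject contains `Root CA` (placeholder) and uses the profile name `Test Wifi Profile` from step 36.

```powershell
# Added example (not from the original post): verify on the enrolled laptop that the
# PKCS user certificate, the Root CA, the Subordinate CA and the Wi-Fi profile arrived.
# Run as the Intune-enrolled user (the user certificate lives in that user's store).
param(
    [string]$RootCaMatch = 'Root CA',          # placeholder: part of your root CA's subject
    [string]$ProfileName = 'Test Wifi Profile' # Wi-Fi name from step 30
)
$ClientAuth = '1.3.6.1.5.5.7.3.2'
$upn = (whoami /upn).Trim()

# Returns the Subject Alternative Name extension as text ('' if the cert has none).
function Get-SanText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $san.Format($false) } else { '' }
}

# Step 33: a user certificate with a private key, Client Authentication EKU and this user's UPN.
$userCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuth) -and
    ((Get-SanText $_) -match [regex]::Escape($upn))
} | Sort-Object NotAfter -Descending | Select-Object -First 1

# Steps 34 and 35: Root CA in the computer's Root store, Subordinate CA in Intermediate (Cert:\LocalMachine\CA).
$rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match $RootCaMatch
$subCa  = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Issuer  -match $RootCaMatch

# Does the user certificate chain up through those stores? Revocation is left to NPS here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = ($null -ne $userCert) -and $chain.Build($userCert)

# Step 36: the profile created in step 30 should exist and carry the PEAP settings from step 31.
$profileText = (netsh wlan show profile name="$ProfileName") -join "`n"

[pscustomobject]@{
    UserCertificate     = if ($userCert) { $userCert.Thumbprint } else { 'MISSING' }
    UserCertChainsToCA  = [bool]$chainOk
    RootCaInRootStore   = [bool]$rootCa
    SubCaInIntermediate = [bool]$subCa
    WiFiProfilePresent  = ($profileText -match 'WPA2-Enterprise')
    PeapConfigured      = ($profileText -match 'PEAP')
}
```

If UserCertificate is MISSING while the CA entries are present, the PKCS profile is the one to troubleshoot (connector log and template configuration), which is also the situation described in the comments below.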
Thank you for reading this blog post “Deploy WPA2 Enterprise Wifi with Intune”. If you have any questions, comments or additions please let me know by leaving a comment in the comment section.
Hi Aad, I have been following your guide and everything has been working great. I am at the testing stage now but running into a problem. I can get my Intune profile to push the PKCS certificate. It fails to push to the end user PC, but the root CA, sub CA, and wifi profile are fine and pushed. Just can’t authenticate without the PKCS. In Intune, the device shows no results when clicking on the account with the error. Can you assist?
Hi Travis, I would suggest you take a look in the log of the Intune Certificate Connector (https://learn.microsoft.com/en-us/troubleshoot/mem/intune/certificates/troubleshoot-pkcs-certificate-profiles). There may be an issue with the certificate template configuration.
Hope this will help you!
Regards, Aad