Microsoft Cloud PKI
This document describes the configuration steps necessary to implement certificate-based WiFi authentication using Microsoft Cloud PKI with Intune.
Last updated
Was this helpful?
This document describes the configuration steps necessary to implement certificate-based WiFi authentication using Microsoft Cloud PKI with Intune.
Last updated
Was this helpful?
Before you can issue certificates to managed devices, you need to create a root CA in your tenant to act as the trust anchor. To create a root CA in Intune admin center, please follow Microsoft guide.
An issuing CA is required to issue certificates for Intune-managed devices. Cloud PKI automatically provides a SCEP service that acts as a certificate registration authority. It requests certificates from the issuing CA on behalf of Intune-managed devices using a SCEP profile. To create an issuing CA, please follow Microsoft guide.
Configure RADIUSaaS to trust client authentication certificates issued by the Microsoft Cloud PKI. Since the cloud PKI requires a tiered CA structure, you must upload both, Root CA and Issuing CA (i.e. the complete chain of trust). To achieve this, please follow below steps:
As verification method select CRL along with DER encoding.
Upload the Contoso Cloud PKI Issuing CA selecting Client Authentication in the upload process.
Again, select CRL as verification method along with DER encoding.
To set up certificate-based WiFi authentication, we need to create a number of profiles and deploy them via Intune. These profiles are:
Trusted certificate
Deploy the Root CA certificate.
Trusted certificate
Deploy the Issuing CA certificate.
Trusted certificate
Deploy the Root CA certificate that has issued the RADIUS Server Certificate.
SCEP certificate
Enroll the client authentication certificate.
Wi-Fi
Deploy the wireless network adapter settings.
Platform = Windows 10 and later
Profile type = Template
Template name = Trusted certificate.
Upload the relevant certificate file (*.cer) in the respective profile:
This must be repeated for every device platform that shall be using the service (e.g. Windows, macOS, ...)
Next, push the root CA certificate that has issued your RADIUS Server Certificate as described here:
To create a SCEP certificate profile in Intune admin center, first take a copy of the SCEP URI from Home > Tenant admin > Cloud PKI > Contoso Issuing CA > Properties > SCEP URI.
Next, go to Home > Devices > Windows > Configuration profiles > Create > New Policy with the following parameters:
Platform = Windows 10 and later
Profile type = Template
Template name = SCEP certificate
Next, configure the template according to the screenshot below making sure you attached the Contoso Root Certificate created earlier in step 1 and the SCEP URI you took a copy of above.
This must be repeated for every device platform that shall be using the service (e.g. Windows, macOS, ...)
Deploy the WiFi adapter settings to your devices by following this article:
Navigate to .
the Contoso Cloud PKI Root CA selecting Client Authentication in the upload process.
Use the copied CRL distribution point URL of the Root CA in the CRL Distribution Points URL input field.
Use the copied CRL distribution point URL of the Issuing CA in the CRL Distribution Points URL input field.
To establish server trust between your endpoint devices and RADIUSaaS, follow .
To configure your networking equipment (WiFi access points, switches, or VPN gateways), follow .
After successful completion of Steps 2 - 4, the Trusted Certificates page of your RADIUSaaS instance will look similar to the one below. Please note that in our example we have used a RadSec-enabled access point.
Deploy the root CA and issuing CA certificates created in via a Trusted certificate profile to your devices by navigating to the Intune admin center and then to Home > Devices > Windows > Configuration profiles > Create > New Policy with the following parameters:
Root CA certificate created
Issuing CA certificate created
