intune wifi sso prelogon user credentials

Abdelhafid 96 Reputation points
2020-10-24T14:30:57.627+00:00

Hey Everyone,

We are looking into deploying a wifi config profile through Intune for our shared devices. The option to use SSO prelogon caught our attention. (https://learn.microsoft.com/nl-nl/mem/intune/configuration/wi-fi-settings-windows).

We prefer the connection to the 802.1x wifi network to use the user credentials and to connect before users logon to the device.

When testing this feature on an Azure AD and Intune enrolled device, no connection to the wifi network was established.

In the device wlan-autoconfig logs I noticed the following error:

The operational criteria were not met.
The machine was not joined to a domain.

It seems an on-premises domain membership is required.

Is there a way to get this to work without joining an on-premises AD?

We've looked into a Hybrid-join and NDES\certificate based authentication but we prefer to use user credentials based authentication for audit purposes.

Thanks!


Accepted answer
  1. Abdelhafid 96 Reputation points
    2020-10-27T11:50:09.947+00:00

    It seems an on-premises domain membership is required. I'm hoping Microsoft makes SSO using shared logon and 802.1x available soon since it helps in deploying mobile devices with minimum on-premises requirements.


2 additional answers

  1. CiciWu-MSFT 1,201 Reputation points
    2020-10-26T07:57:06.477+00:00

    I have done a lot of research but haven't found any other way to get it to work without joining an on-premises AD. It seems to be because the SSO prelogon needs the certificate, which is necessary for a device to be domain joined.


  2. AMDMan64 1 Reputation point
    2022-02-17T16:24:48.687+00:00

    Technically it is possible to make it work with Device / User authentication, but you would need 2 SSIDs. It's somewhat messy, however.

    I ended up using a Guest network with auth-bypass for the login screen and then wrote scheduled tasks that use WLAN filters to hide/unhide the Guest SSID on login.
    Once the user is logged in, the task triggers to block the Guest network and unhide our 802.1x network for user login. The same task runs on shutdown or logoff as well.

    The profile has the following information in it (you can just manually add the Wi-Fi network and then put in the user auth information). The singleSignOn piece is important, however:

             <cacheUserData>true</cacheUserData>
             <authMode>user</authMode>
             <singleSignOn>
                 <type>postLogon</type>
                 <maxDelay>10</maxDelay>
                 <allowAdditionalDialogs>true</allowAdditionalDialogs>
                 <userBasedVirtualLan>false</userBasedVirtualLan>
             </singleSignOn>
             <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod>

    This method works, but it occasionally messes up due to systems getting powered off incorrectly or just general flakiness - but we have it deployed on about 250 student laptops.

    The question is - has anyone tried to give official feedback to Microsoft about this? We need the ability to specify 802.1x credentials for the device level and user level. I always hated on Chromebooks for not correctly supporting this and now Google has it and Microsoft doesn't.

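A concrete version of the logon/logoff SSID toggling described in the answer above, added here as an illustration; it is not AMDMan64's own script or anything from Microsoft. It assumes two placeholder SSID names (Guest-Lab for the auth-bypass network shown at the login screen, Corp-8021X for the 802.1x network), a placeholder install path, and that the 802.1x profile carries the postLogon singleSignOn block quoted above. Hiding and unhiding is done with netsh wlan filters (a permission=block filter removes an SSID from the available-networks list and prevents connecting to it; deleting the filter shows it again). The scheduled tasks run as SYSTEM: at logon they switch to the 802.1x-only state, and at startup and on logoff (Security event 4647, user-initiated logoff, which is an assumption about a workable logoff trigger since Task Scheduler has no logoff trigger cmdlet) they restore the guest-only state, so a laptop that was powered off incorrectly comes back to a consistent state at the next boot instead of staying stuck with the guest SSID hidden.

```powershell
# Added example, not from the original post. SSID names and install path are placeholders.
# Usage: run once elevated with "-Mode Install" to register the tasks; the tasks then call
# this same script with "-Mode PreLogon" or "-Mode PostLogon".
param(
    [ValidateSet('Install', 'PreLogon', 'PostLogon')]
    [string]$Mode = 'Install'
)

$GuestSsid  = 'Guest-Lab'    # placeholder: open/auth-bypass SSID used at the login screen
$CorpSsid   = 'Corp-8021X'   # placeholder: 802.1x SSID with the postLogon SSO profile
$ScriptPath = 'C:\ProgramData\WlanToggle\Set-WlanState.ps1'   # placeholder: where this file lives

function Hide-Ssid {
    param([Parameter(Mandatory)][string]$Ssid)
    # A block filter hides the SSID from the network list and prevents connections to it.
    netsh wlan add filter permission=block ssid="$Ssid" networktype=infrastructure | Out-Null
}

function Show-Ssid {
    param([Parameter(Mandatory)][string]$Ssid)
    # Removing the block filter makes the SSID visible again; errors from a missing filter are ignored.
    netsh wlan delete filter permission=block ssid="$Ssid" networktype=infrastructure 2>$null | Out-Null
}

function Set-WlanState {
    param([Parameter(Mandatory)][ValidateSet('PreLogon', 'PostLogon')][string]$State)
    switch ($State) {
        'PreLogon'  { Show-Ssid $GuestSsid; Hide-Ssid $CorpSsid }   # login screen: guest only
        'PostLogon' { Hide-Ssid $GuestSsid; Show-Ssid $CorpSsid }   # user session: 802.1x only
    }
}

function Register-WlanToggleTasks {
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    # Task 1: at any user logon, hide the guest SSID and show the 802.1x SSID.
    $postAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Mode PostLogon"
    $logonTrigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName 'WlanToggle-PostLogon' -Action $postAction `
        -Trigger $logonTrigger -Principal $principal -Force | Out-Null

    # Task 2: at startup and on user-initiated logoff, return to the guest-only state.
    # The startup trigger is what recovers a machine that was powered off without logging off.
    $preAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Mode PreLogon"
    $startupTrigger = New-ScheduledTaskTrigger -AtStartup

    # Logoff trigger built as an event subscription (assumption: Security event 4647 is audited).
    $eventClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $logoffTrigger = New-CimInstance -CimClass $eventClass -ClientOnly
    $logoffTrigger.Enabled = $true
    $logoffTrigger.Subscription = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=4647]]</Select></Query></QueryList>
"@
    Register-ScheduledTask -TaskName 'WlanToggle-PreLogon' -Action $preAction `
        -Trigger @($startupTrigger, $logoffTrigger) -Principal $principal -Force | Out-Null
}

switch ($Mode) {
    'Install' { Register-WlanToggleTasks; Set-WlanState -State 'PreLogon' }
    default   { Set-WlanState -State $Mode }
}
```

Because both tasks run as SYSTEM and the filters are machine-wide, a standard user cannot undo the block from the network flyout, which is the property that keeps the guest SSID off the desktop. Checking `netsh wlan show filters` after a reboot and after a logon is the quickest way to confirm the two states are being applied in the right order; if the logoff task never fires, verify that Audit Logoff is enabled in the local audit policy, since the 4647 subscription depends on it.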