Intune WIFI Network Profiles and Root Certificate for Validation

shockoMS 281 Reputation points
2022-11-04T23:09:17.04+00:00

I'm creating profiles for my corporate WIFI networks. These use EAP-TLS and are signed with certificates from my PKI. When I create the WIFI profile, there's an option to specify the root certificate for server validation as per this guide. If set, this references a Trusted Certificate profile. Questions:

  1. If the trusted certificate profile is already being deployed outside of the WIFI profile, is there any need to set it here?
  2. If the trusted certificate profile is not already being applied outside of the WIFI profile and I set it in the WIFI profile, will Intune deploy it?
  3. If I do both, will the certificates contained therein show twice in iOS under Settings -> General -> VPN and Device Management -> Management Profile?
Microsoft Security | Intune | Other

1 answer

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2022-11-07T04:30:30.98+00:00

    @shockoMS, from your description, it seems you are deploying a Wi-Fi profile with certificate authentication. In general, if you use certificate-based authentication for your Wi-Fi profile, deploy the Wi-Fi profile, certificate profile, and trusted root profile to the same groups to ensure that each device can recognize the legitimacy of your certificate authority.

    For your questions, here are my answers:
    Q1: If the trusted certificate profile is already being deployed outside of the WIFI profile, is there any need to set it here?
    A1: In general, to make it work well, we deploy the Wi-Fi profile, certificate profile, and trusted root profile to the same group to avoid issues. But if the trusted CA certificate is already deployed to the device, based on my experience, I think it can also work if we leave "Root certificates for server validation" not configured in the Wi-Fi profile. You can try.

    Q2: If the trusted certificate profile is not already being applied outside of the WIFI profile and I set it in the WIFI profile, will Intune deploy it?
    A2: You need to deploy a trusted certificate profile before you add it to the Wi-Fi profile. Then the trusted certificate will be installed on the device before the Wi-Fi connects.

    Q3: If I do both, will the certificates contained therein show twice in iOS under Settings -> General -> VPN and Device Management -> Management Profile?
    A3: After researching, I didn't find any link mentioning duplicate root CA certificates with the same thumbprint. So I think it will display once.

    Hope it can help.


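The answer's advice to assign the Wi-Fi profile, certificate profile, and trusted root profile to the same groups can be checked before rollout. The following is an added example, not part of the original thread and not Microsoft's code; the profile names, group names, and field names (`kind`, `groups`, `depends_on`) are constructed for illustration and are not Intune's export schema.

```python
"""Flag groups that receive a Wi-Fi profile without the certificate profiles it needs.
All names and fields below are constructed sample data (assumption), not Intune output."""

# Constructed sample: the groups each profile is assigned to and the
# profiles it depends on (Wi-Fi -> client cert -> trusted root).
PROFILES = {
    "corp-root-ca":   {"kind": "trusted_root", "groups": {"ios-corp", "ios-byod"}},
    "corp-user-cert": {"kind": "client_cert", "groups": {"ios-corp"},
                       "depends_on": ["corp-root-ca"]},
    "corp-wifi":      {"kind": "wifi",
                       "groups": {"ios-corp", "ios-byod", "ios-kiosk"},
                       "depends_on": ["corp-root-ca", "corp-user-cert"]},
}


def transitive_deps(profiles, name, seen=None):
    """Return every profile `name` needs, following dependencies of dependencies."""
    seen = set() if seen is None else seen
    for dep in profiles[name].get("depends_on", []):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(profiles, dep, seen)
    return seen


def assignment_gaps(profiles):
    """Map (wifi_profile, group) -> sorted list of required profiles the group lacks."""
    gaps = {}
    for name, prof in profiles.items():
        if prof["kind"] != "wifi":
            continue
        for group in sorted(prof["groups"]):
            # A dependency is missing when it is not assigned to this same group.
            missing = sorted(d for d in transitive_deps(profiles, name)
                             if group not in profiles[d]["groups"])
            if missing:
                gaps[(name, group)] = missing
    return gaps


if __name__ == "__main__":
    for (wifi, group), missing in assignment_gaps(PROFILES).items():
        print(f"{wifi} -> {group}: missing {', '.join(missing)}")
```

The comparison is by group name only, so it does not account for nested groups or exclusion assignments.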

