InTune fails to deploy Enterprise Wi-Fi profile to fully managed Android (OS 13) devices.

Daniel B 35 Reputation points

Hi, I am having all sorts of trouble deploying an Enterprise Wi-Fi profile (EAP-TLS) to fully managed Android (OS v13) devices via InTune. From what I have seen online recent security updates to Android now require additional information within Enterprise Wi-Fi profiles.


  • DNS name that's used in the certificate presented by the Radius Server during client authentication to the Wi-Fi access point.
  • Root certificate for server validation.
  • Depending on your Android OS version and your Wi-Fi authentication infrastructure, the certificate requirements can vary. You may need to add your secure hash algorithm(s) (SHA) from the certificate used by your network policy server (NPS).

I have tried deploying profiles that meet all the required criteria, but InTune still reports an error when trying to deploy the profile to Android v13 devices. The Wi-Fi profile also can't be seen locally within Android Settings > User Certificates.


I can't be the only one facing this issue. Has anyone found a configuration which works?

Further information about my configurations:

I make sure to deploy a 'Trusted Root' profile first which installs my org's CA certificate on the device. Once that is installed I run the 'SCEP' profile to install a user certificate for Wi-Fi auth. Once those two profiles have succeeded, I deploy the Wi-Fi profile. To ensure each profile applies - and in the correct order - I deploy each profile using a separate security group (Step 1, Step 2, etc).

I am testing configurations with four Samsung devices. All four devices are running Android version 13. Two of the devices (Samsung Tab A's) are running the 1 July 2023 security patch. The other two devices (Samsung A22's) are running the 1 June 2023 security patch.

My latest Wi-Fi configuration was as follows (and failed):

SSID: (Keeping this Private)

Connect Automatically: Enable

Hidden Network: Disable

Proxy Settings: None


Radius Server Name: (FQDN of NPS server), (NPS Server Cert SHA-1 value), (NPS Server Cert SHA-256 value)

Root Certificate for Server Validation: (Linked to the Trusted Root CA profile I deploy prior to Wi-Fi config)

Authentication Method: Certificates

Certificates: (Linked to the SCEP profile I deploy prior to Wi-Fi config)

Identity privacy (outer identity): Not configured


Microsoft Intune Android
Microsoft Intune Android
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Android: An open-source mobile platform based on the Linux kernel, developed by Google, and maintained by the Open Handset Alliance.
242 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,476 questions
{count} votes

Accepted answer
  1. Lu Dai-MSFT 28,356 Reputation points

    @Daniel B Thanks for posting in our Q&A.

    For this issue, it seems needed to check some logs based on your specific environment. With Q&A limitation, Q&A is not a good channel for such issue. Given this situation, it is suggested to create an online support ticket to get more help. Here is the support link:

    Hope everything goes well with you.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Daniel B 35 Reputation points

    I defined the fully qualified domain name of the NPS server within the Wi-Fi profile. The issues I was having were caused by how I chose to deploy the Trusted Root, SCEP and Wi-Fi profiles. I had been deploying them one-by-one, using separate security groups. I did this because I was concerned that the profiles wouldn't apply in the correct order and dependencies wouldn't be met. When I deployed all three profiles using the same security group it worked perfectly without errors. It seems InTune worked out which profile to apply in what order. I haven't had any trouble since.