This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 23%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
Hi, I am having all sorts of trouble deploying an Enterprise Wi-Fi profile (EAP-TLS) to fully managed Android (OS v13) devices via InTune. From what I have seen online recent security updates to Android now require additional information within Enterprise Wi-Fi profiles.
Specifically:
I have tried deploying profiles that meet all the required criteria, but InTune still reports an error when trying to deploy the profile to Android v13 devices. The Wi-Fi profile also can't be seen locally within Android Settings > User Certificates.
I can't be the only one facing this issue. Has anyone found a configuration which works?
I make sure to deploy a 'Trusted Root' profile first which installs my org's CA certificate on the device. Once that is installed I run the 'SCEP' profile to install a user certificate for Wi-Fi auth. Once those two profiles have succeeded, I deploy the Wi-Fi profile. To ensure each profile applies - and in the correct order - I deploy each profile using a separate security group (Step 1, Step 2, etc).
I am testing configurations with four Samsung devices. All four devices are running Android version 13. Two of the devices (Samsung Tab A's) are running the 1 July 2023 security patch. The other two devices (Samsung A22's) are running the 1 June 2023 security patch.
SSID: (Keeping this Private)
Connect Automatically: Enable
Hidden Network: Disable
Proxy Settings: None
EAP Type: EAP-TLS
Radius Server Name: (FQDN of NPS server), (NPS Server Cert SHA-1 value), (NPS Server Cert SHA-256 value)
Root Certificate for Server Validation: (Linked to the Trusted Root CA profile I deploy prior to Wi-Fi config)
Authentication Method: Certificates
Certificates: (Linked to the SCEP profile I deploy prior to Wi-Fi config)
Identity privacy (outer identity): Not configured
https://developer.android.com/guide/topics/connectivity/wifi-enterprise
I have found that if a 'Root certificate for server validation' is not configured, the Wi-Fi profile fails to deploy and InTune reports error code -942518331 for the setting name 'AndroidDeviceOwnerEnterpriseWiFiConfiguration'.
Looks like Android version 13 requires this setting be configured.
SSID: (Keeping this Private)
Connect Automatically: Enable
Hidden Network: Disable
Proxy Settings: None
EAP Type: EAP-TLS
Radius Server Name: (FQDN of NPS server), (NPS Server Cert SHA-1 value), (NPS Server Cert SHA-256 value)
Root Certificate for Server Validation: (Linked to the Trusted Root CA profile I deploy prior to Wi-Fi config)
Authentication Method: Certificates
Certificates: (Linked to the SCEP profile I deploy prior to Wi-Fi config)
Identity privacy (outer identity): anonymous
InTune reporting did not return any error codes/information about the failure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 98%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
HI, did you managed to find a resolution to this? i am see the exact behavior in our environment configured the same, with Scep + Root profile deployments and Eap TLS wifi profile which fails on android 13, i have one profile for all our Android Enterprise devices, this profile is deployed to over 450 devices successfully but just recently the Android 13 devices have started to fail the wifi profile deployment when enrolled into intune . Android 9, Android 10, android 11 have no problems at all.
to add, ive found out of 100 identical model devices any device running on this patach level 2023-08-01 it fails install, anything older than this patch level it succeeds and install the wifi profile.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 2%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH1%3C/text%3E%3C/svg%3E)
We have the same issue with Android 13 Security Patchlevel from 01.09.2023.
On older Android devices it works.
Like the previous posts below. I clarify this issue a little bit more with the solution described below.
Android 13 Issue:
The devices currently affected by this issue are Pixel devices running Android 13 and above, with the latest security patches (May 2023 or later). However, it is important to note that Google's planned deployment of this change extends beyond Android 13 Pixel devices with the latest security update.
In the latest Google security patch, a new mandatory validation for server certificate parameters was added for a Wi-Fi profile that uses 802.1x EAP with a certificate. For the validation to succeed, the Wi-Fi profile must have a root certificate set, and either domain prefix match or alternate subject match must be set.
Source: https://www.ibm.com/support/pages/wi-fi-configurations-failed-deploy-android-devices
Solution Summary:
The dns suffix of the NPS Server must be added in the Android Wi-Fi Profile in Radius server name.
This Knowledge article from Microsoft describes it a little bit:
https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android-enterprise
@Daniel B Thanks for posting in our Q&A.
For this issue, it seems needed to check some logs based on your specific environment. With Q&A limitation, Q&A is not a good channel for such issue. Given this situation, it is suggested to create an online support ticket to get more help. Here is the support link:
https://learn.microsoft.com/en-us/mem/get-support
Hope everything goes well with you.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I defined the fully qualified domain name of the NPS server within the Wi-Fi profile. The issues I was having were caused by how I chose to deploy the Trusted Root, SCEP and Wi-Fi profiles. I had been deploying them one-by-one, using separate security groups. I did this because I was concerned that the profiles wouldn't apply in the correct order and dependencies wouldn't be met. When I deployed all three profiles using the same security group it worked perfectly without errors. It seems InTune worked out which profile to apply in what order. I haven't had any trouble since.
this was my fix also but i just added the domain suffix of the NPS server in the wifi profile, ive always deployed them to the same security group it now installs correctly.