question

Abdelhafid-7764 asked AMDMan64 published

intune wifi sso prelogon user credentials

Hey Everyone,

We are looking into deploying a Wi-Fi config profile through Intune for our shared devices. The option to use SSO pre-logon caught our attention (https://docs.microsoft.com/nl-nl/mem/intune/configuration/wi-fi-settings-windows).

We prefer the connection to the 802.1x Wi-Fi network to use the user credentials and to connect before users log on to the device.

When testing this feature on an Azure AD and Intune enrolled device, no connection to the wifi network was established.

In the device WLAN-AutoConfig logs I noticed the following error:

The operational criteria were not met.
The machine was not joined to a domain.

It seems an on-premises domain membership is required.

Is there a way to get this to work without joining an on-premises AD?

We've looked into a Hybrid-join and NDES\certificate based authentication, but we prefer to use user credentials based authentication for audit purposes.

Thanks!


Tags: intune-general, intune-device-configuration

Abdelhafid-7764 answered

It seems an on-premises domain membership is required. I'm hoping Microsoft makes SSO using shared logon and 802.1x available soon, since it helps in deploying mobile devices with minimum on-premises requirements.


CiciWu-MSFT answered

I have done a lot of research but haven't found any other way to get it to work without joining an on-premises AD. It seems to be because the SSO pre-logon needs the certificate, which is necessary for the device to be domain joined.


AMDMan64 answered AMDMan64 published

Technically it is possible to make it work with Device / User authentication, but you would need 2 SSIDs. It's somewhat messy, however.

I ended up using a Guest network with auth-bypass for the login screen and then wrote scheduled tasks that use WLAN filters to hide/unhide the Guest SSID on login.
Once the user is logged in, the task triggers to block the Guest network and unhide our 802.1x network for user login. The same task runs on shutdown or logoff as well.

The profile has the following information in it (you can just manually add the Wi-Fi network and then put in the user auth information). The singleSignOn piece is important, however:

```xml
          <cacheUserData>true</cacheUserData>
          <authMode>user</authMode>
          <singleSignOn>
              <type>postLogon</type>
              <maxDelay>10</maxDelay>
              <allowAdditionalDialogs>true</allowAdditionalDialogs>
              <userBasedVirtualLan>false</userBasedVirtualLan>
          </singleSignOn>
          <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod>
```

This method works, but it occasionally messes up due to systems getting powered off incorrectly or just general flakiness; still, we have it deployed on about 250 student laptops.

The question is - has anyone tried to give official feedback to Microsoft about this? We need the ability to specify 802.1x credentials for the device level and user level. I always hated on Chromebooks for not correctly supporting this and now Google has it and Microsoft doesn't.

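The two-SSID switch described in the answer above, written out as an added PowerShell example. This is not AMDMan64's script and nothing here comes from the thread beyond the idea itself: the SSID names, the install path, the task names and the use of Winlogon event 7002 as the logoff trigger are all assumptions. It uses `netsh wlan` filters (`denyall` plus an explicit `allow`) so that a shared device sitting at the logon screen can only see and join the guest SSID, and flips to the 802.1x SSID once a user logs on; `Register` mode creates the scheduled tasks that run it at startup, logon and logoff.

```powershell
<#
  Added example, not the original poster's script. Toggles WLAN filters so that
  only the guest SSID is visible before logon and only the 802.1X SSID is
  visible after logon. SSID names, paths, task names and the logoff event ID
  are assumptions. Run elevated: WLAN filters are machine-wide.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('PreLogon', 'PostLogon', 'Register')]
    [string]$Mode,
    [string]$GuestSsid  = 'Campus-Guest',   # assumed guest SSID (no spaces)
    [string]$CorpSsid   = 'Campus-8021X',   # assumed 802.1X SSID (no spaces)
    [string]$ScriptPath = 'C:\ProgramData\WlanSwitch\Switch-WlanSsid.ps1'  # assumed install path
)

function Invoke-Netsh {
    param([string[]]$Arguments)
    $out = & netsh.exe wlan @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh wlan $($Arguments -join ' ') failed: $out" }
    $out
}

function Set-VisibleSsid {
    param([string]$Show, [string]$Hide)
    # Clear any filters left over from an earlier run; 'not found' errors are expected.
    foreach ($ssid in @($Show, $Hide)) {
        foreach ($perm in 'allow', 'block') {
            & netsh.exe wlan delete filter permission=$perm ssid=$ssid networktype=infrastructure *> $null
        }
    }
    & netsh.exe wlan delete filter permission=denyall networktype=infrastructure *> $null
    # denyall hides every infrastructure network except the ones explicitly allowed,
    # so the device cannot be joined to an arbitrary SSID from the logon screen.
    Invoke-Netsh @('add', 'filter', 'permission=denyall', 'networktype=infrastructure')
    Invoke-Netsh @('add', 'filter', 'permission=allow', "ssid=$Show", 'networktype=infrastructure')
    Invoke-Netsh @('add', 'filter', 'permission=block', "ssid=$Hide", 'networktype=infrastructure')
    # Drop the current association so the adapter reconnects to the SSID that is now visible.
    Invoke-Netsh @('disconnect')
}

function Register-SwitchTasks {
    $common    = "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -GuestSsid $GuestSsid -CorpSsid $CorpSsid -Mode"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

    # Any interactive logon: show the 802.1X SSID, hide the guest SSID.
    $postAction  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "$common PostLogon"
    $postTrigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName 'WlanSwitch-PostLogon' -Action $postAction -Trigger $postTrigger `
        -Principal $principal -Settings $settings -Force | Out-Null

    # Startup (covers shutdown/reboot) and logoff: back to guest-only. There is no
    # built-in logoff trigger, so an event trigger on Winlogon event 7002 is used (assumed).
    $preAction    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "$common PreLogon"
    $startTrigger = New-ScheduledTaskTrigger -AtStartup
    $cimClass     = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace 'Root/Microsoft/Windows/TaskScheduler'
    $logoffTrigger = New-CimInstance -CimClass $cimClass -ClientOnly
    $logoffTrigger.Enabled = $true
    $logoffTrigger.Subscription = @"
<QueryList><Query Id="0" Path="Microsoft-Windows-Winlogon/Operational">
  <Select Path="Microsoft-Windows-Winlogon/Operational">*[System[EventID=7002]]</Select>
</Query></QueryList>
"@
    Register-ScheduledTask -TaskName 'WlanSwitch-PreLogon' -Action $preAction -Trigger @($startTrigger, $logoffTrigger) `
        -Principal $principal -Settings $settings -Force | Out-Null
}

switch ($Mode) {
    'PreLogon'  { Set-VisibleSsid -Show $GuestSsid -Hide $CorpSsid }
    'PostLogon' { Set-VisibleSsid -Show $CorpSsid  -Hide $GuestSsid }
    'Register'  { Register-SwitchTasks }
}
```

Copy the script to the assumed `$ScriptPath`, run it once elevated with `-Mode Register`, and check the resulting filter state at any time with `netsh wlan show filters`. The `denyall` filter is the defensive part of the design: the guest SSID is reachable from the logon screen by design, so the filter set should make sure that is the only network the shared device can join until an authenticated user is present.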