Windows dot1.x

Handian Sudianto 6,886 Reputation points
2026-03-10T07:44:15.5333333+00:00

Which dot1.x configuration does not prompt the user to sign in or enter credentials on company devices that are already joined to AAD?

We are moving from an unsecured wired connection to dot1.x, but with no impact on the user experience.

Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing

2 answers

  1. Harry Phan 17,510 Reputation points Independent Advisor
    2026-03-10T08:47:19.48+00:00

    Hello Handian,

    What you need is machine-based or computer authentication with SSO in IEEE 802.1X rather than user-prompt authentication. When company devices are already joined to Microsoft Entra ID (Azure AD), the usual design is EAP-TLS using device certificates, which allows the workstation to authenticate automatically to the switch before the user signs in. The switch acts as the authenticator, the backend RADIUS service (typically Network Policy Server) validates the certificate, and the endpoint uses a certificate deployed through Microsoft Intune or AD CS. On the client side the wired profile is configured with Computer Authentication or Single Sign-On (pre-logon) so Windows supplies the machine credential automatically and no user prompt appears. This design is the standard enterprise approach to move from open wired networks to 802.1X while keeping the user experience unchanged.

    I hope it's helpful. If it is, please give it a thumbs up or accept the answer; I appreciate it :)

    Harry.


  2. Q&A Assist
    2026-03-10T07:44:24.85+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For company devices that are already joined to Microsoft Entra ID (Azure AD), configure 802.1X so that the device (machine) authenticates to the wired network instead of the user. This avoids prompting users for credentials and keeps the experience seamless.

    In Intune, this is done by using a wired network configuration profile and setting:

    1. Authentication mode = "Machine" or "User or machine"
      • Machine: Uses the device’s own credentials to authenticate to the 802.1X network. Users are not prompted.
      • User or machine: Uses device credentials when no user is signed in, and user credentials when a user is signed in. If the goal is zero prompts, prefer Machine with appropriate certificate/device auth.
    2. Remember credentials at each logon
      • If user-based authentication is required, set Remember credentials at each logon to Enable so that users are not repeatedly prompted after the first sign-in.

    These settings allow moving from an unsecured wired network to 802.1X while minimizing or eliminating user credential prompts on Entra ID–joined devices.
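
An added example, not part of either answer and not Microsoft tooling: a Python check over a wired profile exported with `netsh lan export profile`, confirming it matches the design described above (machine authentication with EAP-TLS). The sample XML is constructed and trimmed to the audited fields, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by Windows wired (LAN) 802.1X profiles.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "host": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eap": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_TLS = "13"  # IANA EAP method type number for EAP-TLS (25 is PEAP)

def sample_profile(auth_mode, eap_type):
    """Constructed sample (not from a real device), trimmed to the audited fields."""
    return f"""<LANProfile xmlns="{NS['lan']}">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="{NS['onex']}">
      <authMode>{auth_mode}</authMode>
      <EAPConfig><EapHostConfig xmlns="{NS['host']}">
        <EapMethod><Type xmlns="{NS['eap']}">{eap_type}</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>"""

def audit_wired_profile(xml_text):
    """Return findings; an empty list means machine auth with EAP-TLS is configured."""
    root = ET.fromstring(xml_text)
    sec = root.find("lan:MSM/lan:security", NS)
    if sec is None:
        return ["no <security> element: not a wired 802.1X profile"]
    findings = []
    if sec.findtext("lan:OneXEnabled", "", NS).strip().lower() != "true":
        findings.append("802.1X is not enabled (OneXEnabled is not true)")
    mode = sec.findtext("onex:OneX/onex:authMode", "", NS).strip()
    if mode != "machine":  # e.g. machineOrUser switches to user credentials after sign-in
        findings.append(f"authMode is {mode or 'unset'!r}, expected 'machine'")
    eap_type = sec.findtext(".//host:EapMethod/eap:Type", "", NS).strip()
    if eap_type != EAP_TLS:
        findings.append(f"EAP type is {eap_type or 'unset'!r}, expected 13 (EAP-TLS)")
    return findings

if __name__ == "__main__":
    for mode, eap in (("machine", "13"), ("machineOrUser", "25")):
        print(mode, eap, audit_wired_profile(sample_profile(mode, eap)) or "OK")
```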

