[BTS] – How does a certificate-based Wi-Fi profile from Intune work?

BTS - Certificate-based Wi-Fi authentication with Microsoft Intune and EAP-TLS

Modern enterprises depend on secure wireless connectivity, and WPA2-Enterprise with EAP-TLS authentication is one of the most robust methods for ensuring network security without relying on user credentials.

[Figure: WPA2 EAP-TLS overview]

When combined with Microsoft Intune Wi-Fi configuration, this process becomes seamless for end users and enables zero-touch Wi-Fi onboarding.

[Figure: A simplified overview of how a WPA2 EAP-TLS Wi-Fi profile from Intune works]

At its core, EAP-TLS uses mutual certificate-based authentication between the device and the RADIUS server. Here’s the simplified workflow:

  1. Intune deploys profiles: Wi-Fi configuration, trusted root certificate, and SCEP/PKCS certificate profiles.
  2. Device applies settings and attempts to connect to the SSID.
  3. Access Point forwards the request to the RADIUS server.
  4. Server presents its certificate, which the device validates using its trusted CA.
  5. Device presents its client certificate (issued via SCEP/PKCS) to the RADIUS server.
  6. Mutual TLS handshake completes, granting network access.

[Figure: Microsoft Intune WPA2 EAP-TLS Wi-Fi profile workflow]

Key Components

1. Intune (Cloud Service)

  • Role: Deploys configuration profiles to managed Android devices.
  • Profiles Delivered:
    • Wi-Fi Profile: Contains SSID, EAP-TLS settings, and domain name.
    • Trusted Root Certificate Profile: Ensures the device trusts the RADIUS server certificate.
    • SCEP/PKCS Certificate Profile: Issues a client certificate for device authentication.

2. Device

  • Role: Receives profiles from Intune and applies them.
  • Certificates Installed:
    • Trusted Root CA: Used to validate the RADIUS server certificate during TLS handshake.
    • Client Certificate: Used for mutual authentication with the RADIUS server.

3. Access Point & RADIUS Server

  • Role: Acts as the authentication point for WPA2-Enterprise.
  • Certificate Requirements:
    • Server Certificate: Signed by the enterprise CA and trusted by the device.
    • Validation: Confirms the client certificate is valid and issued by a trusted CA.

Certificate Roles

  • Trusted Root CA:
    • Installed on the device to validate the RADIUS server certificate.
  • Client Certificate:
    • Installed via SCEP/PKCS profile.
    • Contains Client Authentication EKU for EAP-TLS.
  • Server Certificate:
    • Presented by the RADIUS server during handshake.
    • Must match the domain specified in the Wi-Fi profile.

Profile Deployment order from Intune

Provided that the necessary configurations are already in place, once a device enrolls in Intune, Intune pushes to it every profile that is targeted at that device or its user.

For a certificate-based Wi-Fi configuration, the profiles are deployed in the order shown in the figure below.

[Figure: Correct profile deployment order from Intune for a WPA2 EAP-TLS Wi-Fi profile]

It’s important to note that this deployment order matters!

Why does the order matter?
The Wi-Fi profile references the trusted root certificate profile and the SCEP/PKCS certificate profile. If it reaches the device before those certificates are present, the device can neither validate the RADIUS server certificate nor present a client certificate of its own, and the connection attempt fails. The device must trust the server before presenting its own certificate.

Breaking down the WPA2 EAP-TLS connection flow

  1. Device Initiates Connection:
    • The device detects the SSID and applies the Intune Wi-Fi profile settings.
    • It selects EAP-TLS as the authentication method.
  2. Server Validation:
    • The RADIUS server sends its certificate to the device.
    • The device validates this certificate against its trusted CA store or certificate profile (configured via MDM or OS settings). This ensures the device is talking to a legitimate authentication server.
    • If the domain name and certificate chain match, the handshake continues.
  3. Client Certificate Presentation:
    • After validating the server, the device presents its SCEP/PKCS certificate to the RADIUS server.
    • This certificate includes the Client Authentication EKU and is signed by the enterprise CA.
    • The RADIUS server validates the certificate presented by the device against its configured trusted CA and checks whether it matches the expected identity.
  4. Mutual TLS Handshake:
    • Both sides establish a secure TLS tunnel.
    • No username/password is required because authentication relies on the certificate.
  5. Network Access Granted:
    • Once the TLS session is established, the device is authorized for network access based on RADIUS policies.

[Figure: EAP-TLS handshake for WPA2-Enterprise Wi-Fi]
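As an added illustration of the two validation steps above, of the certificate roles listed earlier, and of why the trusted root must reach the device before the Wi-Fi profile is used, here is a self-contained Go program that is not part of the original post. It mints a throwaway enterprise root CA, a RADIUS server certificate and a device client certificate, then runs the device-side check (chain to the trusted root, name must match the Wi-Fi profile's domain) and the RADIUS-side check (chain to the trusted CA, Client Authentication EKU present). The CA name, `radius.corp.example` and `DEVICE-0001` are constructed placeholders, and `BuildPKI`, `DeviceValidatesServer` and `RADIUSValidatesClient` are the example's own functions, not anything Intune or a RADIUS product exposes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the three EAP-TLS certificates (constructed for this example; one root CA issues both leaves).
type PKI struct{ Root, Server, Client *x509.Certificate }

func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
}

// issue signs tmpl with parentKey; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI mints a root CA, a server certificate for serverName and a client certificate whose
// Extended Key Usage is clientEKU (so a mis-templated SCEP/PKCS certificate can be modelled too).
func BuildPKI(serverName string, clientEKU []x509.ExtKeyUsage) (*PKI, error) {
	rootTmpl := template(1, "Contoso Issuing CA (constructed)")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid = true, true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	serverTmpl := template(2, serverName)
	serverTmpl.DNSNames = []string{serverName} // the name the Wi-Fi profile's domain is matched against
	serverTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	server, _, err := issue(serverTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	clientTmpl := template(3, "DEVICE-0001") // placeholder device identity
	clientTmpl.ExtKeyUsage = clientEKU
	client, _, err := issue(clientTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Server: server, Client: client}, nil
}

// pool builds a trust store; nil models a device whose trusted-root profile has not arrived yet.
func pool(trusted *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	if trusted != nil {
		p.AddCert(trusted)
	}
	return p
}

// DeviceValidatesServer is step 2: chain the RADIUS certificate to the root pushed by Intune
// and require its name to match the domain configured in the Wi-Fi profile.
func DeviceValidatesServer(server, trustedRoot *x509.Certificate, profileDomain string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: pool(trustedRoot), DNSName: profileDomain,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// RADIUSValidatesClient is step 3: chain the device certificate to the CA the RADIUS server
// trusts and require the Client Authentication EKU.
func RADIUSValidatesClient(client, trustedRoot *x509.Certificate) error {
	_, err := client.Verify(x509.VerifyOptions{Roots: pool(trustedRoot),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	good, _ := BuildPKI("radius.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	bad, _ := BuildPKI("radius.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection})
	fmt.Println("server ok:", DeviceValidatesServer(good.Server, good.Root, "radius.corp.example"))
	fmt.Println("domain mismatch:", DeviceValidatesServer(good.Server, good.Root, "radius.other.example"))
	fmt.Println("root not yet on device:", DeviceValidatesServer(good.Server, nil, "radius.corp.example"))
	fmt.Println("client ok:", RADIUSValidatesClient(good.Client, good.Root), "| wrong EKU:", RADIUSValidatesClient(bad.Client, bad.Root))
}
```

The three failing calls in `main` correspond to the three things that most often break a rollout: the server name in the Wi-Fi profile not matching the RADIUS certificate, the Wi-Fi profile landing before the trusted root profile, and a client certificate template that lacks the Client Authentication EKU. Each fails at a different point in the handshake, which is what the step-by-step flow above predicts.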

Key Points

  • Server certificate validation happens first (device checks RADIUS).
  • Client certificate validation happens next (RADIUS checks device).
  • Both sides must trust the issuing CA of the other party’s certificate for the handshake to succeed.

Key Requirements

  • Intune Wi-Fi profile configured for EAP-TLS.
  • SCEP/PKCS certificate profile deployed to device.
  • Trusted Root CA installed on device.
  • RADIUS server configured for EAP-TLS and trusts enterprise CA.

User Experience

The process is seamless for the end user:

  • No manual entry of credentials.
  • The device automatically connects when in range if the profile is set to auto-connect. [learn.microsoft.com]

The Big Picture: Complete IT Landscape Visual Workflow of a WPA2 EAP-TLS connection in the context of Intune

Here is a visual workflow sequence explaining the end-to-end WPA2-Enterprise EAP-TLS certificate-based Wi-Fi onboarding process in an enterprise environment using:

  • Microsoft Intune for profile deployment
  • NDES and Issuing CA for certificate issuance
  • Access Point and RADIUS Server for authentication

[Figure: Complete IT landscape visual workflow of a WPA2 EAP-TLS connection in the context of Intune]

Why This Matters

Implementing certificate-based Wi-Fi authentication with Microsoft Intune and WPA2 EAP-TLS ensures:

  • Strong security for enterprise networks.
  • Elimination of password-based vulnerabilities.
  • Simplified onboarding with zero-touch Wi-Fi provisioning.