IndexLayout.skipToMainContent
English (US)
Pricing

How to Use Microsoft Intune to Push WiFi Certificates to Devices

A comprehensive technical reference for IT leaders on deploying 802.1X WiFi certificates via Microsoft Intune. Covers SCEP vs PKCS architecture, implementation steps, compliance mapping, and real-world deployment scenarios for enterprise environments.

📖 7 GuidesSlugPage.minRead📝 1,541 GuidesSlugPage.words🔧 2 GuidesSlugPage.workedExamples3 GuidesSlugPage.practiceQuestions📚 8 GuidesSlugPage.keyDefinitions

GuidesSlugPage.podcastTitle

GuidesSlugPage.podcastTranscript
HOW TO USE MICROSOFT INTUNE TO PUSH WIFI CERTIFICATES TO DEVICES A Purple Enterprise WiFi Intelligence Briefing [INTRODUCTION & CONTEXT — approximately 1 minute] Welcome back. I'm speaking today on behalf of Purple, the enterprise WiFi intelligence platform, and this episode is a focused briefing on one of the most practical — and honestly, most underrated — capabilities in the Microsoft Intune toolkit: automated certificate deployment for 802.1X WiFi authentication. If you're managing WiFi across a hotel estate, a retail chain, a stadium, or a public-sector estate, you'll know the pain point I'm about to describe. You've got hundreds or thousands of managed devices. You want them to connect to your corporate WiFi automatically, securely, without users typing passwords, without IT touching every single device. And you want that connection to be cryptographically strong — not just a shared password that someone's already emailed to half the organisation. That's exactly what Intune certificate deployment solves. And in the next nine minutes, I'm going to walk you through how it works, how to deploy it, and the pitfalls that catch most teams out on the first attempt. [TECHNICAL DEEP-DIVE — approximately 5 minutes] Let's start with the architecture. The foundation here is IEEE 802.1X — the port-based network access control standard that's been the backbone of enterprise WiFi security for over two decades. When a device connects to your WiFi, 802.1X requires it to authenticate before it gets any network access. The authentication conversation happens between three parties: the device — called the supplicant — your WiFi access point, which acts as the authenticator, and your RADIUS server, which is the authentication server that makes the final decision. Now, 802.1X supports multiple authentication methods. The most secure is EAP-TLS — Extensible Authentication Protocol with Transport Layer Security. EAP-TLS uses mutual certificate authentication: the device presents a certificate to prove its identity, and the RADIUS server presents a certificate to prove its identity. No passwords involved. No credentials that can be phished. This is what we're aiming for. The challenge has always been getting those certificates onto devices at scale. That's where Microsoft Intune comes in. Intune supports two certificate deployment mechanisms: SCEP — Simple Certificate Enrollment Protocol — and PKCS, which stands for Public Key Cryptography Standards. Understanding the difference matters. With SCEP, the private key is generated on the device itself. The device creates a Certificate Signing Request, sends it to your Certificate Authority via an intermediary server called NDES — the Network Device Enrollment Service — and the CA issues the certificate back. The private key never leaves the device. This is the more secure approach and is recommended for BYOD environments and high-security deployments. With PKCS, the Certificate Authority generates the key pair, and the Intune Certificate Connector delivers the private key and certificate to the device. It's simpler to set up — no NDES server required — but the private key does transit through the connector, which is a consideration for your security posture. For most enterprise deployments I'd recommend SCEP for BYOD and mixed-device environments, and PKCS where you have a homogeneous fleet of corporate-owned Windows devices and want to minimise infrastructure complexity. Now, let's talk about the deployment sequence — because the order matters and getting it wrong is the most common cause of failed rollouts. Step one: configure your Certificate Authority. You need a certificate template on your Active Directory Certificate Services instance — or if you're fully cloud-native, Microsoft's Intune Cloud PKI is now generally available and removes the on-premises CA requirement entirely. The template needs the correct key usage extensions: Client Authentication is mandatory. Set the minimum key size to 2048 bits, or 4096 if your organisation's security policy requires it. Step two: deploy the trusted root certificate. Before any device can validate the RADIUS server's certificate, it needs to trust the CA that issued it. You create a Trusted Certificate configuration profile in Intune, upload the root CA certificate, and assign it to your device groups. This must land on devices before any WiFi profile or client certificate profile. If you get the sequencing wrong, devices will reject the RADIUS server and you'll spend an afternoon staring at Event ID 20271 in the Windows event log. Step three: deploy the client certificate profile. This is either your SCEP profile — pointing at your NDES server URL — or your PKCS profile, pointing at your Certificate Authority. The Subject Alternative Name should include the User Principal Name for user certificates, or the AAD Device ID for device certificates. This distinction matters: user certificates authenticate the logged-in user, device certificates authenticate the machine itself, which means the device can connect to WiFi before a user logs in — useful for domain join scenarios and kiosk deployments. Step four: create the WiFi configuration profile. In Intune, this is under Devices, Configuration Profiles, Templates, Wi-Fi. Set the WiFi type to Enterprise, enter your SSID, set EAP type to EAP-TLS, configure the server trust settings — this is where you reference the RADIUS server certificate name — and for client authentication, reference the certificate profile you created in step three. Step five: assign everything to the right groups and validate. Assign your root certificate, client certificate, and WiFi profiles to the same device or user groups. Use Intune's built-in reporting to monitor profile deployment status. A successful deployment shows all three profiles as Succeeded in the device's configuration profile list. One critical point on NPS configuration for Windows Server environments: from early 2024, Microsoft tightened certificate mapping requirements. If you're using device certificates with Azure AD-joined devices authenticating against on-premises NPS, you need to ensure the altSecurityIdentities attribute on the computer object in Active Directory is populated with the certificate's thumbprint. This doesn't happen automatically — you need a script or a workflow to handle it, typically triggered when the CA issues a new certificate. [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approximately 2 minutes] Let me give you the three pitfalls that I see most frequently in enterprise deployments. Pitfall one: certificate chain gaps. The device needs to trust every certificate in the chain from the root CA down to the RADIUS server's certificate. If your RADIUS server certificate was issued by an intermediate CA, you need to deploy both the root and the intermediate to devices. I've seen deployments fail for weeks because someone deployed the root but not the intermediate. Pitfall two: profile assignment timing. Intune profiles don't land on devices instantaneously. In a large estate, it can take 15 to 30 minutes for profiles to propagate after assignment. Don't test immediately after creating profiles. Use the Sync button in the Intune portal to force a check-in, then wait. Also, client certificate profiles must be deployed and confirmed before the WiFi profile is applied — if the WiFi profile references a certificate that doesn't exist yet, the profile will fail silently on some platforms. Pitfall three: BYOD certificate revocation. When a device is unenrolled from Intune — because an employee leaves, or a device is lost — you need a process to revoke the certificate. If you're using SCEP with ADCS, configure the Certificate Revocation List distribution point correctly and ensure your RADIUS server is checking CRL or OCSP on every authentication. This is a compliance requirement under frameworks like PCI DSS, which mandates that access control mechanisms be revoked promptly when no longer needed. On the topic of compliance: if you're operating in a PCI DSS scope — retail payment environments, for example — certificate-based 802.1X authentication is your strongest control for wireless network access. It satisfies PCI DSS Requirement 1.3 around network access controls and Requirement 8.6 around authentication factors. Document your certificate lifecycle management process as part of your compliance evidence. For GDPR-regulated environments, particularly in hospitality and public-sector, the separation between your corporate 802.1X network and your guest WiFi network is critical. Your corporate Intune-managed network should be on a completely separate VLAN and SSID from any guest or visitor network. Purple's guest WiFi platform handles the visitor-facing side — captive portal, consent capture, analytics — while your Intune-managed corporate network handles staff and operational devices. These two networks should never share authentication infrastructure. [RAPID-FIRE Q&A — approximately 1 minute] Let me run through a few questions that come up regularly. Can I use Intune Cloud PKI instead of on-premises ADCS? Yes. Microsoft's Intune Cloud PKI, released in 2024, provides a fully managed CA in Azure. It removes the NDES server requirement for SCEP and simplifies the connector setup significantly. For greenfield deployments or organisations without existing ADCS infrastructure, it's the recommended path. Does this work for macOS and iOS devices? Yes. Intune supports certificate profiles for Windows, iOS, iPadOS, Android, and macOS. The profile types and configuration options vary slightly by platform, but the core architecture — trusted root, client certificate, WiFi profile — is consistent. What about personal devices in a BYOD programme? SCEP is your friend here. With Intune's device compliance policies, you can require that a device meets minimum security standards before a certificate is issued. If the device falls out of compliance — no screen lock, outdated OS — the certificate can be revoked and network access removed automatically. Can Purple integrate with this architecture? Absolutely. Purple's platform sits on the guest network side, handling captive portal authentication, consent management, and analytics. The corporate 802.1X network and Purple's guest WiFi operate in parallel — same physical infrastructure, different SSIDs and VLANs — giving you complete separation between staff connectivity and visitor engagement. [SUMMARY & NEXT STEPS — approximately 1 minute] To wrap up: deploying WiFi certificates via Intune is a five-step process — CA configuration, trusted root deployment, client certificate profile, WiFi profile, and group assignment. Choose SCEP for BYOD and high-security environments; PKCS for simpler corporate-owned fleets. Get the sequencing right, handle the NPS certificate mapping requirement, and build a certificate revocation workflow from day one. The business case is straightforward: you eliminate shared WiFi passwords, you get per-device and per-user authentication logs, you satisfy PCI DSS and ISO 27001 wireless security requirements, and you reduce the IT overhead of managing WiFi credentials across a large estate. If you're planning a deployment and want to understand how Purple's guest WiFi and analytics platform fits alongside your corporate network architecture, visit purple.ai. We've got detailed guides on Azure Entra ID integration, 802.1X architecture, and guest network design for hospitality, retail, and public-sector environments. Thanks for listening. Until next time.

header_image.png

Executive Summary

For enterprise IT leaders managing large-scale environments across Hospitality , Retail , or public-sector venues, secure wireless access is a baseline operational requirement. Relying on shared PSKs (Pre-Shared Keys) or username/password authentication (PEAP-MSCHAPv2) exposes the network to credential theft, phishing, and compliance failures. The industry standard for robust enterprise WiFi security is 802.1X with EAP-TLS (Extensible Authentication Protocol with Transport Layer Security), which mandates mutual certificate-based authentication between the device and the network.

However, the primary barrier to EAP-TLS adoption has historically been the operational overhead of certificate lifecycle management. Microsoft Intune resolves this by automating the delivery, renewal, and revocation of digital certificates to managed devices at scale.

This technical reference details the architecture, deployment methodologies (SCEP vs PKCS), and implementation steps required to push WiFi certificates via Microsoft Intune. It provides actionable guidance for network architects and systems engineers tasked with securing corporate communications while maintaining strict separation from visitor networks, such as those managed by a Guest WiFi platform.

Technical Deep-Dive: Architecture and Protocols

To implement certificate-based authentication effectively, IT teams must understand the interaction between the Mobile Device Management (MDM) platform, the Public Key Infrastructure (PKI), and the network access control layer.

The 802.1X Authentication Framework

The IEEE 802.1X standard defines port-based network access control. In a wireless context, it prevents a device from passing any traffic (other than EAP authentication frames) until its identity is verified. The architecture consists of three components:

  1. Supplicant: The client device (laptop, smartphone, tablet) requesting network access.
  2. Authenticator: The wireless access point or wireless LAN controller that blocks traffic until authentication succeeds.
  3. Authentication Server: The RADIUS (Remote Authentication Dial-In User Service) server, such as Microsoft Network Policy Server (NPS) or Cisco ISE, which validates the credentials and authorises access.

EAP-TLS and Mutual Authentication

EAP-TLS is the most secure EAP method because it requires mutual authentication. The RADIUS server presents its certificate to the supplicant to prove it is the legitimate corporate network (preventing evil-twin attacks), and the supplicant presents its client certificate to the RADIUS server to prove it is an authorised device or user.

architecture_overview.png

Intune Certificate Deployment Mechanisms: SCEP vs PKCS

Microsoft Intune supports two primary protocols for deploying client certificates to devices. Selecting the appropriate mechanism is a critical architectural decision.

Simple Certificate Enrollment Protocol (SCEP)

With SCEP, the private key is generated directly on the client device. The device creates a Certificate Signing Request (CSR) and submits it via Intune to the Network Device Enrollment Service (NDES) server, which acts as a proxy to the Active Directory Certificate Services (ADCS) infrastructure. The CA issues the certificate, which is returned to the device.

Because the private key never leaves the device, SCEP is considered highly secure and is the recommended approach for BYOD (Bring Your Own Device) deployments and zero-trust architectures.

Public Key Cryptography Standards (PKCS)

With PKCS, the Intune Certificate Connector requests the certificate from the CA on behalf of the device. The CA generates both the public certificate and the private key, which the connector then securely delivers to the device via Intune.

While PKCS simplifies the infrastructure requirements (no NDES server is needed), the private key is transmitted across the network. This model is generally acceptable for corporate-owned, fully managed device fleets where the MDM platform is already a highly trusted component.

certificate_deployment_comparison.png

Implementation Guide: Step-by-Step Deployment

Deploying WiFi certificates via Intune requires precise sequencing. Deploying profiles out of order is the most common cause of implementation failure.

Step 1: Prepare the Public Key Infrastructure (PKI)

Whether utilising on-premises ADCS or a cloud-native solution like Microsoft Cloud PKI, the Certificate Authority must be configured with the appropriate templates.

  • Key Usage: The template must include the Client Authentication OID (1.3.6.1.5.5.7.3.2).
  • Key Size: Configure a minimum key size of 2048 bits (RSA) to align with modern cryptographic standards.
  • Subject Name: For user certificates, the Subject Alternative Name (SAN) should be configured to use the User Principal Name (UPN). For device certificates, use the Azure AD Device ID.

Step 2: Deploy the Trusted Root Certificate

Before a device can authenticate, it must trust the CA that issued the RADIUS server's certificate.

  1. Export the Root CA certificate (and any intermediate CA certificates) in .cer format.
  2. In the Intune admin centre, navigate to Devices > Configuration profiles > Create profile.
  3. Select the platform and choose the Trusted certificate profile type.
  4. Upload the .cer file and assign the profile to the target device or user groups.

Note: This profile must successfully apply to devices before proceeding to the next steps.

Step 3: Deploy the Client Certificate Profile

Create either a SCEP or PKCS certificate profile to deliver the identity certificate to the supplicant.

  1. Navigate to Devices > Configuration profiles > Create profile.
  2. Select the platform and choose either SCEP certificate or PKCS certificate.
  3. Configure the Subject Name format and SAN according to your identity requirements (User vs. Device).
  4. Specify the Key Storage Provider (KSP) — typically the Trusted Platform Module (TPM) for hardware-backed security.
  5. Assign the profile to the same groups targeted in Step 2.

Step 4: Configure the WiFi Profile

The final component binds the certificates to the wireless network settings.

  1. Navigate to Devices > Configuration profiles > Create profile.
  2. Select the platform and choose the Wi-Fi profile type.
  3. Set the Wi-Fi type to Enterprise and enter the exact SSID.
  4. Set the EAP type to EAP-TLS.
  5. Under Server Trust, specify the exact name of the RADIUS server certificate and select the Trusted Root certificate profile deployed in Step 2.
  6. Under Client Authentication, select the SCEP or PKCS certificate profile deployed in Step 3.
  7. Assign the profile to the target groups.

Best Practices & Strategic Recommendations

Device vs. User Certificates

Network architects must decide whether to issue certificates to the device (machine authentication) or the user (user authentication).

  • Device Certificates: Allow the machine to connect to the WiFi network before a user logs in. This is critical for initial device provisioning, Group Policy processing, and password resets at the login screen. Recommended for corporate-owned devices.
  • User Certificates: Tie network access to the individual's identity. This provides granular auditing and role-based access control. Recommended for BYOD scenarios.

Network Segmentation and Guest Access

A fundamental security principle is the strict logical separation of the corporate 802.1X network from visitor or public access networks. The Intune-managed infrastructure should be dedicated exclusively to corporate devices and authenticated staff.

For visitor access, organisations should deploy a dedicated Guest WiFi SSID backed by a captive portal. This ensures that unmanaged devices are isolated, while still allowing the business to capture visitor analytics via a WiFi Analytics platform. To learn more about securing DNS infrastructure across both segments, review our guide on how to Protect Your Network with Strong DNS and Security .

Addressing the NPS Certificate Mapping Requirement

For organisations utilising Microsoft Network Policy Server (NPS) with Azure AD-joined devices, a critical configuration change was introduced by Microsoft. NPS now requires strong certificate mapping.

When using device certificates, the computer object in the on-premises Active Directory must have its altSecurityIdentities attribute populated with the certificate's details (typically the X509IssuerSerialNumber). IT teams must implement a scheduled script or event-driven workflow to update this attribute when Intune issues a new certificate, otherwise authentication will fail.

Troubleshooting & Risk Mitigation

When an 802.1X deployment fails, the issue almost always resides in the certificate chain or the Intune profile sequencing.

Common Failure Modes

  1. Silent WiFi Profile Failure: If the Intune WiFi profile is applied to a device before the client certificate has been successfully provisioned, the WiFi profile will often fail to install or will fail silently. Always verify certificate presence in the device's Personal store (certmgr.msc on Windows) before troubleshooting the WiFi configuration.
  2. Server Trust Validation Errors: If the device rejects the RADIUS server, verify that the server name specified in the Intune WiFi profile exactly matches the Subject Name or SAN on the RADIUS server's certificate. Additionally, ensure that the entire certificate chain (Root and Intermediate) is present in the device's Trusted Root Certification Authorities store.
  3. Certificate Revocation List (CRL) Unavailability: If the RADIUS server cannot reach the CA's CRL distribution point to verify the client certificate's status, authentication will be denied. Ensure the CRL URL is highly available and accessible from the RADIUS server.

ROI & Business Impact

Transitioning to certificate-based WiFi authentication via Intune delivers significant operational and security returns.

  • Risk Mitigation: Eliminates the risk of credential harvesting, pass-the-hash attacks, and unauthorised network access via shared PSKs.
  • Operational Efficiency: Reduces IT helpdesk tickets related to password expirations and WiFi connectivity issues. The automated lifecycle management means certificates are renewed transparently without user intervention.
  • Compliance Enablement: Satisfies stringent regulatory requirements. For retail environments, it directly addresses PCI DSS requirements for robust wireless encryption and authentication. For public sector and healthcare, it aligns with zero-trust network access (ZTNA) principles.

By leveraging Microsoft Intune for certificate deployment, IT teams can achieve a frictionless, highly secure wireless experience that operates silently in the background, allowing the business to focus on core operations.

GuidesSlugPage.keyDefinitionsTitle

802.1X

An IEEE standard for port-based network access control that prevents unauthorized devices from accessing a LAN or WLAN until they successfully authenticate.

The foundational security protocol that replaces shared WiFi passwords with enterprise-grade authentication in corporate environments.

EAP-TLS

Extensible Authentication Protocol with Transport Layer Security. An authentication framework that requires both the client and the server to prove their identities using digital certificates.

The specific protocol configured in the Intune WiFi profile to enforce mutual certificate authentication, eliminating the risk of credential theft.

SCEP

Simple Certificate Enrollment Protocol. A mechanism where the client device generates its own private key and requests a certificate from the CA via an intermediary server.

The preferred deployment method for BYOD environments because the private key is never transmitted across the network.

PKCS

Public Key Cryptography Standards. In the context of Intune, a deployment method where the CA generates the private key and the Intune Connector securely delivers it to the device.

A simpler deployment architecture often used for corporate-owned device fleets, as it removes the need for an NDES server.

NDES

Network Device Enrollment Service. A Microsoft server role that acts as a proxy, allowing devices running without domain credentials to obtain certificates from an Active Directory Certificate Authority.

A mandatory infrastructure component when deploying certificates via SCEP in an on-premises ADCS environment.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

The server (like Microsoft NPS or Cisco ISE) that receives the authentication request from the WiFi access point and validates the device's certificate.

Supplicant

The software client on the end-user device (laptop, smartphone) that initiates the 802.1X authentication process.

The Intune WiFi profile configures the native OS supplicant (e.g., Windows WLAN AutoConfig) to use the correct certificates and EAP methods.

Certificate Revocation List (CRL)

A digitally signed list published by the Certificate Authority containing the serial numbers of certificates that have been revoked and should no longer be trusted.

Crucial for security compliance; the RADIUS server must check the CRL to ensure a connecting device hasn't been reported lost or stolen.

GuidesSlugPage.workedExamplesTitle

A 400-location retail chain is deploying corporate-owned tablets for inventory management. The devices are fully managed via Intune and joined to Azure AD. They need immediate network access upon boot to sync inventory databases, before any specific user logs in. The network infrastructure uses Cisco ISE as the RADIUS server. What is the optimal certificate deployment strategy?

The IT team should implement PKCS device certificates.

  1. Configure a device certificate template on the CA.
  2. Deploy the Root CA certificate to the tablets via Intune.
  3. Create a PKCS certificate profile in Intune, setting the Subject Name format to the Azure AD Device ID ({{AAD_Device_ID}}).
  4. Create an Enterprise WiFi profile specifying EAP-TLS, referencing the ISE server's certificate name and the deployed PKCS profile.
  5. Assign all profiles to the device group containing the tablets.
GuidesSlugPage.examinerCommentary PKCS is appropriate here because the devices are corporate-owned and fully managed, reducing the risk associated with private key transit. Device certificates are mandatory because the tablets require network access prior to user login. By targeting the Azure AD Device ID, Cisco ISE can authenticate the specific hardware asset and assign it to the correct restricted inventory VLAN.

A large teaching hospital allows medical staff to use their personal smartphones (BYOD) to access clinical scheduling applications. The devices are enrolled in Intune via a Work Profile. Security policy mandates that no corporate credentials be stored on personal devices, and network access must be revoked immediately if a device is compromised. How should the WiFi authentication be designed?

The hospital must implement SCEP user certificates combined with Intune Compliance Policies.

  1. Deploy an NDES server to proxy requests to the CA.
  2. Create a SCEP user certificate profile in Intune, with the SAN configured to the User Principal Name ({{UserPrincipalName}}).
  3. Create an Intune Compliance Policy requiring a minimum OS version, an active screen lock, and no jailbreak/root access.
  4. Configure the CA to publish a highly available Certificate Revocation List (CRL).
  5. Configure the RADIUS server to strictly enforce CRL checking on every authentication attempt.
GuidesSlugPage.examinerCommentary SCEP is the only acceptable choice for BYOD because the private key is generated on the personal device and cannot be intercepted. User certificates are required to tie network activity to the specific clinician for HIPAA/GDPR auditing. The critical component is the integration with Intune Compliance Policies; if a device becomes non-compliant, Intune can trigger certificate revocation, and the RADIUS server's CRL check will immediately block network access.

GuidesSlugPage.practiceQuestionsTitle

Q1. Your organisation is migrating from PEAP-MSCHAPv2 (username/password) to EAP-TLS for the corporate WiFi. During the pilot phase, several Windows 11 laptops receive the Intune configuration profiles successfully but fail to connect to the network. Reviewing the Windows Event Logs shows Event ID 20271 indicating the RADIUS server certificate was rejected. What is the most likely cause?

GuidesSlugPage.hintPrefixConsider the chain of trust required for mutual authentication.

GuidesSlugPage.viewModelAnswer

The devices lack the Trusted Root CA certificate that issued the RADIUS server's certificate. In EAP-TLS, the device must validate the RADIUS server's identity. The IT team must ensure the 'Trusted certificate' profile containing the Root CA (and any Intermediate CAs) is deployed to the devices via Intune and successfully installed before the WiFi profile attempts to connect.

Q2. A public sector venue is deploying 802.1X for staff devices using Intune and PKCS certificates. They also operate a separate visitor network managed by a Guest WiFi platform. An auditor notes that if a staff laptop is stolen, the certificate remains valid for 12 months. How should the network architect address this risk?

GuidesSlugPage.hintPrefixHow does the authentication server know a certificate is no longer valid before it expires?

GuidesSlugPage.viewModelAnswer

The architect must implement a robust Certificate Revocation workflow. First, ensure the CA publishes a Certificate Revocation List (CRL) to a highly available distribution point. Second, configure the RADIUS server (e.g., NPS) to mandate CRL checking during every authentication attempt. Finally, establish an Intune operational procedure to explicitly revoke the certificate of any device marked as lost or stolen, which updates the CRL and blocks network access.

Q3. You are designing the Intune deployment for a fleet of shared kiosk devices in a retail environment. These devices reboot daily and must immediately connect to the corporate network to download updates before any user interacts with them. Should you deploy User certificates or Device certificates, and what Subject Alternative Name (SAN) format should be used?

GuidesSlugPage.hintPrefixConsider the state of the device immediately after a reboot.

GuidesSlugPage.viewModelAnswer

You must deploy Device certificates. Because the kiosks need network access before a user logs in, a User certificate would be unavailable at boot time. The Subject Alternative Name (SAN) in the Intune certificate profile should be configured to use the Azure AD Device ID ({{AAD_Device_ID}}) or the device's fully qualified domain name, allowing the RADIUS server to authenticate the specific hardware asset.

About us
Careers
B Corp Report
Plans
Guest WiFi Features
Guest WiFi Pricing
Professional Services
Book a Demo
Passwordless WiFi
RADIUS-as-a-Service
WPA-Enterprise
Captive Portal Software
Multi-Tenant WiFi
Staff WiFi
Solutions
WiFi for Marketing Teams
WiFi for IT & Network Teams
WiFi for Small Business
WiFi Marketing & Analytics
Passwordless Onboarding
Industries
WiFi for Hospitality
WiFi for Hotels
WiFi for Retail
WiFi for Healthcare
WiFi for Higher Education
WiFi for Stadiums
WiFi for Restaurants
WiFi for Corporate Offices
Browse all industries
Policies
Legal
Privacy policy
Terms of use
My data
Cookie policy
Standard SLA
Resources
WiFi blog
WiFi guides
WiFi glossary
Case studies
All resources
ROI Calculator
Pricing Calculator
Access Point Calculator
Guest WiFi Feature Checklist
WiFi Tools
Purple Support
Whatsapp
© 2026 Purple. All Rights Reserved.
Manage Cookie Preferences
Metadata.titleTemplate