如何使用 Microsoft Intune 向设备推送 WiFi 证书
一份面向 IT 领导者的综合技术参考,内容涵盖通过 Microsoft Intune 部署 802.1X WiFi 证书。涉及 SCEP 与 PKCS 架构、实施步骤、合规映射以及企业环境中的实际部署场景。
收听本指南
查看播客转录
- Executive Summary
- Technical Deep-Dive: Architecture and Protocols
- The 802.1X Authentication Framework
- EAP-TLS and Mutual Authentication
- Intune Certificate Deployment Mechanisms: SCEP vs PKCS
- Implementation Guide: Step-by-Step Deployment
- Step 1: Prepare the Public Key Infrastructure (PKI)
- Step 2: Deploy the Trusted Root Certificate
- Step 3: Deploy the Client Certificate Profile
- Step 4: Configure the WiFi Profile
- Best Practices & Strategic Recommendations
- Device vs. User Certificates
- Network Segmentation and Guest Access
- Addressing the NPS Certificate Mapping Requirement
- Troubleshooting & Risk Mitigation
- Common Failure Modes
- ROI & Business Impact

Executive Summary
For enterprise IT leaders managing large-scale environments across Hospitality , Retail , or public-sector venues, secure wireless access is a baseline operational requirement. Relying on shared PSKs (Pre-Shared Keys) or username/password authentication (PEAP-MSCHAPv2) exposes the network to credential theft, phishing, and compliance failures. The industry standard for robust enterprise WiFi security is 802.1X with EAP-TLS (Extensible Authentication Protocol with Transport Layer Security), which mandates mutual certificate-based authentication between the device and the network.
However, the primary barrier to EAP-TLS adoption has historically been the operational overhead of certificate lifecycle management. Microsoft Intune resolves this by automating the delivery, renewal, and revocation of digital certificates to managed devices at scale.
This technical reference details the architecture, deployment methodologies (SCEP vs PKCS), and implementation steps required to push WiFi certificates via Microsoft Intune. It provides actionable guidance for network architects and systems engineers tasked with securing corporate communications while maintaining strict separation from visitor networks, such as those managed by a Guest WiFi platform.
Technical Deep-Dive: Architecture and Protocols
To implement certificate-based authentication effectively, IT teams must understand the interaction between the Mobile Device Management (MDM) platform, the Public Key Infrastructure (PKI), and the network access control layer.
The 802.1X Authentication Framework
The IEEE 802.1X standard defines port-based network access control. In a wireless context, it prevents a device from passing any traffic (other than EAP authentication frames) until its identity is verified. The architecture consists of three components:
- Supplicant: The client device (laptop, smartphone, tablet) requesting network access.
- Authenticator: The wireless access point or wireless LAN controller that blocks traffic until authentication succeeds.
- Authentication Server: The RADIUS (Remote Authentication Dial-In User Service) server, such as Microsoft Network Policy Server (NPS) or Cisco ISE, which validates the credentials and authorises access.
EAP-TLS and Mutual Authentication
EAP-TLS is the most secure EAP method because it requires mutual authentication. The RADIUS server presents its certificate to the supplicant to prove it is the legitimate corporate network (preventing evil-twin attacks), and the supplicant presents its client certificate to the RADIUS server to prove it is an authorised device or user.

Intune Certificate Deployment Mechanisms: SCEP vs PKCS
Microsoft Intune supports two primary protocols for deploying client certificates to devices. Selecting the appropriate mechanism is a critical architectural decision.
Simple Certificate Enrollment Protocol (SCEP)
With SCEP, the private key is generated directly on the client device. The device creates a Certificate Signing Request (CSR) and submits it via Intune to the Network Device Enrollment Service (NDES) server, which acts as a proxy to the Active Directory Certificate Services (ADCS) infrastructure. The CA issues the certificate, which is returned to the device.
Because the private key never leaves the device, SCEP is considered highly secure and is the recommended approach for BYOD (Bring Your Own Device) deployments and zero-trust architectures.
Public Key Cryptography Standards (PKCS)
With PKCS, the Intune Certificate Connector requests the certificate from the CA on behalf of the device. The CA generates both the public certificate and the private key, which the connector then securely delivers to the device via Intune.
While PKCS simplifies the infrastructure requirements (no NDES server is needed), the private key is transmitted across the network. This model is generally acceptable for corporate-owned, fully managed device fleets where the MDM platform is already a highly trusted component.

Implementation Guide: Step-by-Step Deployment
Deploying Wi-Fi certificates via Intune requires precise sequencing. Deploying profiles out of order is the most common cause of implementation failure.
Step 1: Prepare the Public Key Infrastructure (PKI)
Whether utilising on-premises ADCS or a cloud-native solution like Microsoft Cloud PKI, the Certificate Authority must be configured with the appropriate templates.
- Key Usage: The template must include the
Client AuthenticationOID (1.3.6.1.5.5.7.3.2). - Key Size: Configure a minimum key size of 2048 bits (RSA) to align with modern cryptographic standards.
- Subject Name: For user certificates, the Subject Alternative Name (SAN) should be configured to use the User Principal Name (UPN). For device certificates, use the Azure AD Device ID.
Step 2: Deploy the Trusted Root Certificate
Before a device can authenticate, it must trust the CA that issued the RADIUS server's certificate.
- Export the Root CA certificate (and any intermediate CA certificates) in
.cerformat. - In the Intune admin centre, navigate to Devices > Configuration profiles > Create profile.
- Select the platform and choose the Trusted certificate profile type.
- Upload the
.cerfile and assign the profile to the target device or user groups.
Note: This profile must successfully apply to devices before proceeding to the next steps.
Step 3: Deploy the Client Certificate Profile
Create either a SCEP or PKCS certificate profile to deliver the identity certificate to the supplicant.
- Navigate to Devices > Configuration profiles > Create profile.
- Select the platform and choose either SCEP certificate or PKCS certificate.
- Configure the Subject Name format and SAN according to your identity requirements (User vs. Device).
- Specify the Key Storage Provider (KSP) — typically the Trusted Platform Module (TPM) for hardware-backed security.
- Assign the profile to the same groups targeted in Step 2.
Step 4: Configure the WiFi Profile
The final component binds the certificates to the wireless network settings.
- Navigate to Devices > Configuration profiles > Create profile.
- Select the platform and choose the Wi-Fi profile type.
- Set the Wi-Fi type to Enterprise and enter the exact SSID.
- Set the EAP type to EAP-TLS.
- Under Server Trust, specify the exact name of the RADIUS server certificate and select the Trusted Root certificate profile deployed in Step 2.
- Under Client Authentication, select the SCEP or PKCS certificate profile deployed in Step 3.
- Assign the profile to the target groups.
Best Practices & Strategic Recommendations
Device vs. User Certificates
Network architects must decide whether to issue certificates to the device (machine authentication) or the user (user authentication).
- Device Certificates: Allow the machine to connect to the WiFi network before a user logs in. This is critical for initial device provisioning, Group Policy processing, and password resets at the login screen. Recommended for corporate-owned devices.
- User Certificates: Tie network access to the individual's identity. This provides granular auditing and role-based access control. Recommended for BYOD scenarios.
Network Segmentation and Guest Access
A fundamental security principle is the strict logical separation of the corporate 802.1X network from visitor or public access networks. The Intune-managed infrastructure should be dedicated exclusively to corporate devices and authenticated staff.
For visitor access, organisations should deploy a dedicated Guest WiFi SSID backed by a captive portal. This ensures that unmanaged devices are isolated, while still allowing the business to capture visitor analytics via a WiFi Analytics platform. To learn more about securing DNS infrastructure across both segments, review our guide on how to Protect Your Network with Strong DNS and Security .
Addressing the NPS Certificate Mapping Requirement
For organisations utilising Microsoft Network Policy Server (NPS) with Azure AD-joined devices, a critical configuration change was introduced by Microsoft. NPS now requires strong certificate mapping.
When using device certificates, the computer object in the on-premises Active Directory must have its altSecurityIdentities attribute populated with the certificate's details (typically the X509IssuerSerialNumber). IT teams must implement a scheduled script or event-driven workflow to update this attribute when Intune issues a new certificate, otherwise authentication will fail.
Troubleshooting & Risk Mitigation
When an 802.1X deployment fails, the issue almost always resides in the certificate chain or the Intune profile sequencing.
Common Failure Modes
- Silent WiFi Profile Failure: If the Intune WiFi profile is applied to a device before the client certificate has been successfully provisioned, the WiFi profile will often fail to install or will fail silently. Always verify certificate presence in the device's Personal store (
certmgr.mscon Windows) before troubleshooting the WiFi configuration. - Server Trust Validation Errors: If the device rejects the RADIUS server, verify that the server name specified in the Intune WiFi profile exactly matches the Subject Name or SAN on the RADIUS server's certificate. Additionally, ensure that the entire certificate chain (Root and Intermediate) is present in the device's Trusted Root Certification Authorities store.
- Certificate Revocation List (CRL) Unavailability: If the RADIUS server cannot reach the CA's CRL distribution point to verify the client certificate's status, authentication will be denied. Ensure the CRL URL is highly available and accessible from the RADIUS server.
ROI & Business Impact
Transitioning to certificate-based WiFi authentication via Intune delivers significant operational and security returns.
- Risk Mitigation: Eliminates the risk of credential harvesting, pass-the-hash attacks, and unauthorised network access via shared PSKs.
- Operational Efficiency: Reduces IT helpdesk tickets related to password expirations and WiFi connectivity issues. The automated lifecycle management means certificates are renewed transparently without user intervention.
- Compliance Enablement: Satisfies stringent regulatory requirements. For retail environments, it directly addresses PCI DSS requirements for robust wireless encryption and authentication. For public sector and healthcare, it aligns with zero-trust network access (ZTNA) principles.
By leveraging Microsoft Intune for certificate deployment, IT teams can achieve a frictionless, highly secure wireless experience that operates silently in the background, allowing the business to focus on core operations.
关键定义
802.1X
一种 IEEE 标准,用于基于端口的网络访问控制,可防止未经授权的设备在成功进行身份验证之前访问 LAN 或 WLAN。
在企业环境中替代共享 WiFi 密码,采用企业级身份验证的基础安全协议。
EAP-TLS
可扩展身份验证协议 - 传输层安全。一种身份验证框架,要求客户端和服务器都使用数字证书证明其身份。
在 Intune WiFi 配置文件中配置的特定协议,用于强制执行相互证书身份验证,从而消除凭据被盗的风险。
SCEP
简单证书注册协议。一种机制,客户端设备生成自己的私钥,并通过中介服务器向 CA 请求证书。
BYOD 环境中首选的部署方法,因为私钥永远不会通过网络传输。
PKCS
公钥加密标准。在 Intune 上下文中,一种部署方法,其中 CA 生成私钥,Intune 连接器将其安全地传递给设备。
通常用于公司自有设备群的一种更简单的部署架构,因为它消除了对 NDES 服务器的需求。
NDES
网络设备注册服务。一种 Microsoft 服务器角色,充当代理,允许在没有域凭据的情况下运行的设备从 Active Directory 证书颁发机构获取证书。
在本地 ADCS 环境中通过 SCEP 部署证书时的必要基础设施组件。
RADIUS
远程身份验证拨入用户服务。一种网络协议,提供集中的身份验证、授权和计费 (AAA) 管理。
从 WiFi 接入点接收身份验证请求并验证设备证书的服务器(如 Microsoft NPS 或 Cisco ISE)。
Supplicant
最终用户设备(笔记本电脑、智能手机)上发起 802.1X 身份验证过程的软件客户端。
Intune WiFi 配置文件将本机 OS 请求者(例如 Windows WLAN AutoConfig)配置为使用正确的证书和 EAP 方法。
Certificate Revocation List (CRL)
由证书颁发机构发布的数字签名列表,包含已吊销且不再受信任的证书的序列号。
对于安全合规至关重要;RADIUS 服务器必须检查 CRL 以确保连接设备没有被报告丢失或被盗。
应用实例
一家拥有 400 个门店的零售连锁店正在部署用于库存管理的公司自有平板电脑。这些设备完全通过 Intune 管理并加入了 Azure AD。它们需要在启动后立即获得网络访问权限,以便在任何特定用户登录之前同步库存数据库。网络基础设施使用 Cisco ISE 作为 RADIUS 服务器。最佳的证书部署策略是什么?
IT 团队应实施 PKCS 设备证书。
- 在 CA 上配置设备证书模板。
- 通过 Intune 将根 CA 证书部署到平板电脑。
- 在 Intune 中创建 PKCS 证书配置文件,将使用者名称格式设置为 Azure AD 设备 ID({{AAD_Device_ID}})。
- 创建一个指定 EAP-TLS 的企业 WiFi 配置文件,引用 ISE 服务器的证书名称和已部署的 PKCS 配置文件。
- 将所有配置文件分配给包含平板电脑的设备组。
一家大型教学医院允许医务人员使用其个人智能手机 (BYOD) 访问临床排班应用程序。这些设备通过工作配置文件在 Intune 中注册。安全策略要求不得在个人设备上存储公司凭据,并且如果设备遭到入侵,必须立即撤销网络访问权限。应如何设计 WiFi 身份验证?
医院必须实施结合 Intune 符合性策略的 SCEP 用户证书。
- 部署 NDES 服务器以代理请求到 CA。
- 在 Intune 中创建 SCEP 用户证书配置文件,将 SAN 配置为用户主体名称 ({{UserPrincipalName}})。
- 创建一个要求最低操作系统版本、启用屏幕锁定且无越狱/root 访问的 Intune 符合性策略。
- 配置 CA 以发布高可用的证书吊销列表 (CRL)。
- 配置 RADIUS 服务器以在每次身份验证尝试时严格执行 CRL 检查。
练习题
Q1. 您的组织正在将企业 WiFi 从 PEAP-MSCHAPv2(用户名/密码)迁移到 EAP-TLS。在试点阶段,几台 Windows 11 笔记本电脑成功接收了 Intune 配置文件,但无法连接到网络。查看 Windows 事件日志显示事件 ID 20271,指示 RADIUS 服务器证书被拒绝。最可能的原因是什么?
提示:考虑相互身份验证所需的信任链。
查看标准答案
设备缺少颁发 RADIUS 服务器证书的受信任的根 CA 证书。在 EAP-TLS 中,设备必须验证 RADIUS 服务器的身份。IT 团队必须确保包含根 CA(以及任何中间 CA)的“受信任的证书”配置文件通过 Intune 部署到设备,并在 WiFi 配置文件尝试连接之前成功安装。
Q2. 一个公共部门场所正在使用 Intune 和 PKCS 证书为员工设备部署 802.1X。他们还运营着一个由 Guest WiFi 平台管理的单独访客网络。审计员指出,如果员工笔记本电脑被盗,证书仍然有效 12 个月。网络架构师应如何应对这一风险?
提示:身份验证服务器如何在证书过期前知道证书不再有效?
查看标准答案
架构师必须实施健壮的证书吊销工作流程。首先,确保 CA 将证书吊销列表 (CRL) 发布到高可用的分发点。其次,配置 RADIUS 服务器(例如 NPS)以在每次身份验证尝试时强制进行 CRL 检查。最后,建立 Intune 操作程序,以明确吊销标记为丢失或被盗的任何设备的证书,从而更新 CRL 并阻止网络访问。
Q3. 您正在为零售环境中的共享信息亭设备群设计 Intune 部署。这些设备每天重新启动,并且必须在任何用户与它们交互之前立即连接到公司网络以下载更新。您应该部署用户证书还是设备证书,以及应使用什么使用者备用名称 (SAN) 格式?
提示:考虑设备重启后立即的状态。
查看标准答案
您必须部署设备证书。由于信息亭需要在用户登录之前访问网络,因此在启动时用户证书将不可用。Intune 证书配置文件中的使用者备用名称 (SAN) 应配置为使用 Azure AD 设备 ID ({{AAD_Device_ID}}) 或设备的完全限定域名,从而允许 RADIUS 服务器验证特定的硬件资产。
继续阅读本系列
如何面向高等教育机构实施 SCEP 以实现安全的 BYOD 和网络注册
本技术指南为网络架构师和 IT 经理提供了一个与厂商无关的蓝图,用于部署基于 SCEP 的证书注册,以保障高等教育校园网络的安全。它详细介绍了如何从基于密码的 PEAP 迁移到 802.1X EAP-TLS、自动执行 BYOD 引导以及实施强大的 VLAN 细分。
Server RADIUS:面向企业的全面指南
本指南为 IT 经理、网络架构师和 CTO 提供关于企业 WiFi 的 server RADIUS 身份验证的权威技术参考。它涵盖了 AAA 框架、802.1X 架构、EAP 方法选择、云端与本地部署的权衡以及动态 VLAN 分配。酒店、零售、活动和公共部门的场所运营商将获得可行的实施指导、真实案例研究以及从不安全的预共享密钥迁移到安全的、身份驱动的网络访问控制架构所需的决策框架。
Aruba ClearPass vs. Purple WiFi: 比较功能与协同部署
一份全面的技术指南,详细介绍了 Aruba ClearPass 和 Purple WiFi 的协同部署架构。内容涵盖 RADIUS 代理配置、动态 VLAN 分配,以及在企业级 NAC 旁部署安全且由数据分析驱动的访客网络的最佳实践。