如何使用 Microsoft Intune 將 WiFi 憑證推送到裝置
針對 IT 主管在透過 Microsoft Intune 部署 802.1X WiFi 憑證時的完整技術參考指南。內容涵蓋 SCEP 與 PKCS 架構、實作步驟、合規性對應,以及企業環境中的實際部署情境。
收聽此指南
查看播客逐字稿
- Executive Summary
- Technical Deep-Dive: Architecture and Protocols
- The 802.1X Authentication Framework
- EAP-TLS and Mutual Authentication
- Intune Certificate Deployment Mechanisms: SCEP vs PKCS
- Implementation Guide: Step-by-Step Deployment
- Step 1: Prepare the Public Key Infrastructure (PKI)
- Step 2: Deploy the Trusted Root Certificate
- Step 3: Deploy the Client Certificate Profile
- Step 4: Configure the WiFi Profile
- Best Practices & Strategic Recommendations
- Device vs. User Certificates
- Network Segmentation and Guest Access
- Addressing the NPS Certificate Mapping Requirement
- Troubleshooting & Risk Mitigation
- Common Failure Modes
- ROI & Business Impact

Executive Summary
For enterprise IT leaders managing large-scale environments across Hospitality , Retail , or public-sector venues, secure wireless access is a baseline operational requirement. Relying on shared PSKs (Pre-Shared Keys) or username/password authentication (PEAP-MSCHAPv2) exposes the network to credential theft, phishing, and compliance failures. The industry standard for robust enterprise WiFi security is 802.1X with EAP-TLS (Extensible Authentication Protocol with Transport Layer Security), which mandates mutual certificate-based authentication between the device and the network.
However, the primary barrier to EAP-TLS adoption has historically been the operational overhead of certificate lifecycle management. Microsoft Intune resolves this by automating the delivery, renewal, and revocation of digital certificates to managed devices at scale.
This technical reference details the architecture, deployment methodologies (SCEP vs PKCS), and implementation steps required to push WiFi certificates via Microsoft Intune. It provides actionable guidance for network architects and systems engineers tasked with securing corporate communications while maintaining strict separation from visitor networks, such as those managed by a Guest WiFi platform.
Technical Deep-Dive: Architecture and Protocols
To implement certificate-based authentication effectively, IT teams must understand the interaction between the Mobile Device Management (MDM) platform, the Public Key Infrastructure (PKI), and the network access control layer.
The 802.1X Authentication Framework
The IEEE 802.1X standard defines port-based network access control. In a wireless context, it prevents a device from passing any traffic (other than EAP authentication frames) until its identity is verified. The architecture consists of three components:
- Supplicant: The client device (laptop, smartphone, tablet) requesting network access.
- Authenticator: The wireless access point or wireless LAN controller that blocks traffic until authentication succeeds.
- Authentication Server: The RADIUS (Remote Authentication Dial-In User Service) server, such as Microsoft Network Policy Server (NPS) or Cisco ISE, which validates the credentials and authorises access.
EAP-TLS and Mutual Authentication
EAP-TLS is the most secure EAP method because it requires mutual authentication. The RADIUS server presents its certificate to the supplicant to prove it is the legitimate corporate network (preventing evil-twin attacks), and the supplicant presents its client certificate to the RADIUS server to prove it is an authorised device or user.

Intune Certificate Deployment Mechanisms: SCEP vs PKCS
Microsoft Intune supports two primary protocols for deploying client certificates to devices. Selecting the appropriate mechanism is a critical architectural decision.
Simple Certificate Enrollment Protocol (SCEP)
With SCEP, the private key is generated directly on the client device. The device creates a Certificate Signing Request (CSR) and submits it via Intune to the Network Device Enrollment Service (NDES) server, which acts as a proxy to the Active Directory Certificate Services (ADCS) infrastructure. The CA issues the certificate, which is returned to the device.
Because the private key never leaves the device, SCEP is considered highly secure and is the recommended approach for BYOD (Bring Your Own Device) deployments and zero-trust architectures.
Public Key Cryptography Standards (PKCS)
With PKCS, the Intune Certificate Connector requests the certificate from the CA on behalf of the device. The CA generates both the public certificate and the private key, which the connector then securely delivers to the device via Intune.
While PKCS simplifies the infrastructure requirements (no NDES server is needed), the private key is transmitted across the network. This model is generally acceptable for corporate-owned, fully managed device fleets where the MDM platform is already a highly trusted component.

Implementation Guide: Step-by-Step Deployment
Deploying Wi-Fi certificates via Intune requires precise sequencing. Deploying profiles out of order is the most common cause of implementation failure.
Step 1: Prepare the Public Key Infrastructure (PKI)
Whether utilising on-premises ADCS or a cloud-native solution like Microsoft Cloud PKI, the Certificate Authority must be configured with the appropriate templates.
- Key Usage: The template must include the
Client AuthenticationOID (1.3.6.1.5.5.7.3.2). - Key Size: Configure a minimum key size of 2048 bits (RSA) to align with modern cryptographic standards.
- Subject Name: For user certificates, the Subject Alternative Name (SAN) should be configured to use the User Principal Name (UPN). For device certificates, use the Azure AD Device ID.
Step 2: Deploy the Trusted Root Certificate
Before a device can authenticate, it must trust the CA that issued the RADIUS server's certificate.
- Export the Root CA certificate (and any intermediate CA certificates) in
.cerformat. - In the Intune admin centre, navigate to Devices > Configuration profiles > Create profile.
- Select the platform and choose the Trusted certificate profile type.
- Upload the
.cerfile and assign the profile to the target device or user groups.
Note: This profile must successfully apply to devices before proceeding to the next steps.
Step 3: Deploy the Client Certificate Profile
Create either a SCEP or PKCS certificate profile to deliver the identity certificate to the supplicant.
- Navigate to Devices > Configuration profiles > Create profile.
- Select the platform and choose either SCEP certificate or PKCS certificate.
- Configure the Subject Name format and SAN according to your identity requirements (User vs. Device).
- Specify the Key Storage Provider (KSP) — typically the Trusted Platform Module (TPM) for hardware-backed security.
- Assign the profile to the same groups targeted in Step 2.
Step 4: Configure the WiFi Profile
The final component binds the certificates to the wireless network settings.
- Navigate to Devices > Configuration profiles > Create profile.
- Select the platform and choose the Wi-Fi profile type.
- Set the Wi-Fi type to Enterprise and enter the exact SSID.
- Set the EAP type to EAP-TLS.
- Under Server Trust, specify the exact name of the RADIUS server certificate and select the Trusted Root certificate profile deployed in Step 2.
- Under Client Authentication, select the SCEP or PKCS certificate profile deployed in Step 3.
- Assign the profile to the target groups.
Best Practices & Strategic Recommendations
Device vs. User Certificates
Network architects must decide whether to issue certificates to the device (machine authentication) or the user (user authentication).
- Device Certificates: Allow the machine to connect to the WiFi network before a user logs in. This is critical for initial device provisioning, Group Policy processing, and password resets at the login screen. Recommended for corporate-owned devices.
- User Certificates: Tie network access to the individual's identity. This provides granular auditing and role-based access control. Recommended for BYOD scenarios.
Network Segmentation and Guest Access
A fundamental security principle is the strict logical separation of the corporate 802.1X network from visitor or public access networks. The Intune-managed infrastructure should be dedicated exclusively to corporate devices and authenticated staff.
For visitor access, organisations should deploy a dedicated Guest WiFi SSID backed by a captive portal. This ensures that unmanaged devices are isolated, while still allowing the business to capture visitor analytics via a WiFi Analytics platform. To learn more about securing DNS infrastructure across both segments, review our guide on how to Protect Your Network with Strong DNS and Security .
Addressing the NPS Certificate Mapping Requirement
For organisations utilising Microsoft Network Policy Server (NPS) with Azure AD-joined devices, a critical configuration change was introduced by Microsoft. NPS now requires strong certificate mapping.
When using device certificates, the computer object in the on-premises Active Directory must have its altSecurityIdentities attribute populated with the certificate's details (typically the X509IssuerSerialNumber). IT teams must implement a scheduled script or event-driven workflow to update this attribute when Intune issues a new certificate, otherwise authentication will fail.
Troubleshooting & Risk Mitigation
When an 802.1X deployment fails, the issue almost always resides in the certificate chain or the Intune profile sequencing.
Common Failure Modes
- Silent WiFi Profile Failure: If the Intune WiFi profile is applied to a device before the client certificate has been successfully provisioned, the WiFi profile will often fail to install or will fail silently. Always verify certificate presence in the device's Personal store (
certmgr.mscon Windows) before troubleshooting the WiFi configuration. - Server Trust Validation Errors: If the device rejects the RADIUS server, verify that the server name specified in the Intune WiFi profile exactly matches the Subject Name or SAN on the RADIUS server's certificate. Additionally, ensure that the entire certificate chain (Root and Intermediate) is present in the device's Trusted Root Certification Authorities store.
- Certificate Revocation List (CRL) Unavailability: If the RADIUS server cannot reach the CA's CRL distribution point to verify the client certificate's status, authentication will be denied. Ensure the CRL URL is highly available and accessible from the RADIUS server.
ROI & Business Impact
Transitioning to certificate-based WiFi authentication via Intune delivers significant operational and security returns.
- Risk Mitigation: Eliminates the risk of credential harvesting, pass-the-hash attacks, and unauthorised network access via shared PSKs.
- Operational Efficiency: Reduces IT helpdesk tickets related to password expirations and WiFi connectivity issues. The automated lifecycle management means certificates are renewed transparently without user intervention.
- Compliance Enablement: Satisfies stringent regulatory requirements. For retail environments, it directly addresses PCI DSS requirements for robust wireless encryption and authentication. For public sector and healthcare, it aligns with zero-trust network access (ZTNA) principles.
By leveraging Microsoft Intune for certificate deployment, IT teams can achieve a frictionless, highly secure wireless experience that operates silently in the background, allowing the business to focus on core operations.
關鍵定義
802.1X
一項用於基於連接埠之網路存取控制的 IEEE 標準,可防止未經授權的裝置存取區域網路 (LAN) 或無線區域網路 (WLAN),直到其成功通過驗證。
在企業環境中,以企業級驗證取代共享 WiFi 密碼的基礎安全性協定。
EAP-TLS
採用傳輸層安全性的可延伸驗證協定。一種驗證架構,要求用戶端和伺服器雙方皆必須使用數位憑證來證明其身分。
在 Intune WiFi 設定檔中設定的特定協定,用於強制執行雙向憑證驗證,消除憑證被盜的風險。
SCEP
簡單憑證登冊協定。一種機制,用戶端裝置會自行產生私鑰,並透過中介伺服器向憑證授權單位 (CA) 要求憑證。
BYOD 環境的首選部署方法,因為私鑰絕不會透過網路傳輸。
PKCS
公鑰加密標準。在 Intune 的情境中,這是一種部署方法,由 CA 產生私鑰,並由 Intune Connector 安全地將其傳遞至裝置。
常用於企業專屬裝置群的較簡單部署架構,因為它不需要 NDES 伺服器。
NDES
網路裝置登冊服務。一種 Microsoft 伺服器角色,充當 Proxy 代理程式,允許在沒有網域認證的情況下執行的裝置從 Active Directory 憑證授權單位取得憑證。
在內部部署 ADCS 環境中透過 SCEP 部署憑證時,不可或缺的基礎架構元件。
RADIUS
遠端使用者撥入驗證服務。一種網路協定,提供集中式的驗證、授權和計費 (AAA) 管理。
從 WiFi 存取點接收驗證要求並驗證裝置憑證的伺服器(例如 Microsoft NPS 或 Cisco ISE)。
Supplicant
終端使用者裝置(筆記型電腦、智慧型手機)上的軟體用戶端,用於啟動 802.1X 驗證程序。
Intune WiFi 設定檔會設定原生作業系統用戶端(例如 Windows WLAN AutoConfig)以使用正確的憑證和 EAP 方法。
Certificate Revocation List (CRL)
由憑證授權單位發佈的數位簽署清單,其中包含已撤銷且不應再受信任的憑證序號。
對於安全性合規至關重要;RADIUS 伺服器必須檢查 CRL,以確保連線的裝置未被回報遺失或遭竊。
範例
一家擁有 400 個據點的零售連鎖店正在部署公司擁有的平板電腦以進行庫存管理。這些裝置完全透過 Intune 管理並加入 Azure AD。裝置在開機後需要立即存取網路以同步庫存資料庫,且必須在任何特定使用者登入之前完成。網路基礎架構使用 Cisco ISE 作為 RADIUS 伺服器。最佳的憑證部署策略是什麼?
IT 團隊應實作 PKCS 裝置憑證。
- 在憑證授權單位 (CA) 上設定裝置憑證範本。
- 透過 Intune 將根 CA 憑證部署到平板電腦。
- 在 Intune 中建立 PKCS 憑證設定檔,將主體名稱格式設定為 Azure AD 裝置識別碼 ({{AAD_Device_ID}})。
- 建立指定 EAP-TLS 的企業 WiFi 設定檔,並參照 ISE 伺服器的憑證名稱和已部署的 PKCS 設定檔。
- 將所有設定檔指派給包含平板電腦的裝置群組。
一家大型教學醫院允許醫療人員使用其個人智慧型手機 (BYOD) 存取臨床排班應用程式。這些裝置透過工作設定檔 (Work Profile) 註冊於 Intune 中。安全性原則規定個人裝置上不得儲存任何公司認證,且如果裝置遭到入侵,必須立即撤銷其網路存取權限。應如何設計 WiFi 驗證?
醫院必須實作 SCEP 使用者憑證,並結合 Intune 合規性原則。
- 部署 NDES 伺服器以將請求代理至 CA。
- 在 Intune 中建立 SCEP 使用者憑證設定檔,並將 SAN 設定為使用者主體名稱 ({{UserPrincipalName}})。
- 建立 Intune 合規性原則,要求最低作業系統版本、啟用的螢幕鎖定,且無越獄/Root 權限。
- 設定 CA 以發佈高可用性的憑證撤銷清單 (CRL)。
- 設定 RADIUS 伺服器,在每次驗證嘗試時嚴格執行 CRL 檢查。
練習題
Q1. 您的組織正在將企業 WiFi 從 PEAP-MSCHAPv2(使用者名稱/密碼)遷移到 EAP-TLS。在試行階段,數台 Windows 11 筆記型電腦成功接收了 Intune 設定設定檔,但無法連線到網路。檢視 Windows 事件檢視器顯示事件識別碼 20271,指出 RADIUS 伺服器憑證遭到拒絕。最可能的原因是什麼?
提示:考慮雙向驗證所需的信任鏈。
查看標準答案
裝置缺少簽發 RADIUS 伺服器憑證的受信任根憑證授權單位(Root CA)憑證。在 EAP-TLS 中,裝置必須驗證 RADIUS 伺服器的身分。IT 團隊必須確保包含根 CA(以及任何中介 CA)的「受信任憑證」設定檔已透過 Intune 部署到裝置並成功安裝,然後 WiFi 設定檔才能嘗試連線。
Q2. 某公部門場域正在使用 Intune 和 PKCS 憑證為員工裝置部署 802.1X。他們還營運一個由 Guest WiFi 平台管理的獨立訪客網路。稽核員指出,如果員工筆記型電腦失竊,該憑證在 12 個月內仍然有效。網路架構師應如何因應此風險?
提示:驗證伺服器如何在憑證過期前得知其已不再有效?
查看標準答案
架構師必須實作健全的憑證撤銷工作流程。首先,確保 CA 將憑證撤銷清單(CRL)發佈到高可用性的發佈點。其次,設定 RADIUS 伺服器(例如 NPS)在每次驗證嘗試期間強制進行 CRL 檢查。最後,建立 Intune 營運程序,明確撤銷任何標記為遺失或遭竊裝置的憑證,這將更新 CRL 並封鎖網路存取。
Q3. 您正在為零售環境中的一批共享 Kiosk 裝置設計 Intune 部署。這些裝置每天都會重新啟動,且必須在任何使用者與其互動之前立即連線到企業網路以下載更新。您應該部署「使用者憑證」還是「裝置憑證」?應使用何種主體別名(SAN)格式?
提示:考慮裝置重新啟動後立即處於的狀態。
查看標準答案
您必須部署「裝置憑證」。因為 Kiosk 裝置在使用者登入前需要網路存取權限,所以使用者憑證在開機時將無法使用。Intune 憑證設定檔中的主體別名(SAN)應設定為使用 Azure AD 裝置識別碼({{AAD_Device_ID}})或裝置的完整網域名稱,以便 RADIUS 伺服器驗證特定的硬體資產。
繼續閱讀本系列
如何在大專院校實施 SCEP 以實現安全的 BYOD 與網路註冊
本技術指南為網路架構師和 IT 經理提供了一個與廠商無關的藍圖,用於部署基於 SCEP 的憑證註冊,以保護大專院校校園網路的安全。它詳細介紹了如何從基於密碼的 PEAP 遷移到 802.1X EAP-TLS、自動化 BYOD 註冊,以及實施強大的 VLAN 區隔。
Server RADIUS:企業的完整指南
本指南為 IT 經理、網路架構師和 CTO 提供企業級 WiFi 的 Server RADIUS 驗證權威技術參考。內容涵蓋 AAA 架構、802.1X 架構、EAP 方法選擇、雲端與地端部署權衡,以及動態 VLAN 分配。飯店、零售、活動和公共部門等場域營運商將能在此獲得實用的實作指南、真實案例研究,以及從不安全的預共用金鑰移轉至安全、識別導向之網路存取控制架構所需的決策框架。
Aruba ClearPass vs. Purple WiFi: 比較功能與協同部署
一份詳盡的技術指南,深入剖析 Aruba ClearPass 與 Purple WiFi 的協同部署架構。內容涵蓋 RADIUS 代理設定、動態 VLAN 分配,以及在企業級網路存取控制(NAC)旁,提供安全且具備分析功能的訪客網路之最佳實踐。