This post is a brief summary of establishing network connection (wired or wireless network) on Intune managed devices, from my experience.


-Azure AD only joined devices are not present in Active Directory and therefore certificates can not be issued by the PKI, resulting that clients can not authenticate with a certificate.

-Your network is one layer of your security perimeter and should be protected.

-Additionally, the configuration must be accomplished with Intune.

Solutions for network authentication

  • Open (no authentication)
  • Pre-shared key (password)
  • Certificate authentication <- this posts focus
  • User authentication with username + password
User authentication by providing credentials with SSO will not work if you have Credential Guard activated. It is recommended to move from MSCHAPv2-based connections to certificate-based authentication.

Background: Kerberos unconstrained delegation cloud allow attackers to extract Kerberos keys from the isolated LSA process. NTLMv1 classic authentication is attackable. Learn more from the Microsoft docs

Certificate-based authentication

My recommendation is to achieve authentication to your corporate network through certificates, because it is the most secure way. Even though you need some technical prerequisites in place:

  • Certificate deployment to clients - PKCS or NDES Intune
My recommendation is to implement PKCS, read the blog post:
Intune certificate deployment overview
💡Microsoft announced “cloud certification management” capabilities for the Intune suite to come in the second half of 2023. This could significantly simplify Intune certificate management.Introduction Authentication with certificates is considered as very secure and seamless for the user. Simply pu…
  • Network profile configuration deployed from Intune
  • Trusted Root certificate deployed to your clients (from the CA and authentication service server certificate)
  • Configuration from your network devices / RADIUS setup

Network authentication

Another challenge is the configuration from the network side. Your clients typically talk EAP (TLS) with the end network device which could be an access point or switch and these then forward the request to a central component, that can handle RadSec or RADIUS protocols in order to validate the authentication request.
There are multiple validation techniques available, depending on the product and vendor. But to verify the request, the network component can do one or more of these checks:

  • Verify the client certificate if it was issued by a trusted certification authority
  • Check the Subject (Alternative) Name -> here it is important to configure these right in the Intune profile (correct attribute such as DNS)
  • Confirm if an Azure AD device object exists (requires integration, usually Enterprise Application to view devices)
  • Check the compliance state of the device (also requires an integration to Azure AD)

Intune profiles

You need the following profile types:

  • Trusted Root and Intermediate certificates (trust chain must be complete)
  • PKCS or SCEP for certificate deployment
  • Wi-Fi or wired network

See some samples:

Endpoint Management with Microsoft Intune
Ever wanted a full tutorial how to deal with Microsoft Autopilot Intune Technology? Well here it is!
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.