top of page
Copy of data center.jpg

Welcome to ECS LEAD

Your Trusted Microsoft Partner

5 min read

Streamline Your EAP-TLS WiFi Deployment with Intune: Best Practices for Success

Why EAP-TLS for Secure WiFi?

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is one of the most secure methods for authenticating devices and users on a WiFi network. Unlike traditional methods like WPA2-PSK, which relies on shared passwords, EAP-TLS uses certificate-based authentication. This ensures a higher level of security by verifying the identity of both the user and the network.

The major benefit of EAP-TLS is that it eliminates the need for password management. With certificates, there’s no risk of passwords being guessed, stolen, or shared. EAP-TLS makes the entire authentication process more secure and scalable, especially for businesses that need to manage multiple users and devices on their WiFi networks.


A computer screen displaying lines of colorful code in various programming languages, including HTML and PHP. The code is well-structured and shows different elements of a webpage.

Setting Up Your PKI for EAP-TLS WiFi

A strong EAP-TLS setup relies on having a solid Public Key Infrastructure (PKI) in place. Your PKI should be designed to issue and manage the certificates that your devices and users will use for WiFi authentication.


Preparing Your Internal PKI

To implement EAP-TLS, you first need to ensure that your internal PKI is configured properly. The PKI includes a Certificate Authority (CA) that issues certificates for users and devices. You’ll need both Root and Intermediate Certificates to ensure a full trust chain, allowing your client devices to verify that the certificates are valid and trustworthy.


Understanding Root and Intermediate Certificates

Root certificates are the top-level certificates in a PKI hierarchy and must be trusted by all devices. Intermediate certificates, on the other hand, are signed by the root certificate and help delegate trust. Both of these are crucial for establishing a trusted connection between your WiFi clients and the network.


Key Role of NPS Server in WiFi Authentication

The Network Policy Server (NPS) serves as the authentication server in an EAP-TLS setup. It checks whether the client certificates match the defined policies. Your NPS server should be configured to validate the certificates using trusted Root and Intermediate Certificates from your PKI or a third-party provider, like GoDaddy.


Configuring the EAP-TLS WiFi Profile in Intune

To manage devices and deploy WiFi profiles at scale, Microsoft Intune is a powerful tool. You can create an EAP-TLS WiFi profile and push it to all managed devices, ensuring consistent authentication settings across your organization.

Step-by-Step Guide to Creating a WiFi Profile in Intune

  1. Open Intune: Navigate to the Microsoft Endpoint Manager admin center and create a new WiFi Profile.

  2. Configure Basic WiFi Settings: Set the network name (SSID), security type (EAP-TLS), and other necessary network details.

  3. Add Certificates: Under the Root Certificate for Server Validation section, add the necessary Root and Intermediate certificates from your PKI.

  4. Assign Profile: Once your profile is configured, assign it to user groups or devices in Intune.


Adding and Assigning Certificates in Intune

When configuring the profile, you need to upload your Root and Intermediate Certificates as Trusted Certificate Profiles in Intune. These certificates will be pushed to the devices, ensuring they can trust the WiFi network. Make sure the certificates are in the correct format (like .cer) and are correctly linked to your WiFi profile.


Windows 11 vs. Windows 10: Solving Compatibility Challenges

You may notice that your EAP-TLS WiFi profile behaves differently on Windows 11 and Windows 10 devices. This difference is often related to how these two versions handle trusted certificates.


Differences in Certificate Handling Between Windows 10 and 11

On Windows 11, the GoDaddy root certificates, which are required for your NPS server, may automatically work without additional configuration. However, Windows 10 tends to be more restrictive and requires that certain certificates, like Go Daddy Class 2 Certification Authority and Go Daddy Root Certificate Authority – G2, be explicitly trusted.

This discrepancy often causes the WiFi profile to work smoothly on Windows 11 but fail on Windows 10 until the GoDaddy certificates are manually trusted on each device.


A Quick Fix: Automating Certificate Trust in Windows 10

To address this issue on Windows 10, you can automate the process of trusting the GoDaddy certificates. There are two effective ways to do this:

  1. PowerShell Script: You can deploy a PowerShell script through Intune that automatically trusts the GoDaddy certificates on Windows 10 devices. This script will check the appropriate certificate boxes, ensuring they are trusted.

  2. Configuration Profile: You can create a configuration profile in Intune specifically for Windows 10 devices. This profile will include the trusted certificates and force them to be applied during the profile deployment.

Both options ensure that the certificates are automatically trusted, so you don't have to rely on manual intervention for each device.


A modern workspace featuring an iMac on a wooden desk with a clean and minimalist setup. The computer screen displays the words 'Do More' in bold white text, while a glass of water, plants, and office supplies are neatly arranged in the background.

Importing and Deploying GoDaddy Certificates in Intune

If your NPS server is using a GoDaddy certificate, you’ll need to download the appropriate certificates from GoDaddy and deploy them through Intune.

How to Correctly Extract and Upload the GoDaddy Certificates

  1. Download the SSL ZIP: Go to your GoDaddy account and download the SSL ZIP file for your NPS server.

  2. Extract the Certificates: Inside the ZIP file, you’ll find several certificates, including the Root and Intermediate certificates. Extract these certificates from the gd-g2_iis_intermediates.p7b file.

  3. Upload to Intune: In Intune, create new Trusted Certificate Profiles for the GoDaddy Root and Intermediate certificates. Make sure each certificate is added as a separate profile.


Linking GoDaddy Certificates to the WiFi Profile

Once you’ve uploaded the GoDaddy certificates, go back to the EAP-TLS WiFi profile you created in Intune. Under Root Certificates for Server Validation, add the GoDaddy Root and Intermediate certificate profiles you just created. This step is essential to ensure that your devices can validate the NPS server’s GoDaddy certificate during the authentication process.


Deploying to Multiple Devices: Key Considerations

When deploying WiFi profiles to a large number of devices, especially across different operating systems, you need to take a few key considerations into account. Ensuring smooth deployment requires careful planning and testing.


Managing Large-Scale Deployments with Intune

Intune allows you to manage deployments at scale, making it ideal for companies with a large number of devices. You can assign WiFi profiles to entire groups or specific users. However, when deploying EAP-TLS WiFi profiles with certificates, it’s essential to make sure the correct certificates are pushed to all devices, as missing certificates can cause the WiFi profile to fail.


Here’s where ECS LEAD can help. At ECS LEAD, we specialize in helping organizations streamline their Intune deployments. Whether you’re setting up WiFi profiles, deploying certificates, or configuring security settings, our team has the experience and tools to make sure your deployment is smooth and error-free. Reach out to us if you need expert help with your Intune WiFi profile setup!


Testing Profiles on Different Devices Before Full Rollout

Before pushing the WiFi profile to all devices, it’s important to test it on a small group of users or devices. Test the deployment on both Windows 10 and Windows 11 devices to ensure the certificates are applied correctly and that users can connect to the WiFi network without issues.


Final Tips for a Smooth EAP-TLS WiFi Deployment

Deploying EAP-TLS WiFi profiles with Intune can provide a secure and scalable solution for your organization, but it requires careful attention to detail. Here are a few final tips to ensure your deployment goes smoothly:


Ensuring Regular Certificate Updates

Certificates have an expiration date, and it’s crucial to monitor when they will expire. Set reminders to renew and redeploy certificates before they expire to avoid disruptions in WiFi connectivity.


Keeping Profiles and Certificates Synced Across Environments

When you update your certificates or make changes to your WiFi profiles, ensure that all devices are receiving these updates. Intune provides detailed monitoring and reporting, so use these tools to track the deployment status of your profiles and certificates.


Creating Fallback Plans for Certificate Issues

Even with the best planning, certificate issues can still occur. Have a fallback plan in place, such as a secondary WiFi network that uses a simpler authentication method. This ensures that users can still connect to the network in case of certificate-related problems.

A sleek and modern office environment with a cool blue tone, featuring rows of clean white workstations and comfortable office chairs. The floor has a glossy finish that reflects the light streaming in from the large windows, creating a bright and airy atmosphere. The office is currently empty, highlighting the organized and minimalistic design aesthetic.

Find Your Cloud Fit

Looking for the ideal cloud solution that elevates your business? Our experts are ready to guide you to the perfect match. Whether it’s clarifying options or addressing specific needs, we’re here to streamline your journey to the cloud.

bottom of page