Step-by-Step Guide: Migrating Certificate-Based Wi-Fi Authentication from GPO to Microsoft Intune (2025 Edition)
Migrating from Group Policy (GPO) and on-premises PKI to Microsoft Intune for certificate-based Wi-Fi authentication can seem complex. But with Microsoft’s 2025 enhancements — including Microsoft Cloud PKI and improvements to the Intune Certificate Connector — this process is now more streamlined and secure than ever.
This guide provides detailed, step-by-step instructions to help administrators transition from traditional GPO deployments to Intune-managed certificate-based Wi-Fi authentication using EAP-TLS.
🔍 Step 1: Assess Your Current Certificate and Wi-Fi Setup
Before you migrate, gather key details about your existing infrastructure.
1.1 Review Current Components
- Certificate Authority (CA): Note whether you’re using an Enterprise CA or Standalone CA.
- RADIUS Server: Identify which Network Policy Server (NPS) or RADIUS service handles Wi-Fi authentication.
- Certificate Templates: Review templates used for Wi-Fi certificates (e.g., User or Computer Authentication).
- GPOs in Use:
  - Locate Group Policies that deploy Wi-Fi profiles or certificates.
  - Export configuration settings for reference.
1.2 Document Authentication Flow
Map how certificates are currently used for authentication:
- Devices request certificates via GPO auto-enrollment.
- RADIUS validates certificates against the CA’s root and issuing CAs.
- Wi-Fi network enforces EAP-TLS (certificate-based authentication).
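The inventory Step 1 asks for can be collected from a domain-joined client with the script below. It is an added example, not part of the original guide; it assumes an elevated PowerShell session, the GroupPolicy RSAT module for the last section, and a placeholder `$IssuingCaFilter` that you replace with a substring of your issuing CA's subject. The GPO search is a plain string match over each GPO's XML report, so treat its output as a shortlist to review by hand.

```powershell
# Added example, not part of the original guide: inventory the items Step 1 asks you to document.
# Assumptions: elevated PowerShell on a domain-joined client; GroupPolicy RSAT module installed for
# section 4; $IssuingCaFilter is a placeholder for a substring of your issuing CA's subject.
$IssuingCaFilter = 'Contoso Issuing CA'   # placeholder
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU, required for EAP-TLS

# 1. Client-auth certificates in the machine and user Personal stores issued by the on-prem CA.
Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuingCaFilter*" -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
    Select-Object @{n='Store';e={$_.PSParentPath -replace '.*::'}}, Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize

# 2. Which AD CS template issued each machine certificate. The template is carried in the
#    Certificate Template Information (1.3.6.1.4.1.311.21.7) or legacy Template Name
#    (1.3.6.1.4.1.311.20.2) extension; these are the templates GPO auto-enrollment depends on.
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $tpl = $c.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    if ($tpl) { '{0}  ->  {1}' -f $c.Subject, ($tpl.Format($false) -replace '\s+', ' ') }
}

# 3. Wi-Fi profiles on this device and the authentication each uses, exported as XML for reference.
#    (No key=clear: EAP-TLS profiles hold no passphrase, and PSK profiles should not be exported in the clear.)
$exportDir = Join-Path $env:TEMP 'wlan-profiles'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh wlan export profile folder="$exportDir" | Out-Null
foreach ($f in Get-ChildItem $exportDir -Filter *.xml) {
    [xml]$p = Get-Content $f.FullName
    $auth = $p.WLANProfile.MSM.security.authEncryption
    '{0}: {1}/{2} 802.1X={3}' -f $p.WLANProfile.name, $auth.authentication, $auth.encryption, $auth.useOneX
}

# 4. GPOs whose XML report mentions wireless or public-key policy settings (heuristic string match).
Import-Module GroupPolicy
foreach ($gpo in Get-GPO -All) {
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($xml -match 'Wireless|PublicKey|AutoEnrollment') { '{0} ({1})' -f $gpo.DisplayName, $gpo.Id }
}
```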
☁️ Step 2: Choose Your Intune Certificate Deployment Method
Microsoft Intune supports three main certificate deployment models. Choose based on your organization’s infrastructure and future plans.
| Deployment Option | Description | Best For |
| --- | --- | --- |
| Microsoft Cloud PKI | Fully managed cloud-based CA service built into Intune. No on-prem infrastructure required. | Cloud-first or hybrid organizations. |
| SCEP via Intune Certificate Connector | Uses on-prem CA with NDES integration for scalable certificate issuance. | Large hybrid organizations with existing PKI. |
| PKCS via Intune Certificate Connector | Direct connector-to-CA communication, no NDES required. | Smaller or specific certificate deployments. |
🏗️ Step 3: Set Up Microsoft Cloud PKI (Recommended Cloud-First Method)
If you’re migrating to a modern cloud-first setup, Microsoft Cloud PKI simplifies deployment by removing the dependency on on-prem servers.
3.1 Prerequisites
- Intune Suite or Cloud PKI Add-on license.
- Intune admin or Global admin permissions.
- Wi-Fi network must support EAP-TLS.
3.2 Configure Microsoft Cloud PKI
- Go to: Intune Admin Center → Tenant Administration → Cloud PKI.
- Click + Create Cloud PKI.
- Define your hierarchy:
  - Root CA Name – e.g., “Contoso Root CA – Cloud”.
  - Issuing CA Name – e.g., “Contoso Issuing CA 01”.
  - Choose Cloud Managed Root or integrate with existing on-prem trust.
  - Configure certificate lifetime (default 1 year) and renewal period.
3.3 Deploy the Root Certificate
- Navigate to Devices → Configuration Profiles → + Create Profile.
- Platform: Windows 10 and later.
- Profile type: Trusted certificate.
- Upload the exported Cloud PKI root certificate.
- Assign to All Devices or specific device groups.
🔑 Step 4: Create and Deploy a SCEP or PKCS Certificate Profile in Intune
Depending on your setup (Cloud PKI, SCEP, or PKCS), you’ll need to create a certificate deployment profile.
Option A: SCEP Certificate Profile (With NDES)
Requirements:
- On-prem Enterprise CA.
- NDES and Intune Certificate Connector installed.
- HTTPS certificate for NDES endpoint.
Setup Steps
- Install the Intune Certificate Connector on a Windows Server.
  - Download from the Intune Admin Center → Tenant Administration → Connectors and Tokens → Certificate Connector.
  - Run installer → Sign in with a Global or Intune Administrator account.
  - Verify the connector status under Connectors and Tokens.
- Install and configure NDES:
  - Add the Network Device Enrollment Service role via Server Manager.
  - Specify your Enterprise CA.
- In Intune, go to Devices → Configuration Profiles → + Create → Windows → SCEP certificate.
- Configure:
  - Subject name format: CN={{DeviceName}} or CN={{UserPrincipalName}}.
  - Key usage: Digital signature, key encipherment.
  - Root certificate: Choose the Trusted Root profile you created earlier.
  - Renewal period: e.g., 6 months before expiry.
- Assign the profile to target device groups.
Option B: PKCS Certificate Profile (Without NDES)
Requirements:
- On-prem Enterprise CA.
- Intune Certificate Connector installed (no NDES).
Setup Steps
- Install and register the Intune Certificate Connector as described above.
- In Intune:
  - Navigate to Devices → Configuration Profiles → + Create → Windows → PKCS certificate.
  - Configure:
    - Subject name format: CN={{UserPrincipalName}}.
    - Select CA and Certificate Template.
    - Add Extended Key Usages (e.g., Client Authentication).
- Assign to users or devices that need certificates.
- Validate certificate issuance via Certificates (Local Computer) → Personal → Certificates.
📶 Step 5: Configure and Deploy the Wi-Fi Profile in Intune
Once certificates are configured, create a Wi-Fi profile that uses EAP-TLS authentication.
Steps
- Navigate to Devices → Configuration Profiles → + Create → Windows → Wi-Fi.
- Enter:
  - Network name (SSID): Your corporate Wi-Fi SSID.
  - Connection type: Enterprise.
  - Security type: WPA2-Enterprise or WPA3-Enterprise.
- Under EAP type, choose EAP-TLS.
- In the Server Trust section:
  - Add your RADIUS/NPS server FQDN.
  - Upload your Trusted Root Certificate (from Cloud PKI or CA).
- Under Client Authentication, select:
  - Certificate profile: The SCEP or PKCS profile created earlier.
- Assign the profile to target device or user groups (e.g., “All Corporate Laptops”).
🧠 Step 6: Configure RADIUS or NPS for Intune Certificates
For the Wi-Fi authentication to succeed, your RADIUS/NPS must trust the issuing CA.
Steps
- On your NPS/RADIUS server:
  - Open Network Policy Server → Policies → Network Policies.
  - Edit the Wi-Fi policy used for authentication.
- Under Conditions, ensure:
  - NAS Port Type: Wireless – IEEE 802.11.
  - Authentication method: EAP (PEAP) or EAP-TLS.
- Under EAP Configuration, ensure:
  - Smart Card or other certificate (EAP-TLS) is selected.
  - The CA certificate matches the one used by Intune (Cloud PKI or On-Prem CA).
- If using Cloud PKI, import the Cloud PKI Root CA certificate into the NPS server’s Trusted Root Certification Authorities store.
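Trusting the Cloud PKI root on the NPS server and proving that an Intune-issued certificate actually chains to it can be done in one pass. This is an added example, not part of the original guide; it assumes the root and issuing CA certificates were exported from Intune, that `$SampleCer` is the public part of a certificate issued to a test device, and that all three paths are placeholders. Building the chain with online revocation checking also confirms the NPS server can reach the Cloud PKI CRL distribution point, a frequent cause of chain validation failures during EAP-TLS.

```powershell
# Added example, not part of the original guide: on the NPS server, trust the Cloud PKI root and confirm
# that an Intune-issued certificate builds a valid Client Authentication chain as Schannel will during EAP-TLS.
# Assumptions: $RootCer and $IssuingCer were exported from Cloud PKI in Intune; $SampleCer is the public
# part of a certificate issued to a test device; all three paths are placeholders.
$RootCer    = 'C:\PKI\CloudPKI-Root.cer'      # placeholder
$IssuingCer = 'C:\PKI\CloudPKI-Issuing.cer'   # placeholder
$SampleCer  = 'C:\PKI\test-device.cer'        # placeholder

# Root into Trusted Root CAs, issuing CA into Intermediate CAs. Clients normally send the issuing CA
# certificate in the EAP-TLS handshake, but having it local removes one dependency.
$root = Import-Certificate -FilePath $RootCer    -CertStoreLocation Cert:\LocalMachine\Root
$null = Import-Certificate -FilePath $IssuingCer -CertStoreLocation Cert:\LocalMachine\CA
'Trusted root installed: {0} [{1}]' -f $root.Subject, $root.Thumbprint

# Build the chain with online revocation checking and the Client Authentication application policy,
# which is what NPS requires of an EAP-TLS client certificate.
$leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SampleCer)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.2'))

if ($chain.Build($leaf)) {
    'Chain OK:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
    # Confirm the chain terminates at the root just imported rather than some other trusted CA.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) {
        Write-Warning 'Chain ends at a different root than the imported Cloud PKI root.'
    }
} else {
    Write-Warning 'Chain build failed; NPS will reject this client certificate:'
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ('  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim())
    }
}
```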
🔍 Step 7: Validate and Test
After profiles are deployed, verify that certificates and Wi-Fi connections work as expected.
Testing Checklist
- On a managed device, open Certificates → Personal Store:
  - Confirm that a valid certificate was issued by your CA or Cloud PKI.
- Connect to your Wi-Fi:
  - The connection should authenticate silently (EAP-TLS).
- In Intune:
  - Navigate to Devices → Monitor → Configuration profiles.
  - Check for successful deployments or errors.
- In Event Viewer:
  - Review logs under Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider.
  - Look for Event ID 208 or Event ID 301 for successful certificate deployment.
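The same checklist can be run from PowerShell on the managed device. This is an added example, not part of the original guide; it assumes `$IssuerFilter` is a placeholder for your Cloud PKI or on-prem issuing CA subject, uses the event IDs 208 and 301 that the guide cites, and additionally reads the WLAN-AutoConfig operational log, where 8001 records a successful connection and 8002 a failed one.

```powershell
# Added example, not part of the original guide: run on a managed device to work through the Step 7
# checklist from the command line. Assumptions: $IssuerFilter is a placeholder for your issuing CA subject;
# 208/301 are the MDM events the guide cites; WLAN-AutoConfig 8001/8002 are connection success/failure.
$IssuerFilter  = 'Contoso Issuing CA'   # placeholder
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapTlsCandidate {
    # Newest Client Authentication certificate from the expected CA in either Personal store.
    Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerFilter*" -and
                       $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 1. Certificate present, usable, and not about to expire.
$cert = Get-EapTlsCandidate
if (-not $cert) { Write-Warning "No Client Authentication certificate issued by '$IssuerFilter' found."; return }
'Subject        : {0}' -f $cert.Subject
'Issuer         : {0}' -f $cert.Issuer
'Has private key: {0}' -f $cert.HasPrivateKey    # EAP-TLS cannot use a certificate without its key
'Days to expiry : {0}' -f [int]($cert.NotAfter - (Get-Date)).TotalDays
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { 'SAN            : {0}' -f $san.Format($false) }

# 2. Intune MDM diagnostics: the events the guide names (208, 301), last 24 hours.
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Id = 208, 301; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }} | Format-Table -Wrap

# 3. Wi-Fi connection result: 8001 = connected, 8002 = connection failed, last two hours.
$wlanLog = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $wlanLog; Id = 8001, 8002; StartTime = (Get-Date).AddHours(-2) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }} | Format-Table -Wrap

# 4. Current interface state; Authentication should show WPA2-Enterprise or WPA3-Enterprise, not a PSK mode.
netsh wlan show interfaces | Select-String 'SSID|State|Authentication|Cipher'
```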
🧰 Step 8: Decommission Legacy GPO Certificate Policies
Once you confirm successful authentication:
- Disable old GPOs that deploy Wi-Fi or certificate policies.
- Remove auto-enrollment settings from Group Policy (under Computer Configuration → Windows Settings → Security Settings → Public Key Policies).
- Update documentation to reflect new Intune-based certificate management.
🛡️ Step 9: Apply Security and Monitoring Best Practices (2025 Updates)
- Enable Certificate Lifecycle Monitoring: In Cloud PKI, enable automatic certificate renewal alerts and expiration reports.
- Use Conditional Access Policies: Require certificate-based authentication for device access to critical resources.
- Automate Certificate Revocation: Integrate Cloud PKI with Microsoft Defender for Endpoint to revoke certificates if a device is compromised.
- Deploy Redundant Certificate Connectors: For hybrid setups, install multiple connectors in different data centers for high availability.
- Audit Certificate Activity: Regularly review Intune audit logs and PKI issuance logs for anomalies.
✅ Final Verification and Maintenance
Once migrated:
- Test connectivity across device types (Windows, macOS, iOS, Android).
- Ensure RADIUS continues to validate Cloud PKI or SCEP-issued certificates.
- Review Intune reporting for certificate deployment metrics.
- Periodically back up certificate templates, CA configuration, and Intune policy exports.
🧭 Summary: Choosing the Right Certificate Path
| Deployment Type | Requires On-Prem CA | Requires NDES | Best For | 2025 Feature Highlights |
| --- | --- | --- | --- | --- |
| Microsoft Cloud PKI | ❌ No | ❌ No | Cloud-first organizations | Auto-renewal, built-in monitoring, zero-trust integration |
| SCEP with NDES | ✅ Yes | ✅ Yes | Hybrid enterprises | Large-scale automation, works with existing CA |
| PKCS | ✅ Yes | ❌ No | Small or user-specific use cases | Simpler setup, limited scalability |
🔗 Helpful Resources
- Microsoft Cloud PKI Overview
- Configure SCEP with NDES in Intune
- Deploy PKCS Certificates in Intune
- Configure Wi-Fi Profiles in Intune
By following this detailed step-by-step approach, you can modernize your certificate deployment and Wi-Fi authentication using Intune — ensuring a secure, scalable, and fully cloud-integrated solution that aligns with Microsoft’s Zero Trust security model for 2025 and beyond.