This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 87%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Dear PPL,
I need to sort out some confusions about InTune Certificate Connector. I had a bit reading all over the place about setting this connector.
Currently, some of my clients are only deploy GPO & Configuration profile with uploading a rootCA cert file for 802.1x Wifi Domain JOined PC... It works fine.
Now I just learnt that Intune Connector (SCEP & PKCS) with nDES can do the similar with more secure fashion to InTune Enrolled Devices.
Now, I can go ahead setting it up, but when we actually roll out the 801.x wifi policy for Domain Joined PC or Macs (Radius server: MS NPS), would we would still need RootCA cert file ? or We can somehow select PKCS cert that generated on InTune? If we still need RootCa cert, it is kind of pointless to do this, am I right?
In another word, NPS won't be able to authenticate by PKCS certificate to allow Domain Joined Device to connect Wifi, NPS would still need to authenticate with a RootCA preloaded to only AD existed devices (Windows & Mac) Right?
Anyone can help me to understand ?
Thanks a lot
Larry
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Namless Shelter, Thanks for posting in Q&A. For root CA certificate, I would like to say yes, you would still need the Root CA cert file for the 802.1x wifi policy for Domain Joined PC or Macs. The Root CA cert establishes trust from the device to the issuing CA from which the other certificates are issued. While Intune supports SCEP and PKCS certificate profiles, the trusted root certificate must still be deployed to the same devices and users that receive the certificate profiles for SCEP and PKCS. Therefore, it is not pointless to set up the Intune Connector for SCEP and PKCS. NPS would still need to authenticate with a Root CA preloaded to only AD existed devices (Windows & Mac) to allow Domain Joined Devices to connect to Wifi.
SCEP and PKCS are both certificate profiles in Intune used to provision certificates on devices for authentication. The main difference between the two is that SCEP provisions unique certificates for each request, while PKCS provisions each device with a unique certificate. SCEP can also be used to provision certificates on user-less devices like kiosks. On the other hand, PKCS can deploy a certificate type of either user or device, with user certificates requiring user affinity.Here are links with mroe details.
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Namless Shelter, Hope the above information can help. If there's anything else, we can help, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 59%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
@Crystal-MSFT I may be asking this on the wrong question or should have put this on it's own and I may be asking a silly question.
Background: I am currently in the process of utilizing Microsoft's new Cloud PKI to publish the certificates to be used for 802.1x authentication. I have the Root CA and Issuing CA set up and a successful SCEP Certificate Profile created to generate the certificate for the end user device.
I get authentication failed from the Radius Server.
Error 1: The error in the Radius event view is the 65 error code stating "The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission." I have checked to find that the NPS policy has the checkbox set to ignore the dial in properties and the user's dial in properties are set to "control access through nps policy". How do I fix this error?
Error 2: The other error seems that the certificate is not validated as the certificate on the machine is provided via scep and is different than the certificate expected by the radius server. I installed the certificate downloaded from the issuing ca in the Cloud PKI Dashboard. What am I missing here?
Thank you for any assistance.