Can’t get Wi-Fi or VPN profile with certificate based authentication to work on Windows Phone 10?
~ Karan Rustagi
Consider a scenario where a Wi-Fi or VPN profile is pushed to a Windows Phone 10 device via Configuration Manager or Intune. The profile is configured to authenticate with a certificate issued through a SCEP profile. You can see the profile on the device, but it fails to connect. Thanks to a colleague in the Windows Phone team who suggested this can happen when more than one certificate on the device shares at least one Enhanced Key Usage (Application Policy) with the certificate pushed via the SCEP profile: the device then cannot tell which certificate the profile should use. You can check this by installing the Certificates application from the Store on the device and looking under the Personal store.
What’s the solution?
You can fix the problem by adding a unique Application Policy to the certificate template and configuring the profile to use it. See the detailed steps below. I’ll use a Wi-Fi profile in Configuration Manager as an example.
1. Edit the certificate template used in the SCEP profile.
2. Select Application Policies and click on Edit.
3. Click on Add.
4. Click on New and type a Name. Copy and paste the Object Identifier into a txt file; you will need it later. Click on OK and OK again.
5. Select the newly added Application Policy and click on OK.
6. You should now see the new Application Policy listed along with the existing ones. Click on OK.
7. Click on Apply and then OK.
8. Open the Configuration Manager console. Refresh the certificate template in the SCEP profile linked to the Wi-Fi profile. You should now see the newly added OID (Step 4) under Enhanced Key Usage. Click on Apply and OK.
(To refresh the settings, select some other template, click on Apply, and then select the NDES template again.)
9. Edit the Wi-Fi profile. Under the Security Configuration tab, click on Configure.
10. Click on Advanced in the Smart Card or other Certificate Properties dialog box.
11. Click on Add, then Add again, and paste the Name and OID of the EKU from the txt file created in Step 4. Click on OK and OK again.
12. Ensure the newly added EKU is listed. Click on OK and wait ~15 minutes for the changes to be uploaded to Intune; alternatively, you can restart the SMS_DMP_Uploader thread from Service Manager.
13. Enrol a WP 10 device and check whether it now connects to the company Wi-Fi.
Note: The steps are largely the same for standalone Intune, apart from adding the additional EKU in the profile. If you use XML to push the Wi-Fi or VPN profile, add the new EKU in the following section:
<EKUMapping>
  <EKUMap>
    <EKUName>MobCert</EKUName>
    <EKUOID>1.1.1.1.1.1.1.1</EKUOID>
  </EKUMap>
</EKUMapping>
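The EKU-overlap check described at the start of this post, and the verification in Step 13, can also be scripted on a Windows 10 PC that enrolled the same SCEP profile (Windows Phone has no PowerShell, so use the Certificates app there). This is an added example, not part of the original post; the OID and store path below are placeholders to replace with your Step 4 value and the store the profile targets.

```powershell
# Added example: list Personal-store certificates whose Enhanced Key Usage overlaps
# the SCEP-issued certificate, i.e. the condition that makes certificate selection
# ambiguous for the Wi-Fi/VPN profile. Assumes a Windows 10 PC enrolled with the same
# SCEP profile; $CustomOid is a placeholder for the OID copied in Step 4.
param(
    [string]$CustomOid = '1.1.1.1.1.1.1.1',       # placeholder: your Step 4 OID
    [string]$StorePath = 'Cert:\CurrentUser\My'   # Personal store of the enrolled user
)

# Only certificates with a private key can be used for EAP-TLS client authentication.
$certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey })

# The SCEP certificate is the one carrying the unique Application Policy.
$scepCerts = @($certs | Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $CustomOid })
if ($scepCerts.Count -eq 0) {
    Write-Warning "No certificate with EKU $CustomOid in $StorePath; re-check the template refresh (Step 8) and the SCEP enrollment."
    return
}
if ($scepCerts.Count -gt 1) {
    # The custom OID must be unique to the SCEP template, otherwise it cannot disambiguate.
    Write-Warning "$($scepCerts.Count) certificates carry EKU $CustomOid; the OID is not unique in this store."
}
$scepCert = $scepCerts[0]
$scepEkus = @($scepCert.EnhancedKeyUsageList.ObjectId)

# Every other certificate sharing at least one EKU with the SCEP certificate is a
# candidate for the connection failure described above.
foreach ($c in $certs | Where-Object { $_.Thumbprint -ne $scepCert.Thumbprint }) {
    $shared = @($c.EnhancedKeyUsageList.ObjectId | Where-Object { $scepEkus -contains $_ })
    if ($shared.Count -gt 0) {
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            SharedEKU  = ($shared -join ', ')
        }
    }
}
```

An empty result means no other certificate shares an EKU with the SCEP certificate; a row whose SharedEKU contains the custom OID means the Application Policy is not unique and the profile still cannot pick the right certificate.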