Forum Discussion
Hybrid to Entra ID WiFi Certificate Authentication NPS via WHfB Cloud Trust & Cloud PKI-Replace ADCS
Hello Team,
We are working in moving our devices Hybrid Entra ID Joined to Intune autopilot Entra ID Joined
Current scenario:
- Hybrid Entra ID Joined devices (joined to both on-prem AD and Entra ID)
- Active Directory with Entra ID Connect for object synchronization
- AD Certificate Services (ADCS) issuing user and device certificates via GPO auto-enrollment
- Group Policies to push Wi-Fi configuration (EAP-TLS using device certificate)
- NPS RADIUS server using EAP-TLS ("Smart Card or Other Certificate") for secure 802.1X authentication
- On-prem SSO enabled through standard Kerberos authentication
Now, I am testing Autopilot Win11 Entra ID Joined with WHfB using Cloud trust to SSO to on-prem resources. The autopilot is working, however, the WIFI is not working as the autopilot device doesn't have any certificate from the on-prem ADCS.
What is the best practice to try be as much cloud and begin to decommision on-prem services.
I have 2 options to push the User and computer certificate to the AUtopilot device:
Option 1: Intune Certificate Connector that will bridge on-prem ADCS and Intune, In Intune a PKCS profile to install the certificate to the autopilot device.
Option 2: Intune Cloud PKI and configuration profile PKCS profile to install the certificate to the autopilot device. on-prem install the root CA from the Intune cloud PKI.
https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-cloud-pki-deployment
For the on-prem SSO I will contine using Cloud Trust.
| Component | Target |
| Device Identity | Autopilot + Entra ID Joined only (no domain join) |
| User Sign-In | Windows Hello for Business (WHfB) with Cloud Kerberos Trust |
| Certificate Issuance | Replace ADCS/GPO with Microsoft Cloud PKI and Intune PKCS |
| Wi-Fi Authentication | Retain existing NPS RADIUS using EAP-TLS, but trust both ADCS and Cloud PKI root CAs |
| On-prem SSO | Enabled by AzureADKerberos on domain controllers |
| Hybrid Devices | Continue current operation during the transition — no immediate impact |
The 2 network environment needs to coexist: the on-prem and the cloud.
| Device Type | Certificate Issuer | Wi-Fi Auth | SSO |
| Hybrid AD-joined | ADCS via GPO | EAP-TLS (device cert) | Native Kerberos |
| Autopilot Entra ID Joined | Cloud PKI via Intune | EAP-TLS (device cert) | WHfB + Cloud Trust (AzureADKerberos) |
How the New Wi-Fi Auth Works:
- Autopilot devices receive:
- A device certificate from Cloud PKI via Intune
- A Wi-Fi profile using EAP-TLS authentication
- NPS RADIUS server:
- Validates the device cert
- Issues access to Wi-Fi
- WHfB Cloud Trust provides a Kerberos ticket from AzureADKerberos, enabling seamless access to file shares, print servers, etc.
This allows Autopilot Entra ID Joined devices to:
- Connect to Wi-Fi without GPO
- Access on-prem resources without passwords
High-Level Implementation Steps
- Deploy Microsoft Cloud PKI in Intune
- Configure PKCS profiles for user and device certificates
- Deploy WHfB Cloud Trust via Intune + Entra ID (no AD join needed)
- Configure AzureADKerberos on domain controllers
- Install Cloud PKI Root CA in NPS server trust store
- Update NPS policy to accept certificates from both ADCS and Cloud PKI
- Deploy Wi-Fi profiles to Autopilot devices via Intune (EAP-TLS using device cert)
Based on it, what is the best practice to move the device to the cloud as much possible.
3 Replies
Hy,
the Option 2 is more reliable and work very good if you target to switch on Cloud Only.
Good luck!
Hello Bogdan_Guinea ,
If I deploy cloud PKI root CA, Cloud PKI Issuing CA and the SCEP configuration profile to the autopilot.
The autopilot device receive:1. The cloud PKI root CA
2. Cloud PKI Issuing CA using configuration profile "trust certificate"
3. Computer certificate issued from the Cloud PKI issuing CA.
4. Wifi configuration profile doing reference to the cloud PKI root CA.
Then, the new Entra ID joined device is in the office and detect the WIFI. the end-user try to connect to this WIFI which will check the NPS.
What do I need to do in the NPS? Should I install the Cloud PKI Root CA and Cloud PKI Issuing CA in the NPS server to keep the trust and warranty that NPS will trust the Cloud PKI which issue the computer CA?Hy,
so... yes with that you should be ready to go, ant the Trust for your NPS should also look like that:
- Install the Cloud PKI Root CA certificate on the NPS server. This should be imported into the "Trusted Root Certification Authorities" store on the local computer.
- Install the Cloud PKI Issuing CA certificate on the NPS server. This should be imported into the "Intermediate Certification Authorities" store on the local computer.
- Publish the Issuing CA certificate to the NtAuthCA store in order to be able to validate client certificates.
- Don’t forget to obtain the necessary licenses for Cloud PKI. Consider using the available trial licenses first so you can test the service before committing, and assign this to your devices/users based on your configuration and WiFi Profile.
Good luck!
