Hybrid to Entra ID WiFi Certificate Authentication NPS via WHfB Cloud Trust & Cloud PKI-Replace ADCS

Hello Team, We are working in moving our devices Hybrid Entra ID Joined to Intune autopilot Entra ID Joined Current scenario: Hybrid Entra ID Joined devices (joined to both on-prem AD and Ent...

adcs

Autopilot

Network Policy Server

nps

Windows Hello for Business

Bogdan_Guinea

Iron Contributor

Aug 02, 2025

sergioandreslq

Hy,

the Option 2 is more reliable and work very good if you target to switch on Cloud Only.

Good luck!

sergioandreslq

Copper Contributor

Aug 03, 2025

Hello Bogdan_Guinea ,

If I deploy cloud PKI root CA, Cloud PKI Issuing CA and the SCEP configuration profile to the autopilot.
The autopilot device receive:

1. The cloud PKI root CA
2. Cloud PKI Issuing CA using configuration profile "trust certificate"
3. Computer certificate issued from the Cloud PKI issuing CA.
4. Wifi configuration profile doing reference to the cloud PKI root CA.

Then, the new Entra ID joined device is in the office and detect the WIFI. the end-user try to connect to this WIFI which will check the NPS.

What do I need to do in the NPS? Should I install the Cloud PKI Root CA and Cloud PKI Issuing CA in the NPS server to keep the trust and warranty that NPS will trust the Cloud PKI which issue the computer CA?

Forum Discussion

Hybrid to Entra ID WiFi Certificate Authentication NPS via WHfB Cloud Trust & Cloud PKI-Replace ADCS

Resources