Forum Discussion
Windows Hello for Business - Multi-Factor Unlock - Wireless Trusted Signal WPA3
I have been experimenting with WiFi trusted signal for Windows Hello for Business due to an issue that appears to have popped up after changing access point security to WPA3. I cannot seem to get the trusted signal configuration XML to properly validate the wireless trusted signal when WPA3 is the security type (with security being a required property). It works fine on WPA2, but no syntax for WPA3 seems to work. The official KB article from Microsoft about multi-factor unlock/trusted signals only lists the following as options:
| Value | Description |
| --- | --- |
| Open | The wireless network is an open network that doesn't require any authentication or encryption. |
| WEP | The wireless network is protected using Wired Equivalent Privacy. |
| WPA-Personal | The wireless network is protected using Wi-Fi Protected Access. |
| WPA-Enterprise | The wireless network is protected using Wi-Fi Protected Access-Enterprise. |
| WPA2-Personal | The wireless network is protected using Wi-Fi Protected Access 2, which typically uses a pre-shared key. |
| WPA2-Enterprise | The wireless network is protected using Wi-Fi Protected Access 2-Enterprise. |
Just worried this may just be straight up incompatible. Has anyone had luck using WPA3 for WHfB with wireless as a trusted signal?
3 Replies
- SRidenour90 (Copper Contributor)
It's very strange, no matter how I do it, I cannot get the wireless trusted signal to work if it includes "WPA3-xxxxxxx". If I switch the security type in XML back to WPA2 and set the AP's network to WPA2 again, it does work. My syntax is correct, I'm very certain of that at this point since all of the other signals work as expected. I, like you of course, would expect that WPA3 be fully supported across all features and systems within Windows/M365, but that doesn't appear to be the case.
Your XML example is correct by the way.
- Bogdan_Guinea (Iron Contributor)
Yes, of course my XML is correct 😉
I fully understand your frustration and at this point I can only recommend that you open a ticket directly from your tenant and try to get further with Microsoft support.
Just don't forget to update the information here.
Good luck!
- Bogdan_Guinea (Iron Contributor)
Hi,
Windows 10 and 11 natively support WPA3 networks, and the trusted signal configuration allows for custom security types.
In practice, if your Windows devices can connect to a WPA3 network, you can use the SSID and other Wi-Fi parameters as part of your trusted signal rules for multi-factor unlock.
Requirements
Windows 10 or 11 Pro/Enterprise, fully updated
Device must support Windows Hello for Business and be managed (e.g., via Intune)
TPM and biometric hardware (if using biometrics)
Proper licensing (Microsoft Intune P1 or higher)
Example
The XML should look something like this, I think:
<signal type="wifi">
  <ssid>YourCorporateSSID</ssid>
  <security>WPA3-Enterprise</security>
</signal>
Good luck!
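An added example, not part of any post in this thread and not Microsoft's code: a pre-deployment lint that parses a wifi trusted signal fragment of the shape posted above and reports any `<security>` value outside the six values the original post quotes from the documentation. The function name and the sample fragments are constructed for illustration, and the check reflects only that quoted list, not what Windows accepts at runtime.

```python
import xml.etree.ElementTree as ET

# Security values quoted in the original post from the Microsoft documentation.
DOCUMENTED_SECURITY = {
    "Open", "WEP", "WPA-Personal", "WPA-Enterprise",
    "WPA2-Personal", "WPA2-Enterprise",
}


def lint_wifi_signals(xml_text):
    """Return a list of findings for every <signal type="wifi"> in xml_text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    # root.iter() also yields the root, so a bare <signal> fragment works.
    signals = [s for s in root.iter("signal") if s.get("type") == "wifi"]
    if not signals:
        return ['no <signal type="wifi"> element found']

    for index, signal in enumerate(signals, start=1):
        ssid = (signal.findtext("ssid") or "").strip()
        security = (signal.findtext("security") or "").strip()
        label = f"wifi signal {index} (ssid={ssid or '?'})"
        if not ssid:
            findings.append(f"{label}: missing <ssid>")
        if not security:
            findings.append(f"{label}: missing <security>")
        elif security not in DOCUMENTED_SECURITY:
            # Exact-match check, so case or spelling drift is reported too.
            findings.append(
                f"{label}: security '{security}' is not in the documented list")
    return findings


# Constructed samples in the shape of the fragment posted in the thread.
WPA2_SAMPLE = """<signal type="wifi">
  <ssid>YourCorporateSSID</ssid>
  <security>WPA2-Enterprise</security>
</signal>"""
WPA3_SAMPLE = WPA2_SAMPLE.replace("WPA2-Enterprise", "WPA3-Enterprise")

if __name__ == "__main__":
    for name, sample in (("WPA2", WPA2_SAMPLE), ("WPA3", WPA3_SAMPLE)):
        print(name, lint_wifi_signals(sample) or "ok")
```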