Windows Office Hours: August 17, 2023
Hi guys, thanks for the opportunity to submit a question.
I run a large network of AAD-joined, Intune-managed, Autopilot-deployed devices. We've switched to Windows 11 and now I want to phase out enforced password resets since we are largely passwordless with our devices and cloud resources. Wifi is the weak link as we're still reliant on passwords (via PEAP) so I need to switch to certificates. I need both device and user certs - the former to provide connectivity from the logon screen and the latter so that users can be identified on the network in the same way as they are currently (this is needed for firewall rules and logging).
I have created two SCEP profiles (one for user and one for device) plus a wifi profile (using 'user or machine' auth). This combination seems a tricky one since although the device gets a cert when it's provisioned, the user doesn't (because they don't exist on the device yet). When the device is handed to a user and they log in for the first time, there's no grace period during which they are allowed to continue using the device cert connection in order to fetch their own cert for subsequent auth; it simply drops the moment they log in.
Support have responded that this behaviour is by design and there is no configurable grace period or other workaround. The only alternative we've found is to ensure the availability of a backup network connection on first logon (have the device connected to a dock with an ethernet link) but this is impractical at scale for a large mobile fleet of which less than 10% would be regularly connected to a dock.
If this is indeed the design, how is it then possible for a user to fetch a certificate at their first logon or renew it at a later point if their cert has expired?
Thanks!
- ThomasTrombley, Aug 17, 2023 (Former Employee)
Hi Chris, great question. I'm going to bring in an additional engineer or three to help us troubleshoot! Thanks for your patience.
- jabbrwcky, Aug 21, 2023 (Brass Contributor)
Hey Thomas, was there ever a response on this or is it in the too-hard basket? Thanks!
- jabbrwcky, Aug 17, 2023 (Brass Contributor)
Thanks, really appreciate that. I’m still scratching my head after a further chat with support this morning; they acknowledged that this is a problem yet explained that this authentication mode is in widespread enterprise use. Given the obvious shortcomings I’m at a loss as to how that would be the case. Perhaps the difference is that in my scenario we’re provisioning devices for initial use within our network and subsequent use off-site whereas others may send devices to users’ homes, in which case their first use would be on a non-work connection which would allow the Intune profile to be provisioned and the SCEP request to complete so that when the device then later arrives on the work network, it has the needed user cert to connect. I have spoken with several colleagues in other edu orgs my size (1000+ users) and they all have the exact same issue and are very interested in the response.
- Jason_Sandys, Aug 17, 2023 (Microsoft)
Hi Chris. Just to clarify, you have 802.1x implemented here to gate access to your wifi, correct?