Support Tip: AE Work Profile Device + Wi-Fi Profile “Error” when Using Device-Based Certs

By Jack Poehlman | Service Engineer on the Enterprise Mobility and Customer Experience Team

 

We’ve heard from a few customers recently about this experience setting up Wi-Fi profiles. The cases were very similar: the customer was attempting to set up certificate-based Wi-Fi profiles on Android Enterprise work profile devices and reported that the Wi-Fi profile constantly reported “Error”. Looking into these reports, we found that the customer was deploying a device-based certificate instead of a user-based certificate. Furthermore, the device-based certificate was configured with only a subject name such as CN={{AAD_Device_ID}}; no “Subject alternative name” was defined.

Reviewing this scenario, we discovered the cause of the Wi-Fi profile error in the processing. Currently, a UPN attribute is a requirement for Wi-Fi profile certificate selection. While we look into this further and investigate a full resolution, we have tested and confirmed with these customers that there’s a reasonably simple workaround. If you run into this error, where the Wi-Fi profile on Android Enterprise work profile devices errors out constantly, simply add a SAN with a UPN attribute to your device-based certificate SCEP profile like this:

[Image: AEWorkProfileDevices.png]

We will update this blog post as we investigate this issue further, and we hope this helps with some advanced troubleshooting.
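To confirm the workaround took effect, check that the issued certificate's SAN really carries a UPN. The following is an added example, not code from the original post or from Intune: it walks DER bytes and returns any UPN, which is encoded as an otherName with the Microsoft OID 1.3.6.1.4.1.311.20.2.3. The function names, sample extensions and UPN value are constructed for illustration.

```python
# Added example: locate UPN entries in a Subject Alternative Name extension.
UPN_OID = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3

def read_tlv(buf, pos):                   # -> (tag, content, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def upn_from_other_name(body):            # UPN string if body is a UPN otherName, else None
    try:
        parts = children(body)
        if len(parts) == 2 and parts[0] == (0x06, UPN_OID) and parts[1][0] == 0xA0:
            inner = children(parts[1][1])
            if len(inner) == 1 and inner[0][0] == 0x0C:    # UTF8String
                return inner[0][1].decode("utf-8")
    except ValueError:                    # malformed DER or invalid UTF-8
        pass
    return None

def find_upns(der):                       # recursive walk, descending into OCTET STRINGs too
    try:
        items = children(der)
    except ValueError:
        return []
    upns = []
    for tag, body in items:
        upn = upn_from_other_name(body) if tag == 0xA0 else None
        if upn is not None:
            upns.append(upn)
        elif tag & 0x20 or tag == 0x04:   # constructed element or wrapped extension value
            upns.extend(find_upns(body))
    return upns

# Constructed samples: one SAN extension with a UPN, one with only a dNSName.
def tlv(tag, content):                    # sample encoder, short-form lengths only
    return bytes([tag, len(content)]) + content
def ext(general_names):                   # SEQUENCE { OID 2.5.29.17, OCTET STRING { GeneralNames } }
    return tlv(0x30, tlv(0x06, bytes.fromhex("551d11")) + tlv(0x04, tlv(0x30, general_names)))
EXT_WITH_UPN = ext(tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"device01@contoso.example"))))
EXT_DNS_ONLY = ext(tlv(0x82, b"device01.contoso.example"))
```

An empty result from `find_upns` means the certificate has no UPN SAN, which is the condition the post associates with the Wi-Fi profile error.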

2 Comments
Occasional Contributor

Will this work with a normal SCEP User Cert setup? Because it doesn't seem to work for me by just changing the settings in the profile that you mention. There is no documentation about Device Certificates in Intune that I have ever found (if anyone knows otherwise I would love the link). All of the other devices that we manage use User certs so my NDES and SCEP connector are obviously set up for that User certificate. If I need to deploy Device Certs to AE devices, I assume I would need to stand up a new NDES and SCEP connector and issue a new Device cert to these devices, is that correct?

Thanks in advance!

Microsoft

If you are asking if Wi-Fi Profiles can be assigned and work with Android Enterprise Work Profile enrolled devices using Certificate based Auth or a User based certificate profile (that was a mouthful)? Yes, this should work without issue.

Do note that currently, as per our Android Enterprise Fully Managed Preview blog, Certificate and Wi-Fi Profiles are not yet available for Fully Managed devices... only BYOD Work profile enrolled devices.

As per our Docs, Create a SCEP certificate profile, Step 6 details:

..."Certificate type: Choose User for user certificates. A User certificate type can contain both user and device attributes in the subject and SAN of the certificate. Choose Device for scenarios such as user-less devices, like kiosks, or for Windows devices, placing the certificate in the Local Computer certificate store. Device certificates can only contain device attributes in the subject and SAN of the certificate. Device certificates are available for the following platforms"....

The NDES Connector and related server configuration is the same for User and Device based certificate deployments. The difference is in the settings of the SCEP Policy defined in the Intune Admin Console. When selecting Device based certificates, the device's attributes are used to build the Subject and SAN for the certificate request vs the User's attributes. Device Based CAN be used for devices that do not have User Affinity as well.

Hope this helps clear up the confusion. If you are facing an issue with Profiles not deploying as expected, please open a support case via the Intune Admin console's Help and Support. Our support folks would be happy to assist in determining what's wrong with your configuration.