Intune Connector for SCEP & PKCS

Namless Shelter 216 Reputation points
2024-04-20T03:27:42.9266667+00:00

Dear PPL,

I need to sort out some confusion about the Intune Certificate Connector. I have been reading a bit all over the place about setting up this connector.

Currently, some of my clients only deploy a GPO & Configuration profile that uploads a root CA cert file for 802.1x Wifi on Domain Joined PCs... It works fine.

Now I just learnt that the Intune Connector (SCEP & PKCS) with NDES can do something similar in a more secure fashion for Intune Enrolled Devices.

Now, I can go ahead and set it up, but when we actually roll out the 802.1x wifi policy for Domain Joined PCs or Macs (Radius server: MS NPS), would we still need the Root CA cert file? Or can we somehow select the PKCS cert that is generated in Intune? If we still need the Root CA cert, it is kind of pointless to do this, am I right?

In other words, NPS won't be able to authenticate by PKCS certificate to allow a Domain Joined Device to connect to Wifi; NPS would still need to authenticate with a Root CA preloaded to only AD existed devices (Windows & Mac), right?

Can anyone help me to understand?

Thanks a lot

Larry


1 answer

  1. Crystal-MSFT 43,221 Reputation points Microsoft Vendor
    2024-04-22T01:55:56.9766667+00:00

    @Namless Shelter, Thanks for posting in Q&A. For root CA certificate, I would like to say yes, you would still need the Root CA cert file for the 802.1x wifi policy for Domain Joined PC or Macs. The Root CA cert establishes trust from the device to the issuing CA from which the other certificates are issued. While Intune supports SCEP and PKCS certificate profiles, the trusted root certificate must still be deployed to the same devices and users that receive the certificate profiles for SCEP and PKCS. Therefore, it is not pointless to set up the Intune Connector for SCEP and PKCS. NPS would still need to authenticate with a Root CA preloaded to only AD existed devices (Windows & Mac) to allow Domain Joined Devices to connect to Wifi.

    SCEP and PKCS are both certificate profiles in Intune used to provision certificates on devices for authentication. The main difference between the two is that SCEP provisions unique certificates for each request, while PKCS provisions each device with a unique certificate. SCEP can also be used to provision certificates on user-less devices like kiosks. On the other hand, PKCS can deploy a certificate type of either user or device, with user certificates requiring user affinity. Here are links with more details.

    https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

    https://learn.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure

    Hope the above information can help.


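As an added verification example (not part of the answer above and not one of Microsoft's own scripts), here is a PowerShell check an admin could run on an Intune-enrolled, domain-joined Windows PC to confirm the two things the answer says must both be in place before EAP-TLS against NPS can work: the root CA from the trusted certificate profile is present in the machine Trusted Root store, and a SCEP/PKCS-issued device certificate carrying the Client Authentication EKU chains up to that root. The root thumbprint is a placeholder to replace with your own CA's, and the function names are assumptions of this example.

```powershell
# Added example, not from the Q&A thread. Verifies on a Windows device that
# (a) the root CA pushed by the Intune trusted certificate profile is in the
#     machine Trusted Root store, and
# (b) a device certificate issued from that CA with the Client Authentication
#     EKU (what EAP-TLS against NPS requires) sits in the machine Personal
#     store with its private key and chains cleanly to that root.
# REPLACE_WITH_ROOT_CA_THUMBPRINT is a placeholder, not a real value.

param(
    [string]$RootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
)

# OID for the Client Authentication enhanced key usage
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-RootCaTrusted {
    # Returns $true when the given thumbprint is in LocalMachine\Root.
    param([string]$Thumbprint)
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$root
}

function Get-EapDeviceCertificates {
    # Returns certificates in LocalMachine\My that are usable for EAP-TLS and
    # whose chain terminates at the expected root CA.
    param([string]$RootThumbprint)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    } | Where-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline trust check only; NPS performs its own revocation checking.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($_)
        $last = $chain.ChainElements.Count - 1
        $built -and ($chain.ChainElements[$last].Certificate.Thumbprint -eq $RootThumbprint)
    }
}

if (-not (Test-RootCaTrusted -Thumbprint $RootThumbprint)) {
    Write-Warning "Root CA $RootThumbprint is not in LocalMachine\Root: the trusted certificate profile has not applied on this device."
}

$certs = Get-EapDeviceCertificates -RootThumbprint $RootThumbprint
if ($certs) {
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No valid Client Authentication certificate chaining to that root was found in LocalMachine\My."
}
```

Run it in an elevated PowerShell session on the client after the trusted certificate and SCEP/PKCS profiles have had time to apply. If the first warning fires, fix the trusted certificate profile assignment before looking at the SCEP/PKCS profile; if only the second fires, the device trusts the CA but has not yet received (or cannot use) its own certificate, which is where the connector-side configuration needs attention.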