Use a custom device profile to create a WiFi profile with a pre-shared key - Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Read the introduction to Intune.

Pre-shared keys (PSK) are typically used to authenticate users in WiFi networks, or wireless LANs. With Intune, you can create a WiFi profile using a pre-shared key. To create the profile, use the Custom device profiles feature within Intune. This article also includes some examples of how to create an EAP-based Wi-Fi profile.

Important

  • Using a pre-shared key with Windows 10 causes a remediation error to appear in Intune. When this happens, the Wi-Fi profile is properly assigned to the device, and the profile works as expected.
  • If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is protected. The key is in plain text, so it's your responsibility to protect the key.

Before you begin

  • It may be easier to copy the code from a computer that connects to that network, as described later in this article.
  • For Android, you can also use the Android PSK Generator.
  • You can add multiple networks and keys by adding more OMA-URI settings.
  • For iOS, use Apple Configurator on a Mac station to set up the profile. Or, use iOS PSK Mobile Config Generator.

Create a custom profile

You can create a custom profile with a pre-shared key for Android, Windows, or an EAP-based Wi-Fi profile. To create the profile using the Azure portal, see Create custom device settings. When you create the device profile, choose Custom for your device platform. Don't select the Wi-Fi profile. When you choose custom, be sure to:

  1. Enter a name and description of the profile.

  2. Add a new OMA-URI setting with the following properties:

    a. Enter a name for this Wi-Fi network setting

    b. (Optional) Enter a description of the OMA-URI setting, or leave it blank

    c. Set the Data Type to String

    d. OMA-URI:

    • For Android: ./Vendor/MSFT/WiFi/Profile//Settings

    • For Windows: ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml

      Note

      Be sure to include the dot character at the beginning.

      SSID is the SSID for which you're creating the policy. For example, enter ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings.

    e. Value Field is where you paste your XML code. See the examples within this article. Update each value to match your network settings. The comments section of the code includes some pointers.

  3. Select OK, save, and then assign the policy.

    Note

    This policy can only be assigned to user groups.

The next time each device checks in, the policy is applied, and a Wi-Fi profile is created on the device. The device can then connect to the network automatically.

Android or Windows Wi-Fi profile example

The following example includes the XML code for an Android or Windows Wi-Fi profile.

Important

<protected>false</protected> must be set to false. When true, it could cause the device to expect an encrypted password and then try to decrypt it, which may result in a failed connection.

<hex>53534944</hex> should be set to the hexadecimal value of <name><SSID of wifi profile></name>. Windows 10 devices may return a false 0x87D1FDE8 Remediation failed error, but the device still contains the profile.

    <!--
    <Name of wifi profile> = Name of profile
    <SSID of wifi profile> = Plain text of SSID. Does not need to be escaped, could be <name>Your Company's Network</name>
    <nonBroadcast><true/false></nonBroadcast>
    <Type of authentication> = Type of authentication used by the network, such as WPA2PSK.
    <Type of encryption> = Type of encryption used by the network
    <protected>false</protected> do not change this value, as true could cause device to expect an encrypted password and then try to decrypt it, which may result in a failed connection.
    <password> = Password to connect to the network
    <hex>53534944</hex> should be set to the hexadecimal value of <name><SSID of wifi profile></name>
    -->
    <WLANProfile
    xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
      <name><Name of wifi profile></name>
      <SSIDConfig>
        <SSID>
          <hex>53534944</hex>
          <name><SSID of wifi profile></name>
        </SSID>
        <nonBroadcast>false</nonBroadcast>
      </SSIDConfig>
      <connectionType>ESS</connectionType>
      <connectionMode>auto</connectionMode>
      <autoSwitch>false</autoSwitch>
      <MSM>
        <security>
          <authEncryption>
            <authentication><Type of authentication></authentication>
            <encryption><Type of encryption></encryption>
            <useOneX>false</useOneX>
          </authEncryption>
          <sharedKey>
            <keyType>networkKey</keyType>
            <protected>false</protected>
            <keyMaterial>MyPassword</keyMaterial>
          </sharedKey>
          <keyIndex>0</keyIndex>
        </security>
      </MSM>
    </WLANProfile>
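
An added example (not from the original article or from Microsoft's tooling) that fills in the PSK template above from an SSID and key, deriving the `<hex>` value and XML-escaping the inputs. The function names are hypothetical, UTF-8 is assumed for the SSID bytes, and the key check applies the WPA/WPA2-PSK rule of 8 to 63 printable ASCII characters or 64 hex digits.

```python
import re
from xml.sax.saxutils import escape

# Mirrors the PSK profile shown above; only the placeholders are filled in.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{profile}</name>
  <SSIDConfig>
    <SSID><hex>{hex}</hex><name>{ssid}</name></SSID>
    <nonBroadcast>{hidden}</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>{auth}</authentication>
        <encryption>{enc}</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>networkKey</keyType>
        <protected>false</protected>
        <keyMaterial>{key}</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>"""

def ssid_hex(ssid):
    """Upper-case hex of the SSID's bytes (UTF-8 assumed) for the <hex> element."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:          # 802.11 SSIDs are at most 32 bytes
        raise ValueError("SSID must be 1-32 bytes")
    return raw.hex().upper()

def build_psk_profile(ssid, key, auth="WPA2PSK", enc="AES", hidden=False, profile=None):
    # WPA/WPA2-PSK accepts 8-63 printable ASCII characters or 64 hex digits.
    ok = re.fullmatch(r"[0-9A-Fa-f]{64}", key) or (
        8 <= len(key) <= 63 and key.isascii() and key.isprintable())
    if not ok:
        raise ValueError("key is not a valid WPA/WPA2-PSK passphrase or key")
    return TEMPLATE.format(
        profile=escape(profile or ssid), hex=ssid_hex(ssid), ssid=escape(ssid),
        auth=escape(auth), enc=escape(enc), hidden=str(hidden).lower(), key=escape(key))
```

The returned string still contains the key in plain text, so it needs the same protection as an exported profile.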

EAP-based Wi-Fi profile example

The following example includes the XML code for an EAP-based Wi-Fi profile:

    <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
      <name>testcert</name>
      <SSIDConfig>
        <SSID>
          <hex>7465737463657274</hex>
          <name>testcert</name>
        </SSID>
        <nonBroadcast>true</nonBroadcast>
      </SSIDConfig>
      <connectionType>ESS</connectionType>
      <connectionMode>auto</connectionMode>
      <autoSwitch>false</autoSwitch>
      <MSM>
        <security>
          <authEncryption>
            <authentication>WPA2</authentication>
            <encryption>AES</encryption>
            <useOneX>true</useOneX>
            <FIPSMode     xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
          </authEncryption>
          <PMKCacheMode>disabled</PMKCacheMode>
          <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
            <cacheUserData>false</cacheUserData>
            <authMode>user</authMode>
            <EAPConfig>
              <EapHostConfig     xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                <EapMethod>
                  <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
                  <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                  <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                  <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                </EapMethod>
                <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>13</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                      <CredentialsSource>
                        <CertificateStore>
                          <SimpleCertSelection>true</SimpleCertSelection>
                        </CertificateStore>
                      </CredentialsSource>
                      <ServerValidation>
                        <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                        <ServerNames></ServerNames>
                      </ServerValidation>
                      <DifferentUsername>false</DifferentUsername>
                      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                      <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                      <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                        <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                          <AllPurposeEnabled>true</AllPurposeEnabled>
                          <CAHashList Enabled="true">
                            <IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78 </IssuerHash>
                          </CAHashList>
                          <EKUMapping>
                            <EKUMap>
                              <EKUName>Client Authentication</EKUName>
                              <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                            </EKUMap>
                          </EKUMapping>
                          <ClientAuthEKUList Enabled="true"/>
                          <AnyPurposeEKUList Enabled="false">
                            <EKUMapInList>
                              <EKUName>Client Authentication</EKUName>
                            </EKUMapInList>
                          </AnyPurposeEKUList>
                        </FilteringInfo>
                      </TLSExtensions>
                    </EapType>
                  </Eap>
                </Config>
              </EapHostConfig>
            </EAPConfig>
          </OneX>
        </security>
      </MSM>
    </WLANProfile>

Create the XML file from an existing Wi-Fi connection

You can also create an XML file from an existing Wi-Fi connection using the following steps:

  1. On a computer that is connected to, or has recently connected to the wireless network, open the \ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid} folder.

    It's best to use a computer that hasn't connected to many wireless networks. Otherwise, you may have to search through each profile to find the correct one.

  2. Search through the XML files to locate the file with the correct name.

  3. After you have the correct XML file, copy and paste the XML code into the Data field of the OMA-URI settings page.
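
An added example (not from the original article) for step 2: it lists the profile XML files in a folder whose SSID matches and reports whether each one carries a plain-text or protected key, without returning the key itself. The function names and the sample profile are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def summarize_profile(root):
    """Name, SSID and key state of one WLANProfile element; the key is never returned."""
    def text(path):
        return (root.findtext(path) or "").strip()
    key = "none"
    if text(".//{*}sharedKey/{*}keyMaterial"):
        # <protected>false</protected> means keyMaterial is the plain-text key.
        protected = text(".//{*}sharedKey/{*}protected").lower()
        key = "plaintext" if protected == "false" else "protected"
    return {"name": text("{*}name"), "ssid": text(".//{*}SSID/{*}name"), "key": key}

def find_profiles(folder, ssid):
    """Map file name -> summary for every *.xml in folder whose SSID matches."""
    hits = {}
    for path in sorted(Path(folder).glob("*.xml")):
        try:
            info = summarize_profile(ET.parse(path).getroot())
        except ET.ParseError:
            continue                      # not a readable profile; skip it
        if info["ssid"] == ssid:
            hits[path.name] = info
    return hits

# Constructed sample, trimmed to the elements the summary reads.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Hotspot-1</name>
  <SSIDConfig><SSID><hex>486F7473706F742D31</hex><name>Hotspot-1</name></SSID></SSIDConfig>
  <MSM><security><sharedKey>
    <keyType>networkKey</keyType><protected>false</protected>
    <keyMaterial>constructed-example-key</keyMaterial>
  </sharedKey></security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    print(summarize_profile(ET.fromstring(SAMPLE)))
```

A "protected" result marks a file whose `<protected>` value is not `false`, which the note above says may result in a failed connection when deployed as-is.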

Best practices

  • Before you deploy a Wi-Fi profile with PSK, confirm that the device can connect to the endpoint directly.

  • When rotating keys (passwords or passphrases), expect downtime and plan your deployments accordingly. Consider pushing new Wi-Fi profiles during non-working hours. Also, warn users that connectivity may be impacted.

  • To ensure a smooth transition, make sure the end user's device has an alternate connection to the Internet. For example, the end user must be able to switch back to Guest WiFi (or some other WiFi network) or have cellular connectivity to communicate with Intune. The extra connection allows the user to receive policy updates when the corporate WiFi Profile is updated on the device.