Introduction
This guide helps you understand and troubleshoot Wi-Fi profile issues that you may encounter when you use Microsoft Intune.
This article is divided into the following sections:
- Overview of Wi-Fi profiles
- Creating Wi-Fi profiles
- Assigning Wi-Fi profiles
- What successful Wi-Fi profiles look like on your device
- Entries in Company Portal logs of successful Wi-Fi profile deployment
- Troubleshooting common issues
The examples in this guide use SCEP certificate authentication for these profiles and assume that the Trusted Root and SCEP profiles work correctly on the device. In the examples, the Trusted Root and SCEP profiles are named as follows.
Profile | Android | iOS | Windows |
---|---|---|---|
Trusted Root profile | AndroidRoot | iOSRoot | WindowsRoot2 |
SCEP profile | AndroidSCEP | iOSSCEP | WindowsSCEP2 |
Overview of Wi-Fi profiles
Wi-Fi is a wireless network that's used by many mobile devices to get network access. Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is called a profile. It can be assigned to different users and groups. After the profile is assigned, your users get access to your organization's Wi-Fi network without configuring it themselves.
For example, you install a new Wi-Fi network that is named Contoso Wi-Fi. Then, you want to set up all iOS devices to connect to this network. This process includes the following steps:
- You create a Wi-Fi profile that includes the settings that connect to the Contoso Wi-Fi wireless network.
- You assign the profile to a group that includes all users of iOS devices.
- Users find the new Contoso Wi-Fi network in the list of wireless networks on their device. They can then connect to the network by using the authentication method of your choice.
Wi-Fi profiles support the following device platforms and versions:
- Android 4 and later
- Android Enterprise and kiosk
- iOS 8.0 and later
- macOS X 10.11 and newer
- Windows 10 and later, Windows 10 Mobile, and Windows Holographic for Business
Creating Wi-Fi profiles
To create a Wi-Fi profile, follow the steps in the "Create a device profile" section of the following Microsoft Docs article:
Add and use Wi-Fi settings on your devices in Microsoft Intune
The Properties screen on the supported platforms resembles the following examples.
Assigning Wi-Fi profiles
After you create the Wi-Fi profile, assign the profile to selected groups.
See the following Assignments screen examples.
What successful Wi-Fi profiles look like on your device
The following is an example of a Nokia 6.1 device. In this example, you must install the Trusted Root and SCEP profiles before the Wi-Fi profile can be installed on the device.
- You receive a notification to install the Trusted Root certificate profile.
- You receive a notification to install the SCEP certificate profile.
  Note If you use a device administrator-managed Android device, there may be multiple certificates. This is because the certificates aren’t revoked or removed when a certificate profile is changed or removed. In this case, select the latest certificate. Usually, this is the last one in the list of certificates.
  This situation doesn’t occur on Android Enterprise and Samsung Knox devices. For more information, see Manage Android work profile devices with Intune and Remove SCEP and PKCS certificates in Microsoft Intune.
- You receive a notification to install the Wi-Fi profile.
- The Wi-Fi connection is successfully created.
After the Wi-Fi profile is installed on the device, you can see it in the Management Profile screen.
After the Wi-Fi profile is installed on the device, go to Settings > Accounts > Access work or school, select your work or school account, and then select Info.
You can see WiFi under the Areas managed by Microsoft.
The Wi-Fi profile is listed under Settings > Network & Internet > Wi-Fi.
Entries in Company Portal logs of successful Wi-Fi profile deployment
On an Android device, the Omadmlog.log file logs detailed activities of the Wi-Fi profile when it's processed on the device. Depending on how long the Company Portal app has been installed, you may have up to five Omadmlog log files. You can use the timestamp of the last sync to help find the related entries.
The following example uses CMTrace to read the logs and uses “wifimgr” as the search string filter.
The following sample log snippet shows a successful processing of the Wi-Fi profile:
2019-08-01T19:22:46.7340000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.7490000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Starting to parse OneX from Wifi XML.
2019-08-01T19:22:46.8100000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Completed parsing OneX from Wifi XML.
2019-08-01T19:22:46.8209999 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.8240000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142 Selected ca certificate with alias: 'user:205xxxxx.0' and thumbprint '<thumbprint>'.
2019-08-01T19:22:47.0990000 VERB com.microsoft.omadm.platforms.android.certmgr.CertificateChainBuilder 15118 04142 Complete certificate chain built with Complete certs.
2019-08-01T19:22:47.1010000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 1 cert(s) matched criteria: User<ID>[i:<ID>,17CECEA1D337FAA7D167AD83A8CC7A8FCBF9xxxx;eku:1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2]
2019-08-01T19:22:47.1090000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 0 cert(s) excluded by criteria:
2019-08-01T19:22:47.1110000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142 Selected client cert with alias 'User<ID>' and requestId 'ModelName=<ModelName>%2FLogicalName_<LogicalName>;Hash=-912418295'.
2019-08-01T19:22:47.4120000 VERB com.microsoft.omadm.Services 15118 04142 Successfully applied, enabled and saved wifi profile '<profile ID>'
2019-08-01T19:22:47.4240000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.4910000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.4970000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5080000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.5820000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142 Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.5900000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142 Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5910000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 15118 04142 Applied profile <profile ID>
On an iOS device, the Company Portal log doesn't contain any information about Wi-Fi profiles. To see details about the installation of the Wi-Fi profiles, examine the Console and Device logs. To do this, follow these steps:
- Connect the iOS device to a Mac, and then go to Applications > Utilities to open the Console app.
- Under Action, select Include Info Messages and Include Debug Messages.
- After the problem is reproduced, save the logs to a text file. To do this, select Edit > Select All to select all the messages on the current screen, and then select Edit > Copy to copy the messages to the clipboard. Next, open the TextEdit application, paste the copied logs into a new text file, and then save the file.
You can search the file for the Wi-Fi profile name to view detailed information.
Sample log snippet:
Line 390870: debug 11:19:58.994815 -0400 profiled Adding dependent www.windowsintune.com.wifi.Contoso to parent Microsoft.Profiles.MDM in domain ManagingProfileToManagedProfile to system
Line 390872: debug 11:19:58.995210 -0400 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.wifi.Contoso in domain ManagedProfileToManagingProfile to system
Line 392346: default 11:19:59.360460 -0400 profiled Profile “www.windowsintune.com.wifi.Contoso” installed.
On a Windows device, the details about Wi-Fi profiles are logged in the following location in Event Viewer:
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
Note You must select the Show Analytic and Debug Logs option in Event Viewer to see these logs.
Sample log snippet:
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 8/7/2019 8:01:41 PM
Event ID: 1506
Task Category: (1)
Level: Information
Keywords: (2)
User: SYSTEM
Computer: <Computer Name>
Description:
WiFiConfigurationServiceProvider: Node set value, type: (0x4), Result: (The operation completed successfully.).
Troubleshooting common issues
Issue 1: The Wi-Fi profile isn't deployed to the device
- Verify that the Wi-Fi profile is assigned to the correct group.
  In the Intune portal, go to Device configuration > Profiles, select Assignments, and then examine the selected groups.
  Also review the Assignments information in the Troubleshoot pane.
- Verify that the device can sync with Intune by checking the Last Check In time in the Troubleshoot pane.
- If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, verify that both profiles have been deployed to the device. The Wi-Fi profile has a dependency on these profiles.
  If the Trusted Root and SCEP profiles aren't installed on the device, you will see the following entry in the Company Portal Omadmlog file:
  2019-08-01T19:18:13.5120000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 15118 04105 Skipping Wifi profile <profile ID> because it is pending certificates.
  Note There is a scenario in which the Trusted Root and SCEP profiles are on the device and compliant but the Wi-Fi profile is still not on the device. This situation occurs when the CertificateSelector provider from the Company Portal app doesn't find a certificate that matches the specified criteria. The specific criteria can be on the Certificate Template or in the SCEP profile. If a matching certificate isn't found, the certificates on the device will be excluded. This will cause the Wi-Fi profile to be skipped because it doesn’t have the correct certificate. In this scenario, you see the following entry in the Company Portal Omadmlog file:
  Skipping Wifi profile <profile ID> because it is pending certificates.
  The following is a sample log snippet in which certificates are excluded because the Any Purpose Extended Key Usage (EKU) criteria was specified but the certificates that are assigned to the device don’t have that EKU:
  2018-11-27T21:10:37.6390000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User<ID1> and requestId <requestID1> as it does not have any purpose EKU.
  2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User<ID2> and requestId <requestID2> as it does not have any purpose EKU.
  2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s) matched criteria:
  2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 2 cert(s) excluded by criteria:
  2018-11-27T21:10:37.6400000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948 Skipping Wifi profile <profile ID> because it is pending certificates.
  In this example, the SCEP profile has the option of Any Purpose EKU specified, but it is not specified in the Certificate Template on the certificate authority (CA). To fix the issue, add the Any Purpose option to the certificate template, or remove the Any Purpose option from the SCEP profile.
- Verify that all required certificates in the complete certificate chain are on the device. Otherwise, the Wi-Fi profile can't be installed on the device. For more information, see Missing intermediate certificate authority.
- Filter the Omadmlog with a keyword to look for useful information, such as which certificate is used for the Wi-Fi profile and whether the profile was applied.
  For example, you can use CMTrace to read the logs and use the search string filter of “wifimgr”.
  If you see an error in the log, copy the time stamp of the error and un-filter the log. Then use the “find” option with the time stamp to see what happened right before the error occurred.
- Verify that the Wi-Fi profile is assigned to the correct group.
  In the Intune portal, go to Device configuration > Profiles, select the profile > Assignments, and verify the selected groups.
  Also review the Assignments information in the Troubleshoot pane.
- Verify that the device can sync with Intune by checking the Last Check In time in the Troubleshoot pane.
- If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, verify that both profiles have been deployed to the device. The Wi-Fi profile has a dependency on these profiles.
- Examine the MDM Diagnostic Information log from Windows 10 devices.
  To do this, download the MDM Diagnostic Information log. Then, open File Explorer, and navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
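The Omadmlog checks described above for Android (filter on the Wi-Fi and certificate entries, then look at what was logged right before a skip) can be scripted. The following Python code is an added example, not part of the original guide or of any Intune tooling: it reports whether each Wi-Fi profile was applied or skipped as pending certificates and lists the certificate exclusions logged shortly before a skip. The function names, the 5-second window, and the sample log (constructed from the snippets in this guide, with made-up profile IDs and aliases) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout seen in the Omadmlog samples: <timestamp> <level> <component> <pid> <tid> <message>
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+\s+\w+\s+(\S+)\s+\d+\s+\d+\s+(.*)$")
SKIPPED = re.compile(r"Skipping Wifi profile (.+?) because it is pending certificates")
APPLIED = re.compile(r"Applied profile (.+)$")
EXCLUDED = re.compile(r"Excluding cert with alias (\S+) and requestId \S+ as it (.+?)\.?$")

# Constructed sample modeled on the snippets in this guide; profile IDs and aliases are made up.
SAMPLE_LOG = """\
2018-11-27T21:10:37.6390000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias UserA1 and requestId req-1 as it does not have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias UserA2 and requestId req-2 as it does not have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s) matched criteria:
2018-11-27T21:10:37.6400000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948 Skipping Wifi profile wifi-sample-1 because it is pending certificates.
2018-11-27T21:12:01.1000000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00951 Skipping Wifi profile wifi-sample-2 because it is pending certificates.
2018-11-27T21:16:30.5910000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00960 Applied profile wifi-sample-2
"""

def parse(text):
    """Yield (timestamp, component, message); the 7-digit fraction is dropped because %f takes at most 6."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3)

def triage(text, window_seconds=5):
    """Map each Wi-Fi profile ID to its latest state plus certificate exclusions logged just before a skip."""
    events = list(parse(text))
    report = {}
    for i, (ts, comp, msg) in enumerate(events):
        if not comp.endswith("wifimgr.WifiProfileManager"):
            continue
        if m := APPLIED.search(msg):
            report[m.group(1)] = {"status": "applied", "excluded": []}
        elif m := SKIPPED.search(msg):
            since = ts - timedelta(seconds=window_seconds)
            excluded = [(x.group(1), x.group(2))
                        for pts, pcomp, pmsg in events[:i]
                        if pts >= since and pcomp.endswith("CertUtils")
                        and (x := EXCLUDED.search(pmsg))]
            report[m.group(1)] = {"status": "pending certificates", "excluded": excluded}
    return report

if __name__ == "__main__":
    for profile, result in triage(SAMPLE_LOG).items():
        print(profile, result)
```

A profile that is skipped with an empty exclusion list points to missing Trusted Root or SCEP profiles, while a skip preceded by exclusions points to a criteria mismatch such as the Any Purpose EKU case.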
Issue 2: The Wi-Fi profile is deployed to the device, but the device can't connect to the network
Typically this is not an Intune issue. There can be multiple causes of a connectivity issue. The following items may help you understand and troubleshoot the issue:
- Can you manually connect to the network by using a certificate that has the same criteria that's specified in the Wi-Fi profile?
  If so, examine the properties of the certificate that you used in the manual connection and make changes to the Intune Wi-Fi profile accordingly.
- Did the RADIUS server log show that the device tried to connect by using the Wi-Fi profile? Usually, connectivity errors are logged in the RADIUS server log.
More information
If you’re still looking for a solution to a related problem, or if you want more information about Intune, post a question in our Microsoft Intune forum. Many support engineers, MVPs, and members of our development team visit the forums. So, there’s a good chance that you can find someone who has the information that you need.
If you want to open a support request with the Microsoft Intune Support team, see the following article:
How to get support for Microsoft Intune
For more information about Wi-Fi profiles in Microsoft Intune, see the following articles:
- Add Wi-Fi settings for devices running Android in Microsoft Intune
- Add Wi-Fi settings for iOS devices in Microsoft Intune
- Add Wi-Fi settings for Windows 10 and later devices in Intune
- Support Tip - How to configure NDES for SCEP certificate deployments in Intune
- Troubleshooting SCEP certificate profile deployment in Microsoft Intune
- Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles
For all the latest news, information, and tech tips, visit our official blogs:
- The Microsoft Intune Support Team Blog
- The Microsoft Enterprise Mobility and Security Blog