All good my friend.  We're all on the same team with this stuff 🙂 ... View more

Sorry for my pointless post.   More pointless than PhilipDAth's (great) post:   "You'll need to configure Intune to issue certificates from the on-premise CA server using SCEP/NDES.  These certificates are authenticated against the user in AD (they have the username embedded in the certificate)...   ...When the user connects to WiFi and presents their certificate RADIUS extracts out the username and then continues to process as normal."   (User certs)   More pointless than RonaldBs (very useful) post:   "I used this method for always on vpn configurations and WPA2 Enterprise PEAP Wifi Configurations based on user certificates."   (User certs)   OP makes no reference to only using device certs.  Are user certs not a valid approach to his desire to prevent his staff connecting personal devices to his Meraki Wifi?   OP says in various replies:   "Apparently it's seemingly impossible find any sort of documentation to explain this from the ground up and work through it step by step.... (i.e. what sort of certificate, what settings do we need in InTune, on the NPS box etc)"   and:   "I actually had a blazing row with MS support cos they were like "oh you need to do this, this and this" but missing vital steps on actually HOW you do those things along the way."   Chabs says:   "Did you ever work this out? I can't believe such a simple part of the puzzle isnt really in any documentation anywhere- how do you configure Microsoft's NPS server to use these cloud SCEP certs for authentication?"   No mention of device certs anywhere?  My psychic powers are letting me down again (i have a similar problem with the wife.......)   So i was trying to be helpful by providing a link to a blog by an Azure senior PFE containing step-by-step instructions on how to set this up, that i know to work as i used it myself when first setting this up.  Yes, it is user-based certs.   RE: device certs, as i think you already know, you are unlikely to get native NPS doing cert auth for non-domain-joined devices.  It is from an era where this requirement was inconceivable and the on-prem domain is the security boundary etc.  I'm sure every guide you have googled starts with 'Create an AD account and....' or 'From a domain-joined machine...'.  Having Meraki auth against a 3rd party RADIUS solution may do the job though, or something like PhilipDAth's nifty idea with Systems Manager agent.   Microsoft's new Always-On VPN (replacing Direct Access) will do machine-based vpn tunnel initialisation, pre-logon, but - unsurprisingly - requires hybrid join so the computer object exists on-prem, for the cert auth to work.  So i think this is also suggestive of the idea you can't do device-based cert auth on a non-hybrid device, using only Microsoft stack.   Good luck with it.  It will be interesting to see what solutions appear.  No doubt an AAD service will appear at some point to provide this sort of facility and 'bridge the gap'.  AAD/Intune/MDM is still in it's infancy really.   CM ... View more

I used the following to set this up.   I have AP-deployed, Intune-enrolled W10 devices, enrolling device/user certs from on-prem CA via SCEP and the NDES connector as part of ESP, as described in this article, using an Intune-deployed WIFI profile, connecting to Meraki wifi network, auth'ing against NPS using PEAP-TLS.   https://www.jeffgilb.com/ndes-for-intune/   Only real issue for us is the lack of device-based certificate auth, simply because with AAD-joined devices there are no computer account objects in on-prem AD to add to an AD group used in an NPS condition.  So yes on full-AAD joined devices we have to use User certs, so available post-logon.  If you require device-based certs enabling pre-user-logon auth to the WiFi network, you will prob need to use hybrid AAD join, so you get the computer account on-prem which you can add to a group and use in NPS.   Looks like a lot of work, but it isn't really.  If you already have on-prem AD, on-prem enterprise CA, an Azure tenant, familiarity with AAD Applications/Enterprise Applications, it's not a big deal.  Took a couple of hours.  Good luck 🙂 ... View more