How to Create and Deploy Wi-Fi Profiles in Microsoft Intune

Start by signing into the Microsoft Intune admin center. This is where you'll manage all device configuration policies including Wi-Fi profiles.

Open your browser and navigate to endpoint.microsoft.com. Sign in with your admin credentials that have either Global Admin or Intune Admin permissions.

Once logged in, navigate to Devices from the left sidebar, then select Configuration. You'll see a list of existing configuration profiles if any are already created.

Click Create and then select New policy from the dropdown menu. This opens the policy creation wizard where you'll configure your Wi-Fi profile.

Choose your target platform first, as each platform has slightly different Wi-Fi configuration options. For this example, we'll start with Windows 10 and later, but the process is similar across platforms.

Select Platform: Windows 10 and later, then choose Profile type: Templates and select Wi-Fi from the template list.

In the Basics section, configure these essential fields:

• Name: Enter a descriptive name like "Corporate Wi-Fi Basic" or "Guest Network Profile"
• Description: Add details about the network purpose and target users

Click Next to proceed to configuration settings. Here you'll define the actual Wi-Fi network parameters that devices will use to connect automatically.

For a basic Wi-Fi network using WPA2 with a pre-shared key (most common for small offices or guest networks), configure these essential settings:

Connection name: This is the user-visible name that appears in their Wi-Fi list. Enter something like "CorpWiFi" or "GuestNetwork".

Network name (SSID): Enter the exact SSID of your wireless network. This must match exactly, including case sensitivity.

Security type: Select WPA2-Personal for basic networks with shared passwords.

Pre-shared key: Enter the Wi-Fi password. This will be securely distributed to devices without users needing to know it.

Additional optional settings you can configure:

• Connect automatically: Enable this so devices connect without user intervention
• Connect when network is not broadcasting: Enable for hidden SSIDs
• Metered connection limits: Set data usage restrictions if needed

Enterprise networks require certificate-based authentication for enhanced security. Create a new profile following steps 1-2, but select different security settings for enterprise authentication.

In the configuration settings, choose these enterprise options:

Security type: Select WPA2-Enterprise or WPA3-Enterprise (if your infrastructure supports WPA3).

EAP type: Choose based on your authentication infrastructure:

• EAP-TLS: Uses client certificates for authentication (most secure)
• PEAP: Uses username/password with server certificate validation
• EAP-TTLS: Similar to PEAP but with different tunneling

For EAP-TLS configuration:

• Client authentication certificate: Select an existing SCEP or PKCS certificate profile
• Root certificate for server validation: Choose your organization's root CA certificate profile

For PEAP configuration:

• Authentication method: Select "Username and password"
• Root certificate for server validation: Select your trusted root CA profile
• Identity privacy (outer identity): Optional anonymous identity for initial connection

Each platform offers unique advanced settings that can enhance the Wi-Fi experience. Configure these based on your network requirements and security policies.

For Windows devices:

• Company Portal authentication: Require users to authenticate through Company Portal before connecting
• Single sign-on: Enable if using the same credentials for network and domain authentication
• Proxy settings: Configure automatic proxy detection or manual proxy server settings

For Android devices:

• Wi-Fi hotspot blocking: Prevent devices from sharing the Wi-Fi connection
• MAC address randomization: Enable for privacy (supported on Android 10+)

For iOS/iPadOS devices:

• Disable MAC address randomization: Some enterprise networks require consistent MAC addresses
• Captive network assistant: Disable if your network doesn't use captive portals

Example proxy configuration for automatic detection:

{
  "proxySettings": "automatic",
  "proxyAutomaticConfigurationUrl": "http://proxy.company.com/proxy.pac"
}

Scope tags help organize and control access to configuration profiles, especially in large organizations with multiple IT teams. Assignment groups determine which devices receive the Wi-Fi profile.

Scope tags configuration:

If your organization uses scope tags, select the appropriate tags from the dropdown. Common scope tags include:

• Department-based tags (HR, Finance, Engineering)
• Location-based tags (Office-NYC, Office-London)
• Device type tags (Corporate-Laptops, BYOD-Devices)

If you don't use scope tags, leave this section with the default "Default" tag.

Assignment groups setup:

Click Next to reach the Assignments page. Here you'll specify which devices or users receive this Wi-Fi profile:

• Include groups: Select Azure AD groups containing target devices or users
• Exclude groups: Optionally exclude specific groups (useful for testing)

Common assignment strategies:

• All Devices: For company-wide networks
• All Users: For user-based assignments
• Dynamic device groups: Based on device properties like OS version or enrollment type
• Static groups: Manually managed groups for specific departments

Before deploying, carefully review all configuration settings to prevent connectivity issues. The review page shows a summary of all your Wi-Fi profile settings.

Review checklist:

• SSID matches your network exactly (case-sensitive)
• Security type matches your wireless infrastructure
• Pre-shared key is correct (for basic profiles)
• Certificate profiles are properly referenced (for enterprise profiles)
• Assignment groups contain the intended devices

If everything looks correct, click Create to deploy the profile. Intune will begin distributing the Wi-Fi settings to assigned devices.

Deployment timeline:

• Enrolled devices: 15-30 minutes for policy sync
• New Autopilot devices: Up to 8 hours during initial setup
• Manually enrolled devices: Next check-in cycle (typically 8 hours)

To force immediate deployment for testing, you can trigger a manual sync from the device:

• Windows: Settings > Accounts > Access work or school > [Account] > Info > Sync
• Android: Company Portal app > Settings > Sync
• iOS: Settings > General > VPN & Device Management > [Management Profile] > More Details > Update Settings

After deployment, monitor the Wi-Fi profile status to ensure successful distribution and identify any connection issues. Intune provides detailed reporting on profile deployment success and failures.

Navigate to Devices > Configuration and click on your Wi-Fi profile name. The overview page shows deployment statistics:

• Succeeded: Devices that successfully received and applied the profile
• Error: Devices that encountered errors during deployment
• Conflict: Devices with conflicting policies
• Not applicable: Devices that don't match the assignment criteria

Click Device status to see per-device details. For failed deployments, common error codes include:

• 0x87D1FDE8: Certificate not found (enterprise profiles)
• 0x80073CF9: Invalid SSID or security settings
• 0x87D13B8F: User rejected the profile installation

Troubleshooting steps for common issues:

Certificate-related failures:

# Check certificate deployment on Windows device
Get-ChildItem -Path Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\CurrentUser\My

SSID connectivity issues:

• Verify the SSID is broadcasting and in range
• Check if the device can see the network manually
• Confirm security settings match the wireless infrastructure