Intune-Windows

Configure Intune for Initial Setup

Please refer the Intune for Initial Setup documentation to configure Intune initially.

Create Configuration profiles

In the Endpoint manager, now go to devices → configuration profiles

  1. Create a new profile for Windows 10 using the Trusted certificate template. Upload the Foxpass Client CA cert in the client profile. (The CA can be downloaded by clicking 'Download CA', which is located under 'Client Server Authorities' on the EAP-TLS)). Please refer to the image below for the Client CA download location.
Client CA

Foxpass Client CA

Foxpass Client CA profile

Foxpass Client CA profile

  1. Create a new profile for Windows 10 using the Trusted certificate template. Upload the Foxpass Server CA cert in the server profile. (The CA can be downloaded by clicking the 'Download CA' button in the active CA section, which is located under 'Server Certificate Authorities' on the EAP-TLS. Please refer to the image below for the Server CA download location.
Foxpass Server CA

Foxpass Server CA

Foxpass Server CA Profile

Foxpass Server CA Profile

  1. Create another new profile for Windows 10 using the SCEP certificate template . You can create a profile with either the "User" or "Device" certificate type, depending on your specific use case and requirements.

Option 1: Certificate type - User

🚧

You need to make sure that every user has an EmailAddress set in their Azure User Profile. If not, SCEP the profiles will not install.

  • Name: Foxpass SCEP
  • Certificate type: User
  • Subject name format: CN={{UserName}},E={{EmailAddress}}
  • Subject alternative name: Add 1 attribute:
    • Email address as {{EmailAddress}}
  • Certificate Validity period: Years = 1
  • Key storage provider: Enroll to software KSP
  • Key usage: Digital Signature
  • Key size: 2048
  • Hash algorithm: SHA2
  • Root certificate: Select cert from Foxpass Client CA from first item in this section
  • Extended key usage:
  • Add both
    • Any Purpose (2.5.29.37.0)* (optional)
    • Client Authentication (1.3.6.1.5.5.7.3.2)*
  • Renewal threshold (%): 10
  • SCEP server URL: Foxpass SCEP endpoint from the SCEP page
Foxpass SCEP Profile

Sample Foxpass SCEP Profile - User Certificate type

Option 2: Certificate type - Device

  • Name: Foxpass SCEP
  • Certificate type: Device
  • CN={{AAD_Device_ID}}
  • Subject Alternative Name: Leave it empty.
  • Certificate Validity period: Years = 1
  • Key storage provider: Enroll to software KSP
  • Key usage: Digital Signature
  • Key size: 2048
  • Hash algorithm: SHA2
  • Root certificate: Select cert from Foxpass Client CA from first item in this section
  • Extended key usage:
  • Add both
    • Any Purpose (2.5.29.37.0)* (optional)
    • Client Authentication (1.3.6.1.5.5.7.3.2)*
  • Renewal threshold (%): 10
  • SCEP server URL: Foxpass SCEP endpoint from the SCEP page
Sample Foxpass SCEP Profile - Device Certificate

Sample Foxpass SCEP Profile - Device Certificate type

  1. Create a new Wi-Fi profile with these settings:
  • Name: Foxpass Wi-Fi
  • Network name: (Your SSID)
  • Connect automatically: (your choice)
  • Hidden network: Disable
  • Security Type: WPA/WPA2 Enterprise
  • Proxy settings: None
  • EAP-Type: EAP-TLS
  • Root certificates for server validation: (Choose Foxpass Server CA uploaded previously in this step)
  • Certificates: Foxpass SCEP

3. Now, test

Test by enrolling a sample Windows 10 device: Open settings → Access work or school → Enroll device MDM → Enter your company email and proceed to login to Azure. This will kick off the enrollment process that takes a little while.

If all goes well, you will now be able to see your device enrolled in Intune and the Foxpass Console's EAP-TLS.

Windows connected to Foxpass MDM

Windows connected to Foxpass MDM

Foxpass SCEP - Intune

Client Certificate - Intune

You can see Foxpass Client CA and Server CA in "Certificates" under "Trusted Root Certificate Authorities" on your Windows machine.

Client CA and Server CA in Windows

Client CA and Server CA in Windows

You can view your Client certificate in "Certificates" under "Personal" category.

Client certificate

Client certificate

You can also see successful/unsuccessful logs on the RADIUS logs page.

RADIUS logs page

RADIUS logs page