- Use a custom device profile to create a WiFi profile with a preshared key in Intune
- Before you begin
- Create a custom profile
- Android or Windows Wi-Fi profile example
- What you need to know
- Example
- EAP-based Wi-Fi profile example
- Create the XML file from an existing Wi-Fi connection
- Best practices
- Next steps
- Wifi one key setting
Use a custom device profile to create a WiFi profile with a preshared key in Intune
Pre-shared keys (PSK) are typically used to authenticate users in WiFi networks, or wireless LANs. With Intune, you can create a WiFi profile using a preshared key. To create the profile, use the Custom device profiles feature within Intune. This article also includes some examples of how to create an EAP-based Wi-Fi profile.
- Android device administrator
- Android Enterprise personally owned devices with a work profile
- Windows
- EAP-based Wi-Fi
- Using a pre-shared key with Windows 10/11 causes a remediation error to show in Intune. When this happens, the Wi-Fi profile is properly assigned to the device, and the profile does work as expected.
- If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is protected. The key is in plain text. It’s your responsibility to protect the key.
Before you begin
- It may be easier to copy the code from a computer that connects to that network, as described in Create the XML file from an existing Wi-Fi connection (in this article).
- You can add multiple networks and keys by adding more OMA-URI settings.
- For iOS/iPadOS, use Apple Configurator on a Mac station to set up the profile.
- PSK requires a string of 64 hexadecimal digits, or a passphrase of 8 to 63 printable ASCII characters. Some characters, such as asterisk ( * ), aren’t supported.
Create a custom profile
- Sign in to the Microsoft Intune admin center.
- Select Devices > Configuration profiles > Create profile.
- Enter the following properties:
- Platform: Choose your platform.
- Profile: Select Custom. Or, select Templates > Custom.
- Select Create.
- In Basics, enter the following properties:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Custom OMA-URI Wi-Fi profile for Android DA.
- Description: Enter a description for the profile. This setting is optional, but recommended.
- Select Next.
- In Configuration settings, select Add. Enter a new OMA-URI setting with the following properties:
- Name: Enter a name for the OMA-URI setting.
- Description: Enter a description for the OMA-URI setting. This setting is optional, but recommended.
- OMA-URI: Enter one of the following options:
- For Android: ./Vendor/MSFT/WiFi/Profile/SSID/Settings
- For Windows: ./Vendor/MSFT/WiFi/Profile/SSID/WlanXml
- Be sure to include the dot character at the beginning.
- If the SSID has a space, then add an escape space %20.
SSID is the SSID for which you’re creating the policy. For example, if the Wi-Fi is named Hotspot-1, enter ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings. If the Wi-Fi is named Contoso WiFi, enter ./Vendor/MSFT/WiFi/Profile/Contoso%20WiFi/Settings (with the %20 escape space).
The next time each device checks in, the policy is applied, and a Wi-Fi profile is created on the device. The device can then connect to the network automatically.
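The PSK format rule from Before you begin and the OMA-URI rules in the steps above can be checked before the profile is created. The following is an added example, not Microsoft's code; the function names are hypothetical and the sample values are constructed.

```python
import re

# OMA-URI suffix per platform, as listed in the steps above.
SUFFIX = {"android": "Settings", "windows": "WlanXml"}

def check_psk(psk: str) -> str:
    """Classify a pre-shared key as 'hex' or 'passphrase', or raise ValueError."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", psk):
        return "hex"
    if not 8 <= len(psk) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters (or 64 hex digits)")
    bad = sorted({c for c in psk if not " " <= c <= "~"})
    if bad:
        raise ValueError(f"non-printable or non-ASCII characters: {bad!r}")
    if "*" in psk:
        raise ValueError("asterisk is listed as unsupported")
    return "passphrase"

def oma_uri(ssid: str, platform: str) -> str:
    """Build the OMA-URI: leading dot kept, spaces in the SSID written as %20."""
    # Only the space escape is documented on this page, so only spaces are replaced.
    escaped = ssid.replace(" ", "%20")
    return f"./Vendor/MSFT/WiFi/Profile/{escaped}/{SUFFIX[platform.lower()]}"

def ssid_hex(ssid: str) -> str:
    """Hexadecimal form of the SSID, e.g. 'SSID' -> '53534944'."""
    return ssid.encode("utf-8").hex().upper()

def plan_setting(ssid: str, psk: str, platform: str) -> dict:
    """Validate the inputs and return the values to enter for one OMA-URI setting."""
    return {
        "oma_uri": oma_uri(ssid, platform),
        "ssid_hex": ssid_hex(ssid),
        "key_kind": check_psk(psk),
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(plan_setting("Contoso WiFi", "constructed-sample-passphrase", "android"))
```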
Android or Windows Wi-Fi profile example
The following example includes the XML code for an Android or Windows Wi-Fi profile. The example is provided to show proper format and provide more details. It’s only an example, and isn’t intended as a recommended configuration for your environment.
What you need to know
- false must be set to false. When true, it could cause the device to expect an encrypted password, and then try to decrypt it, which may result in a failed connection.
- 53534944 should be set to the hexadecimal value of . Windows 10/11 devices may return a false x87D1FDE8 Remediation failed error, but the device still contains the profile.
- XML has special characters, such as the & (ampersand). Using special characters may prevent the XML from working as expected.
Example
53534944 = The hexadecimal value of
= Name of profile shown to users. For example, enter ContosoWiFi.
= Plain text of SSID. Does not need to be escaped. It could be Your Company's Network.
= Type of authentication used by the network, such as WPA2PSK.
= Type of encryption used by the network, such as AES.
false do not change this value, as true could cause device to expect an encrypted password and then try to decrypt it, which may result in a failed connection.
= Plain text of the password to connect to the network
53534944 false ESS auto false false passPhrase false password 0
EAP-based Wi-Fi profile example
The following example includes the XML code for an EAP-based Wi-Fi profile: The example is provided to show proper format and provide more details. It’s only an example, and isn’t intended as a recommended configuration for your environment.
testcert 7465737463657274 testcert true ESS auto false WPA2 AES true false disabled false user 13 0 0 0 13 true false false false false true 75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78 Client Authentication 1.3.6.1.5.5.7.3.2 Client Authentication
Create the XML file from an existing Wi-Fi connection
You can also create an XML file from an existing Wi-Fi connection. On a Windows computer, use the following steps:
- Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.
- Open up a command prompt as an administrator (right-click cmd > Run as administrator).
- Run netsh wlan show profiles. The names of all the profiles are listed.
- Run netsh wlan export profile name="YourProfileName" folder=c:\Wifi. This command creates a file named Wi-Fi-YourProfileName.xml in c:\Wifi.
- If you’re exporting a Wi-Fi profile that includes a preshared key, add key=clear to the command: netsh wlan export profile name="YourProfileName" key=clear folder=c:\Wifi. key=clear exports the key in plain text, which is required to successfully use the profile.
- If the exported Wi-Fi profile element includes a space, then it might return an ERROR CODE 0x87d101f4 ERROR DETAILS Syncml(500) error when assigned. When this issue happens, the profile is listed in \ProgramData\Microsoft\Wlansvc\Profiles\Interfaces, and shows as a known network. But, it doesn’t successfully display as managed policy in the "Areas managed by. " URI. To resolve this issue, remove the space.
After you have the XML file, copy and paste the XML syntax into OMA-URI settings > Data type. Create a custom profile (in this article) lists the steps.
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\ also includes all the profiles in XML format.
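Because a profile exported with key=clear holds the key in plain text, it helps to check each exported file before it is stored or pasted into the OMA-URI setting. The following is an added example, not Microsoft's code: the element names follow the Windows WLAN profile schema, while the sample profile, the function name and the finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profile; the key is a placeholder, not a real credential.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ContosoWiFi</name>
  <SSIDConfig><SSID><hex>436F6E746F736F57694669</hex><name>ContosoWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication>
      <encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>constructed-sample-passphrase</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_data) -> list:
    """Return finding codes for one WLAN profile (str or bytes); never echoes the key."""
    root = ET.fromstring(xml_data)
    findings = []

    # The hex value must be the hexadecimal form of the SSID name.
    name = root.findtext("w:SSIDConfig/w:SSID/w:name", "", NS)
    hexval = root.findtext("w:SSIDConfig/w:SSID/w:hex", "", NS).strip()
    if hexval and hexval.lower() != name.encode("utf-8").hex():
        findings.append("ssid-hex-mismatch")

    key = root.find(".//w:sharedKey", NS)
    if key is not None:
        protected = key.findtext("w:protected", "", NS).strip().lower()
        material = key.findtext("w:keyMaterial", "", NS).strip()
        if protected == "true":
            # The device may expect an encrypted key and fail to connect.
            findings.append("key-marked-protected")
        elif material:
            # Plain-text PSK on disk: restrict access to this file.
            findings.append("cleartext-key")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

Run it over every XML file in the export folder and treat any file that reports cleartext-key as a secret.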
Best practices
- Before you deploy a Wi-Fi profile with PSK, confirm that the device can connect to the endpoint directly.
- When rotating keys (passwords or passphrases), expect downtime and plan your deployments. Consider pushing new Wi-Fi profiles during non-working hours. Also, warn users that connectivity may be affected.
- For a smooth transition, be sure the end user’s device has an alternate connection to the Internet. For example, the end user can switch back to Guest WiFi (or some other WiFi network) or have cellular connectivity to communicate with Intune. The extra connection allows the user to receive policy updates when the corporate WiFi Profile is updated on the device.
Next steps
Be sure to assign the profile, and monitor its status.
Wifi one key setting
Check that your computer has a wireless network card, or an external device such as a 360 portable WiFi.
Copy the code below into a text document and change the file extension to .bat (batch file).
```bat
@echo off
cd /d C:\windows\system32
title Virtualize the wireless network card into a wireless AP
color 0A
:: The following are the default settings
set SSIDNAME=Virtual_AP
set PASSWORD=Virtual_PW

:SSTART
cls
echo Virtualize the wireless network card into a wireless AP
echo.
echo ==============================================
echo.
echo 1. Show wireless network interface
echo.
echo 2. Install and start virtual AP
echo.
echo 3. Start virtual AP
echo.
echo 4. Restart virtual AP
echo.
echo 5. Restart the wireless network (need to reset the virtual AP)
echo.
echo 6. Close the virtual AP
echo.
echo 7. Close and uninstall the virtual AP
echo.
echo Q. Exit the program
echo.
echo ==============================================
echo.
set type=
set /P type=Please select [1],[2],[3],[4],[5],[6],[7] or [Q]:
if /I "%type%"=="1" goto :showwlaninterface
if /I "%type%"=="2" goto :install
if /I "%type%"=="3" goto :start
if /I "%type%"=="4" goto :restart
if /I "%type%"=="5" goto :restartwlan
if /I "%type%"=="6" goto :stop
if /I "%type%"=="7" goto :uninstall
if /I "%type%"=="Q" goto :end
:: Any other input returns to the menu instead of falling through to option 1
goto :SSTART

:showwlaninterface
netsh wlan show drivers
echo Loading is complete! Press any key to return!
pause>nul
goto :SSTART

:install
set /P SSIDNAME=Please enter the wireless network name (SSID, the default is "%SSIDNAME%"):
set /P PASSWORD=Please enter the password (default is "%PASSWORD%"):
:: Quote the values so names and passwords containing spaces are passed intact
netsh wlan set hostednetwork mode=allow ssid="%SSIDNAME%" key="%PASSWORD%"
netsh wlan start hostednetwork
echo Setup is complete! Press any key to return!
pause>nul
goto :SSTART

:start
netsh wlan start hostednetwork
echo Setup is complete! Press any key to return!
pause>nul
goto :SSTART

:restart
netsh wlan stop hostednetwork
netsh wlan start hostednetwork
echo Setup is complete! Press any key to return!
pause>nul
goto :SSTART

:restartwlan
:: The name must match your adapter as listed by "netsh interface show interface"
netsh interface set interface name="Wireless Network Connection" admin=disabled
netsh interface set interface name="Wireless Network Connection" admin=enabled
echo Setup is complete! Press any key to return!
pause>nul
goto :SSTART

:stop
netsh wlan stop hostednetwork
echo Setup is complete! Press any key to return!
pause>nul
goto :SSTART

:uninstall
netsh wlan stop hostednetwork
netsh wlan set hostednetwork mode=disallow
echo Setup is complete! Press any key to return!
pause>nul
goto :SSTART

:end
exit
```
Note: If there is no network after the phone is connected
Open Network and Internet settings >
Click Network and Sharing Center
Click the current network > Select Properties > Sharing > Select local connection*12 > Click OK