Introduction

This guide helps you understand and troubleshoot Wi-Fi profile issues that you may encounter when you use Microsoft Intune.

This article is divided into the following sections:

The examples in this guide use SCEP certificate authentication for these profiles and assume that the Trusted Root and SCEP profiles work correctly on the device. In the examples, the Trusted Root and SCEP profiles are named as follows.

Android

iOS

Windows

Trusted Root Profile

AndroidRoot

iOSRoot

WindowsRoot2

SCEP profile

AndroidSCEP

iOSSCEP

WindowsSCEP2

Overview of Wi-Fi profiles

Wi-Fi is a wireless network that's used by many mobile devices to get network access. Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is called a profile. It can be assigned to different users and groups. After the profile is assigned, your users get access your organization's Wi-Fi network without configuring it themselves.

For example, you install a new Wi-Fi network that is named Contoso Wi-Fi. Then, you want to set up all iOS devices to connect to this network. This process includes the following steps:

  1. You create a Wi-Fi profile that includes the settings that connect to the Contoso Wi-Fi wireless network.

  2. You assign the profile to a group that includes all users of iOS devices.

  3. Users find the new Contoso Wi-Fi network in the list of wireless networks on their device. They can then connect to the network by using the authentication method of your choice.

Wi-Fi profiles support the following device platforms and versions:

  • Android 4 and later

  • Android Enterprise and kiosk

  • iOS 8.0 and later

  • macOS X 10.11 and newer

  • Windows 10 and later, Windows 10 Mobile, and Windows Holographic for Business

Creating Wi-Fi profiles

To create a Wi-Fi profile, follow the steps in the "Create a device profile" section of the following Microsoft Docs article:

Add and use Wi-Fi settings on your devices in Microsoft Intune

The Properties screen on the supported platforms resembles the following examples.

Android Wifi

iOS Wifi

Windows Wifi

Assigning Wi-Fi profiles

After you create the Wi-Fi profile, assign the profile to selected groups.

See the following Assignments screen examples.

Android Wifi

iOS Wifi

Windows Wifi

What successful Wi-Fi profiles look like on your device

The following is an example of Nokia 6.1 device. In this example, you must install the Trusted Root and SCEP profiles before the Wi-Fi profile can be installed on the device.

  1. You receive a notification to install the Trusted Root certificate profile.

    Trusted root

    Trusted root

  2. You receive a notification to install the SCEP certificate profile.

    SCEP

    SCEP

    Note If you use a device administrator-managed Android device, there may be multiple certificates. This is because the certificates aren’t revoked or removed when a certificate profile is changed or removed. In this case, select the latest certificate. Usually, this is the last one in the list of certificates.

    This situation doesn’t occur on Android Enterprise and Samsung Knox devices. For more information, see Manage Android work profile devices with Intune and Remove SCEP and PKCS certificates in Microsoft Intune.

  3. You receive a notification to install the Wi-Fi profile.

    Wifi

  4. The Wi-Fi connection is successfully created.

    Wifi

After the Wi-Fi profile is installed on the device, you can see it in the Management Profile screen.

Management profile

Wifi profile

Wifi profile

After the Wi-Fi profile is installed on the device, go to Settings > Accounts > Access work or school, select your work or school account, and then select Info.

Info

You can see WiFi under the Areas managed by Microsoft.

Managed areas

The Wi-Fi profile is listed under Settings > Network & Internet  > Wi-Fi.

WiFi

Entries in Company Portal logs of successful Wi-Fi profile deployment

On an Android device, the Omadmlog.log file logs detail activities of the Wi-Fi profile when it's processed on the device. Depending on how long the Company Portal app has been installed, you may have up to five Omadmlog log files. You can use the timestamp of the last sync to help find the related entries.

The following example uses CMTrace to read the logs and uses “wifimgr” as the search string filter.

CMTrace

The following sample log snippet shows a successful processing of the Wi-Fi profile:

2019-08-01T19:22:46.7340000    VERB    com.microsoft.omadm.platforms.android.wifimgr.WifiProfile    15118    04142    Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.7490000    VERB    com.microsoft.omadm.platforms.android.wifimgr.OneX    15118    04142    Starting to parse OneX from Wifi XML.
2019-08-01T19:22:46.8100000    VERB    com.microsoft.omadm.platforms.android.wifimgr.OneX    15118    04142    Completed parsing OneX from Wifi XML.
2019-08-01T19:22:46.8209999    VERB    com.microsoft.omadm.platforms.android.wifimgr.WifiProfile    15118    04142    Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.8240000    INFO    com.microsoft.omadm.utils.CertificateSelector    15118    04142    Selected ca certificate with alias: 'user:205xxxxx.0' and thumbprint '<thumbprint>'.
2019-08-01T19:22:47.0990000    VERB    com.microsoft.omadm.platforms.android.certmgr.CertificateChainBuilder    15118    04142    Complete certificate chain built with Complete certs.
2019-08-01T19:22:47.1010000    VERB    com.microsoft.omadm.utils.CertUtils    15118    04142    1 cert(s) matched criteria: User<ID>[i:<ID>,17CECEA1D337FAA7D167AD83A8CC7A8FCBF9xxxx;eku:1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2]
2019-08-01T19:22:47.1090000    VERB    com.microsoft.omadm.utils.CertUtils    15118    04142    0 cert(s) excluded by criteria:
2019-08-01T19:22:47.1110000    INFO    com.microsoft.omadm.utils.CertificateSelector    15118    04142    Selected client cert with alias 'User<ID>' and requestId 'ModelName=<ModelName>%2FLogicalName_<LogicalName>;Hash=-912418295'.
2019-08-01T19:22:47.4120000    VERB    com.microsoft.omadm.Services    15118    04142    Successfully applied, enabled and saved wifi profile '<profile ID>'
2019-08-01T19:22:47.4240000    VERB    com.microsoft.omadm.platforms.android.wifimgr.OneX    15118    04142    Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.4910000    VERB    com.microsoft.omadm.platforms.android.wifimgr.OneX    15118    04142    Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.4970000    VERB    com.microsoft.omadm.platforms.android.wifimgr.WifiProfile    15118    04142    Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5080000    VERB    com.microsoft.omadm.platforms.android.wifimgr.OneX    15118    04142    Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.5820000    VERB    com.microsoft.omadm.platforms.android.wifimgr.OneX    15118    04142    Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.5900000    VERB    com.microsoft.omadm.platforms.android.wifimgr.WifiProfile    15118    04142    Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5910000    INFO    com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager    15118    04142    Applied profile <profile ID>

On an iOS device, the Company Portal log doesn't contain any information about Wi-Fi profiles. To see details about the installation of the Wi-Fi profiles, examine the Console and Device logs. To do this, follow these steps:

  1. Connect the iOS device to Mac, and then go to Applications > Utilities to open the Console app. 

    Console

  2. Under Action, select Include Info Messages and Include Debug Messages.

    Include messages

  3. After the problem is reproduced, save the logs to a text file. To do this, select Edit > Select All to select all the messages on the current screen, and then select Edit > Copy to copy the messages to the clipboard. Next, open the TextEdit application, paste the copied logs into a new text file, and then save the file.

You can search the file that has the Wi-Fi profile name to view detailed information.

Sample log snippet:

Line 390870: debug    11:19:58.994815 -0400    profiled    Adding dependent www.windowsintune.com.wifi.Contoso to parent Microsoft.Profiles.MDM in domain ManagingProfileToManagedProfile to system\
Line 390872: debug    11:19:58.995210 -0400    profiled    Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.wifi.Contoso in domain ManagedProfileToManagingProfile to system\
Line 392346: default    11:19:59.360460 -0400    profiled    Profile \'93www.windowsintune.com.wifi.Contoso\'94 installed.\

On a Windows device, the details about Wi-Fi profiles are logged in the following location in Event Viewer:

  • Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin

Note You must select the Show Analytic and Debug Logs option in Event Viewer to see these logs.

Sample log snippet:

Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date:          8/7/2019 8:01:41 PM
Event ID:      1506
Task Category: (1)
Level:         Information
Keywords:      (2)
User:          SYSTEM
Computer:      <Computer Name>
Description:
WiFiConfigurationServiceProvider: Node set value, type: (0x4), Result: (The operation completed successfully.).

Troubleshooting common issues

Issue 1: The Wi-Fi profile isn't deployed to the device

  • Verify that the Wi-Fi profile is assigned to the correct group.

    In the Intune portal, go to Device configuration > Profiles, select Assignments, and then examine the selected groups.

    Android Wifi

    Also review the Assignments information in the Troubleshoot pane.

    Troubleshoot pane

  • Verify that the device can sync with Intune by checking the Last Check In time in the Troubleshoot pane.

  • If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, verify that both profiles have been deployed to the device. The Wi-Fi profile has a dependency on these profiles.


    If the Trusted Root and SCEP profiles aren't installed on the device, you will see the following entry in the Company Portal Omadmlog file:

    2019-08-01T19:18:13.5120000    INFO    com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager    15118    04105    Skipping Wifi profile <profile ID> because it is pending certificates.

    Note There is a scenario in which the Trusted Root and SCEP profiles are on the device and compliant but the Wi-Fi profile is still not on the device. This situation occurs when the CertificateSelector provider from the Company Portal app doesn't find a certificate that matches the specified criteria. The specific criteria can be on the Certificate Template or in the SCEP profile. If a matching certificate isn't found, the certificates on the device will be excluded. This will cause the Wi-Fi profile to be skipped because it doesn’t have the correct certificate. In this scenario, you see the following entry in the Company Portal Omadmlog file:

     Skipping Wifi profile <profile ID> because it is pending certificates.

    The following is a sample log snippet in which certificates are excluded because the Any Purpose Extended Key Usage
     (EKU) criteria was specified but the certificates that are assigned to the device don’t have that EKU:

    2018-11-27T21:10:37.6390000    VERB     com.microsoft.omadm.utils.CertUtils      14210    00948    Excluding cert with alias User<ID1> and requestId <requestID1> as it does not have any purpose EKU.
    2018-11-27T21:10:37.6400000    VERB     com.microsoft.omadm.utils.CertUtils      14210    00948    Excluding cert with alias User<ID2> and requestId <requestID2> as it does not have any purpose EKU.
    2018-11-27T21:10:37.6400000    VERB     com.microsoft.omadm.utils.CertUtils      14210    00948    0 cert(s) matched criteria:
    2018-11-27T21:10:37.6400000    VERB     com.microsoft.omadm.utils.CertUtils      14210    00948    2 cert(s) excluded by criteria:
    2018-11-27T21:10:37.6400000    INFO       com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager       14210                00948     Skipping Wifi profile <profile ID> because it is pending certificates.

    In this example, the SCEP profile has the option of Any Purpose EKU specified, but it is not specified in the Certificate Template on the certificate authority (CA). To fix the issue, add the Any Purpose option to the certificate template, or remove the Any Purpose option from the SCEP profile.

    Certificate template

    SCEP profile

  • Verify that all required certificates in the complete certificate chain are on the device. Otherwise, the Wi-Fi profile can't be installed on the device. For more information, see Missing intermediate certificate authority.

  • Filter Omadmlog with keyword to look for useful information, such as what certificate is used for the Wi-Fi profile and whether it was applied or not.

    For example, you can use CMTrace to read the logs and use the search string filter of “wifimgr”.

    CMTrace

    Sample log snippet:

    Log

    If you see an error in the log, copy the time stamp of the error and un-filter the log.  Then use the “find” option with the time stamp to see what happened right before the error occurred.

  • Verify that the Wi-Fi profile is assigned to the correct group.

    In the Intune portal, go to Device configuration > Profiles, select the profile > Assignments, verify the selected groups.

    iOS Wifi

    Also review the Assignments information in the Troubleshoot pane.

    Troubleshoot pane

  • Verify that the device can sync with Intune by checking the Last Check In time in the Troubleshoot pane.

  • If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, verify that both profiles have been deployed to the device. The Wi-Fi profile has a dependency on these profiles.

  • Verify that the Wi-Fi profile is assigned to the correct group.

    In the Intune portal, go to Device configuration > Profiles, select the profile > Assignments, verify the selected groups.

    Windows Wifi

    Also review the Assignments information in the Troubleshoot pane.

    Troubleshoot pane

  • Verify that the device can sync with Intune by checking the Last Check In time in the Troubleshoot pane.

  • If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, verify that both profiles have been deployed to the device. The Wi-Fi profile has a dependency on these profiles.

  • Examine the MDM Diagnostic Information log from Windows 10 devices.

    To do this, download the MDM Diagnostic Information log. Then, open File Explorer, and navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.

    MDM log

    MDM log

    MDM log

    WiFi profile

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×