Intune integration
Pull Intune device compliance into Arbiter auth policies, and have Arbiter issue 802.1X device certificates to every Intune-managed Windows machine automatically. No NDES, no AD Certificate Services, no on-prem certificate connector. The same Azure AD app powers both halves.
What this gives you
By the end of this guide every device in your Intune fleet will silently enrol a device certificate from your Arbiter tenant root, then use that certificate to authenticate against corporate Wi-Fi and any 802.1X-protected wired port. Arbiter never holds the private keys: each device generates its own keypair locally and only the signed certificate crosses the wire.
Two distinct features come out of this single integration:
- Device compliance signals in auth policy. Arbiter polls Intune every sync interval and exposes per-device fields like
mdm_compliant,mdm_managed,mdm_os_versionandmdm_owner. You can write an auth policy that says "only permit if Intune-managed and compliant" and have it apply the moment a non-compliant device tries to authenticate. - Cloud-native certificate distribution. Arbiter acts as the SCEP server for your tenant. Intune validates each enrolment request with Microsoft, then Arbiter signs the certificate under your per-tenant root and the device installs it without anyone touching a server. The trust anchor is the same root Arbiter is already using to sign your RADIUS server certificate, so EAP-TLS just works.
Before you start
- An Arbiter tenant with the Edge appliance online (or RadSec wired into your switches some other way). If you have not done that yet, follow the Edge appliance guide first.
- Your tenant shortname. Several steps below embed it (the SCEP URL and the RADIUS hostnames). Find it as the segment in your portal URL,
app.arbiter.ie/portal/<shortname>/..., or in your Arbiter onboarding email. Wherever a step shows<your-tenant-shortname>, substitute this value. - Global Administrator or Privileged Role Administrator rights on your Microsoft Entra ID tenant (needed to grant admin consent to the app permissions).
- Intune Administrator rights (needed to push the configuration profiles).
- An Intune licence assigned to at least one test user. Microsoft 365 Business Premium, Microsoft 365 E3/E5 and the Intune standalone SKU all include it.
- One test device joined to your Microsoft Entra ID tenant (Settings -> Accounts -> Access work or school -> Join this device to Microsoft Entra ID). The device should show up under Intune -> Devices -> All devices with MDM: Microsoft Intune.
Register an Azure AD app
Arbiter calls Microsoft on your behalf in two places: it pulls device compliance from Microsoft Graph, and it validates SCEP challenges via the Intune SCEP validation API. Both calls use the same Azure AD application identity, so we only need to register it once.
In the Microsoft Entra admin centre go to Applications -> App registrations -> New registration.
- Name: Arbiter NAC (Intune sync + SCEP)
- Supported account types: Accounts in this organisational directory only
- Redirect URI: leave blank (this is a confidential client, not an interactive sign-in app)
Click Register. You will land on the app's Overview page. Copy these two values somewhere safe, you will paste them into Arbiter in step 3:
- Application (client) ID
- Directory (tenant) ID
Grant API permissions
On the app's left nav choose API permissions -> Add a permission. Add all three of the following as Application permissions (not Delegated):
| API | Permission | What it lets Arbiter do |
|---|---|---|
| Microsoft Graph | DeviceManagementManagedDevices.Read.All | Read device compliance and inventory for the MDM sync |
| Microsoft Graph | Application.Read.All | Discover the Intune SCEP validation service endpoint |
| Microsoft Intune | scep_challenge_provider | Validate SCEP enrolment challenges with Microsoft |
Once all three are listed, click Grant admin consent for [your tenant] at the top of the permissions table. Every row should flip to a green tick under Status.
Create a client secret and wire it into Arbiter
Still inside the app, choose Certificates & secrets -> Client secrets -> New client secret.
- Description: Arbiter NAC
- Expires: 24 months (or per your secret rotation policy)
Click Add. Copy the Value column immediately, before you navigate away. Microsoft only shows it once. If you lose it, create another secret, you cannot recover the original.
Now in Arbiter go to Settings -> MDM Integrations -> Intune. Tick Enable intune and fill in:
- Sync every: 60 minutes (the default is fine, anything from 5 to 1440 works)
- Azure AD tenant ID: the Directory (tenant) ID from step 1
- App client ID: the Application (client) ID from step 1
- App client secret: the secret Value you just copied
Click Test connection. A green "Connection OK: fetched N managed endpoints" banner means the MDM sync half is working. Click Save.
The first full sync runs in the background within a couple of minutes. The Sync log on the same page shows progress. From this point on you can already write auth policies that key on mdm_compliant or mdm_managed. The SCEP half needs the next few steps before it is usable.
Download your tenant root CA
Intune-managed devices need to trust the RADIUS server certificate that FreeRADIUS presents during EAP-TLS. That certificate is signed by your per-tenant Arbiter root, so we need a copy of the root in a format Intune will accept.
In the portal open Certificate Management (under Administration in the sidebar), find the Arbiter root certificate card and click Download root.pem. Rename the downloaded file from root.pem to root.cer. Intune accepts both PEM and DER encoding, it only cares that the extension is .cer or .crt, not .pem. Hang on to this file, you will upload it in the next step.
If you would rather verify the fingerprint end to end, or you are working from a headless box, pull the same root over SCEP with curl and OpenSSL:
curl -s 'https://scep.arbiter.ie/scep/<your-tenant-shortname>?operation=GetCACert' \
-o arbiter-root.cer
openssl x509 -inform DER -in arbiter-root.cer -noout -subject -fingerprint -sha256The subject should look like CN=<shortname>-root, O=Arbiter Tenant N, OU=Arbiter PKI. The SHA-256 fingerprint OpenSSL prints should match the one shown on the Arbiter root certificate card in the portal, confirming the root you are about to trust is the one your RADIUS server actually presents.
Push the root CA to devices (Trusted Certificate profile)
In the Intune admin centre go to Devices -> Configuration -> + Create -> + New policy:
- Platform: Windows 10 and later
- Profile type: Templates
- Choose Trusted certificate -> Create
Fill in:
| Field | Value |
|---|---|
| Name | Arbiter root CA |
| Certificate file (.cer) | Upload arbiter-root.cer from step 4 |
| Destination store | Computer certificate store - Root |
On the Assignments tab, target a test group that contains your test device. All devices works for the initial rollout. Skip Applicability rules, review and create.
Trigger certificate enrolment (SCEP Certificate profile)
This is the profile that does the actual cert issuance. It tells every assigned device to generate a keypair locally, send a CSR to Arbiter, then install the signed certificate. Same Configuration page, + Create -> + New policy, Windows 10 and later, Templates, this time SCEP certificate.
| Field | Value |
|---|---|
| Name | Arbiter device certificate |
| Certificate type | Device |
| Subject name format | CN={{AAD_Device_ID}} |
| Subject alternative name | (leave empty) |
| Certificate validity period | 1 Years |
| Key storage provider (KSP) | Enroll to Software KSP |
| Key usage | Digital signature + Key encipherment |
| Key size (bits) | 2048 |
| Hash algorithm | SHA-2 |
| Root Certificate | + Root Certificate -> pick the Arbiter root CA profile from step 5 |
| Extended key usage | Client Authentication ( 1.3.6.1.5.5.7.3.2) |
| Renewal threshold (%) | 20 |
| SCEP Server URLs | https://scep.arbiter.ie/scep/<your-tenant-shortname> |
Assign to the same test group as the Trusted Cert profile and create.
Auto-connect to corporate Wi-Fi (Wi-Fi profile)
The third profile points devices at your SSID and tells them to authenticate with the certificate the SCEP profile just installed. Same wizard, Templates, this time Wi-Fi.
| Field | Value |
|---|---|
| Name | Arbiter Corp Wi-Fi |
| Wi-Fi type | Enterprise |
| Wi-Fi name (SSID) | Your corporate SSID |
| Connect automatically when in range | Yes |
| Wireless security type | WPA/WPA2-Enterprise |
| EAP type | EAP-TLS |
| Authentication Mode | Machine |
| Certificate server names | radius.<your-tenant-shortname>.arbiter.ie |
| Root certificates for server validation | + Add -> Arbiter root CA (the Trusted Cert profile) |
| Authentication method | SCEP certificate |
| Client certificate for client authentication | + Add -> Arbiter device certificate (the SCEP profile) |
Assign to the same test group and create.
Auto-authenticate on wired ports (optional)
Only relevant if you have 802.1X switched ports for laptops. Same wizard, Templates, this time Wired networks. The fields mirror the Wi-Fi profile minus the SSID:
| Field | Value |
|---|---|
| Name | Arbiter Corp Wired |
| Authentication Mode | Machine |
| EAP type | EAP-TLS |
| Certificate server names | radius.<your-tenant-shortname>.arbiter.ie |
| Root certificates for server validation | Arbiter root CA |
| Authentication method | SCEP certificate |
| Client certificate | Arbiter device certificate |
Fix it with a one-shot Platform Script. In Intune go to Devices -> Scripts and remediations -> Platform scripts -> + Add -> Windows. Save the following as enable-dot3svc.ps1 and upload it:
# Enable Wired AutoConfig (dot3svc) for Intune wired EAP-TLS profiles.
# Idempotent. Safe to run on every device.
try {
$svc = Get-Service -Name dot3svc -ErrorAction Stop
if ($svc.StartType -ne 'Automatic') {
Set-Service -Name dot3svc -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
Start-Service -Name dot3svc
}
Write-Output "dot3svc OK"
exit 0
} catch {
Write-Error "Failed to configure dot3svc: $_"
exit 1
}- Run script using logged on credentials: No (the script needs SYSTEM context to change a service start type)
- Enforce script signature check: No
- Run script in 64-bit PowerShell host: Yes
Assign to the same group as the four profiles.
Verify on a test device
Pick one Intune-managed Windows device. In the Intune admin centre go to Devices -> All devices, click the device, then Sync at the top of its detail page. That tells the device to check in immediately instead of waiting for its next scheduled poll, which can be up to eight hours away.
You can also force the check-in from the device itself, which is handy whenever you change a profile and want it applied now rather than waiting on the portal Sync to propagate. In an elevated PowerShell:
# Force an immediate MDM check-in: pull policy changes now,
# instead of waiting for the scheduled poll (up to 8 hours away).
Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\*" -TaskName "Schedule to run OMADMClient by client","Schedule to run OMADMClient by server" |
Start-ScheduledTask
# Confirm the check-in: want LastTaskResult 0 and a LastRunTime of just now.
Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\*" -TaskName "Schedule to run OMADMClient by client" |
Get-ScheduledTaskInfo |
Select-Object TaskName, LastRunTime, LastTaskResultA LastTaskResult of 0 with a LastRunTime of just now means the device checked in. If two rows come back, a device that was enrolled before will carry an orphaned task that returns a non-zero error (2147942402 is "file not found"), the row returning 0 is the live enrolment.
Give it three to five minutes. Then on the device, open PowerShell and run the following, replacing <shortname> with your tenant shortname:
# On a freshly synced laptop, confirm the cert and provider.
$t = (Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Issuer -match '<shortname>-root' }).Thumbprint
certutil -store My $t | findstr /C:"Provider"
# Expect: Provider = Microsoft Software Key Storage ProviderYou should see a single certificate in Cert:\LocalMachine\My with an issuer matching your tenant root, and the Provider line should read Microsoft Software Key Storage Provider. If Provider says Microsoft Platform Crypto Provider instead, the SCEP profile is still set to TPM. Go back to step 6, change to Software KSP, delete the existing cert and trigger another sync.
The device should now auto-connect to the corporate SSID and, if plugged into an 802.1X port, auto-authenticate on wired too. In the Arbiter portal go to Auth Log and you should see a Permit with:
- Method: DOT1X
- EAP Type: TLS
- Common Name: the device's AAD Device ID (a GUID, matching {{AAD_Device_ID}} from the SCEP profile's Subject name format)
- Issuer: your tenant root
Troubleshooting
The Sync log says "auth_failure"
The Test connection button shows the same. Almost always means the Azure AD app permissions are not granted, or the client secret has expired or was typed wrong. Re-check that all three permissions from step 2 show a green tick under Status in the Entra portal. If you have rotated the secret recently, the old value is invalidated immediately, paste the new one and save.
The cert never appears on the device
Check that the device is actually Intune-managed, not just Entra-registered. In Entra -> Devices -> All devices the row should show Join type: Microsoft Entra joined (not "registered") and MDM: Microsoft Intune (not blank). A BYOD-registered device cannot receive Configuration profiles.
If the join type is correct, look at the Windows MDM event log for SCEP errors:
Get-WinEvent -LogName \
"Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" \
-MaxEvents 20 |
Where-Object {$_.Id -in 32,53,306,307,309} |
Format-List TimeCreated, Id, MessageEvent ID 53 means the cert installed successfully. Event ID 32 means it failed and the message tells you why.
The cert is on the device but Wi-Fi or wired auth fails
Run the verify command from step 9 and confirm the provider line reads Microsoft Software Key Storage Provider. If it says Microsoft Platform Crypto Provider, the SCEP profile is still set to TPM. Update the profile, then on the laptop:
# Delete every Arbiter-issued cert and force re-enrolment
Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Issuer -match '<your tenant>-root' } |
ForEach-Object {
Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -DeleteKey -Force
}
Get-ScheduledTask -TaskName "*EnterpriseMgmt*" | Start-ScheduledTaskWired profile silently does nothing
Check the Wired AutoConfig service. From an elevated PowerShell:
Get-Service dot3svcIf it is Stopped or set to Manual, the Platform Script from step 8 has not run. Verify the script is assigned to the device, and sync again. Once the script reports success, the wired profile will land on the next sync.
Need a hand
Email support@arbiter.ie with the device hostname, the Intune device ID and the auth log entry (if it got that far). We can usually pinpoint the issue from the reject_reason in our SCEP audit table.
Where to go next
- Write an auth policy that gates access on compliance: in the Arbiter portal go to Policies -> Auth policies -> + New and add a condition
mdm_compliant equals true. Any device flagged non-compliant by Intune will drop to Default Deny within one sync cycle. - Pair the cloud PKI with SIEM forwarding so every cert issuance lands in your security data lake alongside the auth logs.
- Onboard the rest of your switches and APs via the network device guides.