How to Push Wi-Fi Profiles to Windows Devices via Intune

Published 17 March 2026

Pushing a Wi-Fi profile via Intune means devices automatically connect to your corporate Wi-Fi the first time they sign in - no manual password entry, no support calls from users who typed the wrong passphrase. This guide covers WPA2-Personal and WPA2-Enterprise (802.1X) profiles for Windows.

Contents
  1. WPA2-Personal vs WPA2-Enterprise
  2. Create the Wi-Fi profile
  3. WPA2-Personal settings
  4. WPA2-Enterprise (802.1X) settings
  5. Assign and test
  6. Troubleshooting

WPA2-Personal vs WPA2-Enterprise

Before building the profile, know which type your network uses:

💡
Which should I use?
WPA2-Personal is fine for most small businesses. If you are going for Cyber Essentials Plus or ISO 27001, or if you have a guest network you want to keep completely separate from corp devices, WPA2-Enterprise is worth the extra setup.

Create the Wi-Fi profile

Intune Admin Centre → Devices → Configuration → + Create → New policy
  1. Go to Devices → Configuration → + Create → New policy
  2. Platform: Windows 10 and later
  3. Profile type: Templates → Wi-Fi
  4. Click Create, give the profile a name (e.g. WIFI-CORP-WPA2) and click Next

WPA2-Personal settings

📶 Basic Wi-Fi settings
Core connection settings for WPA2-Personal

  Wi-Fi type: Basic
    Use Basic for WPA2-Personal. Use Enterprise for 802.1X.
  Wi-Fi name (SSID): CORP-WIFI
    Must match the SSID of your access point exactly, including capitalisation.
  Connection name: Corporate Wi-Fi
    The name shown to users in Windows network settings.
  Connect automatically when in range: Yes
    Devices connect as soon as the SSID is in range.
  Connect to more preferred network if available: Yes
    Allows fallback to Ethernet if available.
  Metered connection limit: Unrestricted
    Keep Unrestricted for a corporate network.

🔒 Security settings - WPA2-Personal

  Security type: WPA2-Personal
  Encryption type: AES
    Always use AES, not TKIP.
  Pre-shared key (password): [your Wi-Fi password]
    This is stored encrypted in Intune and pushed to the device.

⚠️
Keep the passphrase out of screenshots
The pre-shared key is stored encrypted in Intune but appears in plain text during profile setup. Be careful when sharing screenshots of this page.

WPA2-Enterprise (802.1X) settings

For 802.1X you need a RADIUS server configured on your network. Most Cisco, Aruba, and Ubiquiti controllers have built-in RADIUS support, or you can use Windows Server NPS.

🔒 Security settings - WPA2-Enterprise

  Wi-Fi type: Enterprise
  EAP type: EAP-TLS or PEAP
    EAP-TLS uses certificates (more secure). PEAP uses username/password.
  Certificate server names: radius.contoso.com
    The FQDN of your RADIUS server.
  Root certificates for server validation: [your root CA certificate]
    Import the trusted root CA that signed your RADIUS server certificate.
  Authentication method: Username and Password (PEAP) or Certificate (EAP-TLS)

💡
Using Entra ID credentials with PEAP
With PEAP and a Windows Server NPS configured for Entra ID auth, devices automatically authenticate using the signed-in user's Entra ID credentials. No password to manage or rotate.

Assign and test

On the Assignments tab, add your device group. The profile applies at device level, so assign to a device group rather than a user group to ensure it works on shared devices too.

After assigning, trigger an Intune sync on a test device. The Wi-Fi profile appears under Settings → Network and Internet → Wi-Fi within a few minutes. The device should connect automatically if the SSID is in range.

Troubleshooting

Profile applied but device does not connect

Check the SSID matches exactly. A common issue is a trailing space in the SSID field or capitalisation mismatch. Also confirm the security type and encryption type match what the access point is broadcasting.
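
One way to run these checks on the test device, as an added example that is not part of the original guide: the PowerShell below exports the device's WLAN profiles with `netsh wlan export profile` and compares SSID, authentication and encryption against the sample values used in this guide. The helper name `Get-WlanValue` and the temp folder name are assumptions made for the example.

```powershell
# Added example. Expected values are the sample settings from this guide.
$ExpectedSsid = 'CORP-WIFI'
$ExpectedAuth = 'WPA2PSK'   # WPA2-Personal; an 802.1X profile reports 'WPA2'
$ExpectedEnc  = 'AES'

# Hypothetical helper: read one element from a WLAN profile XML document.
function Get-WlanValue([xml]$Doc, [string]$XPath) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $node = $Doc.SelectSingleNode($XPath, $ns)
    if ($node) { $node.InnerText }
}

# Export all WLAN profiles to a per-user temp folder. key=clear is not used,
# so the pre-shared key is not written out in plain text.
# Assumption: the temp path contains no spaces.
$dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    netsh wlan export profile folder=$dir | Out-Null
    $report = foreach ($file in Get-ChildItem -LiteralPath $dir -Filter *.xml) {
        $doc  = [xml](Get-Content -Raw -LiteralPath $file.FullName)
        $ssid = Get-WlanValue $doc '/w:WLANProfile/w:SSIDConfig/w:SSID/w:name'
        # Loose match first, so near-misses (case, stray spaces) are reported too.
        if ("$ssid".Trim() -ine $ExpectedSsid) { continue }
        $sec  = '/w:WLANProfile/w:MSM/w:security/w:authEncryption'
        $auth = Get-WlanValue $doc "$sec/w:authentication"
        $enc  = Get-WlanValue $doc "$sec/w:encryption"
        $mode = Get-WlanValue $doc '/w:WLANProfile/w:connectionMode'
        [pscustomobject]@{
            Ssid        = "[$ssid]"                    # brackets expose a trailing space
            SsidExact   = $ssid -ceq $ExpectedSsid     # case-sensitive comparison
            Auth        = $auth
            AuthOk      = $auth -eq $ExpectedAuth
            Encryption  = $enc
            EncOk       = $enc -eq $ExpectedEnc
            AutoConnect = $mode -eq 'auto'
        }
    }
    if ($report) { $report | Format-List }
    else { "No WLAN profile for SSID '$ExpectedSsid' found on this device." }
}
finally {
    # Remove the exported XML files when done.
    Remove-Item -LiteralPath $dir -Recurse -Force
}
```

A row with `SsidExact : False` points at the trailing-space or capitalisation mismatch described above; `AuthOk` or `EncOk` being `False` means the pushed profile does not match the security settings you expect the access point to use.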

Profile not applying to the device

Check the device is in the assigned group. Go to Devices → [Device] → Configuration profiles to see whether the profile shows as Succeeded, Pending, or Error.

WPA2-Enterprise authentication failing

Check the RADIUS server logs. On a Windows NPS server, open Event Viewer → Custom Views → Server Roles → Network Policy and Access Services. Authentication failures show the exact rejection reason.
