TEAP Native supplicant configuration

henokk60 · ‎09-25-2025

Hi All,

I am in the process of rolling out TEAP authentication with the following configuration:

Primary inner method: EAP‑TLS
Secondary inner method: MSCHAPv2

Certificate enrollment is already automated through Microsoft Intune, so the client certificates are being provisioned successfully.

My question is: Is it possible to configure the native Windows supplicant / wireless adapter settings for a specific SSID using Intune or another method, rather than relying on traditional Group Policy Objects (GPOs)?

The goal is to centrally push the SSID profile with the correct TEAP/EAP settings to corporate workstations without using GPO.

Any guidance, best practices, or references on achieving this through Intune (or other supported approaches) would be greatly appreciated.

Thanks in advance,

Rob Ingram · ‎09-25-2025

@henokk60 it's been a while since I used Intune, but I am not sure native support for TEAP is supported in Intune, in which case you'd need to use GPO.

Are you using Windows 11 Credential Guard, that will cause a problem when using MSCHAPv2, it's recommended to not use MSCHAPv2 any more. Use TEAP for EAP Chaining with EAP-TLS for machine and user authentication.

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues#wi-fi-and-vpn-considerations

henokk60 · ‎09-29-2025

Hi @Rob Ingram

Thank you for your response. I am now able to automate the setting via Intune, and I appreciate you letting me know about the concern.