Simplifying TLS 1.3 Configuration for EAP Authentication Using Microsoft Intune

Enable or Disable TLS 1.3 for EAP Client Authentication Using Intune Settings Catalog Policy

The Settings Catalog in Microsoft Intune is one of the most efficient ways to configure and manage policies across enterprise devices. It provides a centralized location where IT administrators can easily apply settings, ensuring consistency and security.

Transport Layer Security (TLS) is a critical protocol for securing communication over networks, ensuring confidentiality, integrity, and authentication. As the successor to Secure Sockets Layer (SSL), TLS plays a key role in protecting enterprise communications and authentication mechanisms.

In this article, we will discuss the key features of TLS 1.3, its impact on EAP Client Authentication, and explain step by step how to configure this policy using Microsoft Intune’s Settings Catalog.

What Are the Features of TLS 1.3?

TLS 1.3 brings significant improvements over previous versions, making it faster, more secure, and more efficient:

  • Faster and more responsive connections, reducing handshake latency.
  • Improved user experience and website performance with lower encryption overhead.
  • Zero round-trip time (0-RTT) resumption, making the TLS 1.3 handshake nearly instant.
  • Elimination of outdated cryptographic algorithms, strengthening security.
  • Enhanced privacy protections, encrypting more of the handshake process.

Since browsers and operating systems must adapt to newer TLS versions, organizations need to manage and enforce TLS 1.3 policies effectively. Using Microsoft Intune, IT administrators can easily enable or disable TLS 1.3 for EAP Client Authentication to align with their security requirements.

Windows CSP Details

Before configuring this policy, it's important to understand the Configuration Service Provider (CSP) details. On client operating systems, a CSP acts as the interface between the configuration settings in a provisioning document and the settings applied on the device.

The screenshot below provides an overview of the CSP details relevant to this policy, helping administrators better understand how this configuration is applied within Windows environments.


Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 1

Creating a Profile

To deploy the Intune policy, we first need to create a configuration profile. Start by logging into the Microsoft Intune Admin Center with your credentials.

Then, navigate to the Devices section, click on Configurations, and select the option to create a new policy. This profile will allow us to define the necessary settings for enabling or disabling TLS 1.3 for EAP Client Authentication.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 2

Defining the Profile Settings

After clicking New Policy, the Create Profile window will open, where we need to configure the following settings:

  1. Platform – Select Windows 10 and Later to ensure compatibility with modern Windows devices.
  2. Profile Type – Choose Settings Catalog from the available options, allowing granular control over policy settings.
  3. Confirmation – Click Create to finalize the profile and proceed with the configuration.

This setup ensures that the policy is properly structured before defining the specific settings for TLS 1.3 for EAP Client Authentication.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 3

Basics

The first step in the profile creation process is the Basics section. Here, we need to provide a name and description for the policy we are deploying. This section is mandatory, and users must complete it to proceed with creating the profile.

For this configuration, we will use the following:

  • Name: Allow TLS 1.3
  • Description: This policy enables the use of TLS 1.3.

Once these details are entered, we can move forward with the next steps of the profile creation process.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 4

Configuration Settings

Next, we proceed to the Configuration Settings section, where we select +Add settings to continue creating the profile. This section allows us to choose the specific settings we want to configure. Since it is a mandatory step, it must be completed before proceeding.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 5

Selecting the Policy in the Settings Picker

When the Settings Picker window opens, we can search for the desired policy using keywords. In this case, enter "Allow TLS13 In" in the search bar and click Search to proceed.

Next, navigate to the Browse by category section and select EAP. Within this category, locate and select "Allow TLS13" to apply the configuration.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 6

Configuration Settings

After selecting the settings, we can close the Settings Picker window. We will then be in the Configuration Settings section, where we can see that the use of TLS version 1.3 is allowed for authentication. To continue, click the Next button.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 7

Scope Tags

The Scope Tags section is the next step in the profile creation process. This section is optional and allows us to assign Scope Tags to the profile if needed.

If we choose to add Scope Tags, we can define them here. However, if this step is not required, simply click Next to proceed.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 8

Assignment

The next step is the Assignments section, where we assign the policy to specific device groups. To do this, click Add Group under the Included Groups section.

A new window will appear, allowing us to select the appropriate group. After making a selection, click Select, then click Next to proceed.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 9

Review + Create

The Review + Create section is the final step in the policy creation process. Here, we can review a summary of the policy, including its name, description, platform, and assigned settings. This step ensures that all configurations are correct before deployment.

All the policy settings entered will be displayed for final verification before proceeding.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 10

After clicking the Create button, we will be notified in the Intune Portal that the policy "Allow TLS 1.3" has been "created successfully". We can then quickly check the created policy in the Intune Portal.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 10

Device and User Check-in Status

After selecting the policy, a new window will open, providing a detailed view of the policy settings and deployment status. Monitoring this status is essential, as it helps determine whether the policy was successfully applied to the targeted devices.

To check the monitoring status, navigate to: Devices > Configuration > Search for the policy name.

Enable or Disable TLS13 for EAP Client Authentication using Intune Settings Catalog Policy – Fig 11

Client-Side Verification

To perform client-side verification of the applied policy, you can use the Event Viewer. However, since specific Event IDs may vary depending on the policy type and configuration, it's essential to follow the steps below to identify the relevant ID for your scenario:

  1. Open the Event Viewer on the target device.
  2. Navigate to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
  3. Look for events related to policy processing. While Event ID 814 is commonly associated with successful policy application, it is recommended to:
     • Review the event details to confirm they correspond to the policy you deployed.
     • Check other Event IDs in this log that might relate to your specific configuration or settings.

If you cannot locate the expected Event ID or encounter issues, verify the following:

  • Ensure the device is successfully synced with Intune.
  • Check the policy's assignment and scope in the Intune admin center.
  • Refer to Microsoft's documentation for additional troubleshooting guidance on the DeviceManagement-Enterprise-Diagnostics-Provider log.

By following these steps, you can accurately verify if the policy has been applied successfully and troubleshoot any discrepancies.
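The Event Viewer check above can be scripted so that the same verification runs on every target device. This is an added example, not code from the original article; it assumes (not stated in the article) that the Settings Catalog item maps to the Policy CSP area "Eap" with the setting name "AllowTLS13", and that the MDM client mirrors applied Policy CSP values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>.

```powershell
# Added example (not from the original article): client-side verification of the
# "Allow TLS13" EAP policy delivered by Intune.
# Assumptions: Policy CSP area "Eap", setting name "AllowTLS13", and the
# PolicyManager registry mirror path below. Adjust if your tenant differs.

$LogName    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$PolicyArea = 'Eap'         # assumed Policy CSP area
$PolicyName = 'AllowTLS13'  # assumed Policy CSP setting name

# 1. Policy-processing events (Event ID 814, as noted in the article) that mention this setting.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 814 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $PolicyName }

if ($events) {
    Write-Host "Found $($events.Count) Event ID 814 entries mentioning $PolicyName (newest first):"
    $events | Select-Object -First 5 TimeCreated, Id, Message | Format-List
} else {
    Write-Warning "No Event ID 814 entries mentioning $PolicyName. Confirm the device has synced and the policy is assigned to a group containing it."
}

# 2. Effective value the MDM client wrote for the policy (assumed registry mirror path).
$regPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$PolicyArea"
$value   = (Get-ItemProperty -Path $regPath -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName

switch ($value) {
    1       { Write-Host "TLS 1.3 is allowed for EAP client authentication ($PolicyName = 1)." }
    0       { Write-Host "TLS 1.3 is disabled for EAP client authentication ($PolicyName = 0)." }
    default { Write-Warning "$PolicyName not present under $regPath; the device may not have received the policy yet." }
}
```

Run it in an elevated PowerShell session on the target device; an absent registry value together with no matching events points at sync or assignment problems rather than at the setting itself.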

More Information

For further assistance on configuring TLS 1.3 for EAP Client Authentication using Microsoft Intune, refer to the following resources on Microsoft Learn:

  • Extensible Authentication Protocol (EAP) for Network Access – Overview of EAP settings and configuration in Windows-based computers.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access

  • EAP - What's Changed in Windows 11 – Discusses the adoption of TLS 1.3 by default in Windows 11 version 22H2 and known issues related to TLS 1.3 support.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

  • Certificate Requirements When You Use EAP-TLS – Outlines the certificate requirements for EAP-TLS authentication, including client and server certificate configurations.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

  • Configure Certificate Templates for PEAP and EAP Requirements – Step-by-step guide to configuring certificate templates for PEAP and EAP authentication.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

  • EAP Configuration – Guide to creating an EAP configuration XML for a VPN profile.

https://learn.microsoft.com/en-us/windows/client-management/mdm/eap-configuration

These resources provide comprehensive instructions on setting up, managing, and optimizing EAP configurations and TLS settings with Microsoft Intune.


Thank you!

Ricardo Barbosa

MCT Microsoft Certified Trainer | Cloud Architect

Technology Director - https://altelix.com




Naveen Aadithya

25+ Years of Building Secure, Scalable IT Solutions | Solution Architect & DevSecOps Leader | DevOps Engineer

2 weeks

Very informative

Flávio Fernandes

Cloud Infrastructure Manager | IT Coordinator | Azure Solutions | Infrastructure Lead | Cloud Technical Account | Team Management & Digital Transformation Leader | Azure Architect | Technology People Manager

3 weeks

Very informative
