Get rid of the “Continue connecting?” prompt for your policy-configured wifi networks

Aaron | Endpoint Management | 10 Comments

Updates ahead

Based on some comments and additional feedback, additional content is added below.

As of Windows 11, we noticed that we were getting prompted to continue connecting to a network that we’d never had a problem with before. It’s already defined in group policy, so this new behavior is puzzling and annoying. The certificate in question is for the NPS/RADIUS server our network uses to validate credentials for the wifi.

I really had no idea how to even begin googling for this problem, so I talked to some of my fellow nerds on the Winadmins Discord server, tossing around some ideas on what could be causing this, looking to see whether there was a problem with the certificate, etc. While I was poking around and testing these suggestions, I stumbled across the fix.

In the Group Policy editor, find the defined wifi policies under Computer > Policies > Windows Settings > Wireless Network (802.11) Policies. Open the properties for the configuration in question.

On the General tab, find the SSID you’ve configured and click Edit. On the Security tab, under the authentication method (Microsoft: Protected EAP in my case), click Properties.

On the Protected EAP Properties tab, the checkbox for “Verify the server’s identity by validating the certificate” was already checked. The fix ended up being to tick the checkbox next to my company’s internal CA service. After updating the group policy on the laptop in question, the network connects properly on login again with no further questions.

It is important to note that we’re not specifying what the server names should be. We are merely selecting which root certificate is allowed to sign any certificates for the RADIUS / NPS servers that might serve this wifi connection.
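An added example (not from the original post): a PowerShell check that reads a WLAN profile exported to XML and flags the two conditions this page associates with the prompt, namely no trusted root CA selected and a wildcard in the server names field (the latter reported in the comments below). The sample profile, the SSID `CorpWiFi` and the name `*.corp.example` are constructed, and the function name is hypothetical; the element names follow Microsoft's WLAN profile and PEAP configuration schemas.

```powershell
# Constructed, trimmed sample of an exported WLAN profile (PEAP, EAP type 25).
# "CorpWiFi" and "*.corp.example" are made-up values.
$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <ServerNames>*.corp.example</ServerNames>
            <TrustedRootCA></TrustedRootCA>
          </ServerValidation>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
'@

function Test-PeapServerValidation {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # local-name() sidesteps the several XML namespaces nested in the profile.
    $ssid = $ProfileXml.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
    $blocks = $ProfileXml.SelectNodes("//*[local-name()='ServerValidation']")
    $findings = @()
    if ($blocks.Count -eq 0) { $findings += 'No ServerValidation block found' }
    foreach ($sv in $blocks) {
        # Each ticked root CA is stored as one TrustedRootCA thumbprint.
        $roots = @($sv.SelectNodes("*[local-name()='TrustedRootCA']") |
            ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })
        if ($roots.Count -eq 0) {
            $findings += 'No trusted root CA selected (the cause described in the post)'
        }
        $namesNode = $sv.SelectSingleNode("*[local-name()='ServerNames']")
        $names = if ($null -ne $namesNode) { $namesNode.InnerText.Trim() } else { '' }
        if ($names.Contains('*')) {
            $findings += "Wildcard in server names '$names' (reported in the comments)"
        }
    }
    [pscustomobject]@{ Profile = $ssid; Findings = $findings }
}

# Real input (assumed workflow): netsh wlan export profile folder=<dir>, then
# Test-PeapServerValidation (Get-Content -Raw <file>.xml)
Test-PeapServerValidation $sample | Format-List
```

For the constructed sample, both findings are reported; a profile with the internal root CA ticked and no wildcard returns an empty `Findings` list.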

To answer questions about Intune, there are obvious equivalent settings in Intune wifi policies. Here is a bare-bones, heavily redacted screenshot from production that does not show all settings, just the settings relevant to this topic:

A screenshot with a group policy showing relevant settings.

Hopefully this provides some additional clarity, but let me know if it doesn’t.

10 Comments on “Get rid of the “Continue connecting?” prompt for your policy-configured wifi networks”

    1. I’ve not yet had the misfortune of having to configure anything on my clients with Intune. Presumably if you created a wifi profile inside Intune it should also have a way to specify which root CAs are trusted.

      Update:
      It does in fact have places to put the same settings. Here are the relevant documents:
      https://docs.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-windows#enterprise-profile

      Just search for “dynamic trust” on the page.

  1. Hope this isn’t a stupid question, but what do you mean by “select the checkmark by my company’s internal CA service”?
    I also have “Verify the server’s identity by validating the certificate” already checked in the policy.
    Thank you!

    1. This assumes your company is running an internal Certificate Authority and did not buy a certificate from a third party vendor. For example, Microsoft has a server role for providing a certificate authority unique to your company.

  2. The other thing that Windows 11 seems to do is not allow a wildcard in the server names field – I had *.school.edu and while it worked fine in Windows 10, Windows 11 gave users the continue connecting prompt. We already had our CA ticked; once I replaced the * with the CN of the certificate, Windows 11 worked fine.

    1. I just don’t specify their names and each RADIUS server has their own, it seems to work out. We push our iPads to the guest wifi so I do not often have to care about their weirdness. Thanks for the tip, I am sure it will help other people in a similar situation!
