The Challenge
A retail brand with more than 2,000 employees and locations across the country sought to streamline its certificate lifecycle management and integrate its devices into the Microsoft ecosystem. To do this, the company decided to migrate its 1,000+ devices from AirWatch to Intune. The transition required careful management to close a potential visibility gap: while devices are being moved between two MDMs, a device can drop out of view of both, and certificates issued to devices that never re-enroll in the new MDM stay valid and unrevoked. Those orphaned certificates are both a security exposure and wasted licenses.
A number of challenges presented themselves during the migration:
- Infrastructure management. Every device profile, configuration payload, and certificate delivery mechanism had to be rebuilt in Intune rather than carried over from AirWatch.
- Retail continuity. Store employees depend on Wi-Fi for point-of-sale, inventory, and customer-facing systems. Any disruption to certificate-based authentication during the MDM transition would directly affect operations and revenue.
- WSTEP for domain-joined devices. Some domain-joined Windows devices required WSTEP (the WS-Trust X.509 enrollment protocol used by Windows certificate auto-enrollment) rather than the standard Intune SCEP profile, adding another enrollment path to the migration.
- System integration. Certificate delivery had to be re-plumbed through Intune while keeping the same security standards (the same CA chain, certificate templates, and EAP-TLS authentication) in place across the infrastructure shift.
The IT infrastructure team worked closely with SecureW2 engineers to orchestrate the migration without disruption.
The Solution
The work included rebuilding SCEP profiles in Intune to replace AirWatch certificate delivery, configuring WSTEP for domain-joined Windows devices that could not use standard SCEP enrollment, and validating that the Meraki wireless infrastructure still accepted the Intune-issued certificates after the MDM switch.
The approach preserved the existing PKI hierarchy and Cloud RADIUS configuration. Certificates issued through the new Intune SCEP profiles chained to the same certificate authority as before, so Meraki and Cloud RADIUS required no reconfiguration: the trust anchor the RADIUS server validates EAP-TLS client certificates against did not change. The company also adopted an enrollment model tied to device lifecycle, so that a certificate is revoked automatically once the device or user holding it is retired or removed from management.
Throughout the migration, devices at retail stores continued authenticating to the same EAP-TLS SSID, so there was no interruption in service.
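The visibility gap described in the Challenge section is normally closed by reconciling the MDM inventory against the PKI's issued-certificate list before and after cutover. The script below is an added example of that reconciliation; it is not the retailer's or SecureW2's code. It assumes two exports a practitioner would pull during the migration: a merged AirWatch and Intune device inventory, and the PKI's issued-certificate report carrying the device identity the SCEP profile placed in each certificate and the fingerprint of the chain's root. The field names, sample records and root fingerprint are constructed for illustration. Note that the inventory must be merged across both MDMs: a device still enrolled only in AirWatch is not orphaned, and revoking its certificate would take that store's Wi-Fi down.

```python
"""Reconcile a merged MDM inventory against a PKI issued-certificate report.

Added example, not the retailer's or SecureW2's code. Record layouts, sample
data and EXPECTED_ROOT_FP are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: SHA-256 fingerprint of the retailer's existing root CA. Certificates
# that chain anywhere else were not issued under the preserved PKI hierarchy.
EXPECTED_ROOT_FP = "sha256:aa11bb22cc33dd44ee55ff6600112233445566778899aabbccddeeff00112233"

REASON_ORPHANED = "orphaned: device not active in any MDM"
REASON_SUPERSEDED = "superseded: a newer certificate was issued to the same device"


@dataclass(frozen=True)
class IssuedCert:
    serial: str
    device_id: str      # assumed: device identity the SCEP profile put in the subject/SAN
    root_fp: str        # fingerprint of the chain's root as reported by the CA
    not_after: datetime
    revoked: bool


@dataclass(frozen=True)
class MdmDevice:
    device_id: str
    mdm: str            # "airwatch" or "intune"; both count during cutover
    state: str          # "active" or "retired"


def reconcile(devices, certs, now):
    """Return (to_revoke, missing_cert, wrong_chain).

    to_revoke:    {serial: reason} for live certs that should be revoked
    missing_cert: active device IDs with no live certificate (will fail EAP-TLS)
    wrong_chain:  serials of live certs that do not chain to EXPECTED_ROOT_FP
    """
    active = {d.device_id for d in devices if d.state == "active"}
    # Only unrevoked, unexpired certs matter; the rest are already dead.
    live = [c for c in certs if not c.revoked and c.not_after > now]

    # Newest live cert per device. Re-enrollment in Intune issues a fresh cert,
    # so the AirWatch-era one for the same device becomes superseded.
    newest = {}
    for c in live:
        cur = newest.get(c.device_id)
        if cur is None or c.not_after > cur.not_after:
            newest[c.device_id] = c

    to_revoke, wrong_chain = {}, []
    for c in sorted(live, key=lambda x: x.serial):
        if c.root_fp != EXPECTED_ROOT_FP:
            wrong_chain.append(c.serial)
        if c.device_id not in active:
            to_revoke[c.serial] = REASON_ORPHANED
        elif newest[c.device_id].serial != c.serial:
            to_revoke[c.serial] = REASON_SUPERSEDED

    missing_cert = sorted(d for d in active if d not in newest)
    return to_revoke, missing_cert, wrong_chain


def sample_now():
    return datetime(2025, 1, 1, tzinfo=timezone.utc)


def sample_data():
    """Constructed inventory and certificate report covering the edge cases."""
    now = sample_now()
    d = lambda n: now + timedelta(days=n)
    devices = [
        MdmDevice("pos-001", "intune", "active"),    # migrated, re-enrolled
        MdmDevice("pos-002", "airwatch", "active"),  # not yet migrated: still live
        MdmDevice("pos-003", "airwatch", "retired"), # retired during cutover
        MdmDevice("pos-004", "intune", "active"),    # migrated, cert expired
    ]
    certs = [
        IssuedCert("1001", "pos-001", EXPECTED_ROOT_FP, d(300), False),  # AirWatch-era
        IssuedCert("1002", "pos-001", EXPECTED_ROOT_FP, d(365), False),  # Intune-issued
        IssuedCert("1003", "pos-002", EXPECTED_ROOT_FP, d(200), False),
        IssuedCert("1004", "pos-003", EXPECTED_ROOT_FP, d(100), False),
        IssuedCert("1005", "pos-005", EXPECTED_ROOT_FP, d(150), False),  # unknown device
        IssuedCert("1006", "pos-002", "sha256:deadbeef", d(10), False),  # foreign chain
        IssuedCert("1007", "pos-003", EXPECTED_ROOT_FP, d(100), True),   # already revoked
        IssuedCert("1008", "pos-004", EXPECTED_ROOT_FP, d(-1), False),   # expired
    ]
    return devices, certs


if __name__ == "__main__":
    devices, certs = sample_data()
    to_revoke, missing, wrong = reconcile(devices, certs, sample_now())
    for serial, reason in to_revoke.items():
        print(f"revoke {serial}: {reason}")
    print("devices without a live certificate:", missing)
    print("certificates outside the expected chain:", wrong)
```

Run before cutover and again after the last device moves; the first run should show only superseded and retired-device entries, and the "devices without a live certificate" list is the one to clear before decommissioning the old MDM, since every device on it will fail EAP-TLS the moment its old certificate expires.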
The Results
- Strengthened security posture. The integration enabled automated certificate revocation, so certificates are invalidated when employees leave or devices are lost. Revocation only bites if Cloud RADIUS checks certificate status (CRL or OCSP) during EAP-TLS; without that check a revoked certificate keeps authenticating until it expires.
- MDM-agnostic PKI. The same cloud PKI and Cloud RADIUS supported both AirWatch and Intune without new certificate authorities or RADIUS changes.
- Retail operations uninterrupted. Certificate-based Wi-Fi stayed live for store employees throughout the MDM transition.
The completed migration positions the retailer on a modern MDM foundation with the same certificate infrastructure running underneath. With Intune now handling all device profiles, the team has a single management plane for certificate delivery across retail locations and corporate offices — a simpler architecture than the AirWatch-era setup.