
[BUG] Cannot configure WPA2-Enterprise EAP-TLS network from GUI in Windows 11

テスト メール 5 Reputation points
2025-06-25T06:51:11.3366667+00:00

Cannot add from known networks_additional settings

Summary:

In Windows 11, it is not possible to configure EAP-TLS Wi-Fi networks via the GUI ("Manage known networks") as it was in Windows 10. Certificate selection and authentication settings are missing or broken.

Steps to reproduce:

  1. Go to Settings > Network > Wi-Fi > Manage known networks > Add network
  2. Select WPA2-Enterprise and try to configure EAP-TLS
  3. No way to select certificates or proper identity appears

Expected behavior:

User should be able to select certificate and configure EAP-TLS network via GUI (as in Windows 10).

Other EAP methods, such as PEAP, should continue to work properly.

Actual behavior:

Settings UI is broken or limited for EAP-TLS only. Only PEAP and other EAP types work as expected.

Impact:

This blocks secure Wi-Fi deployment in environments without centralized GPO/MDM. Standalone deployment becomes unmanageable.

Request:

Please restore full EAP-TLS configuration ability in GUI or document the official supported method.

Windows for business | Windows Client for IT Pros | User experience | Other

1 answer

  1. Joseph Tran 4,080 Reputation points Independent Advisor
    2025-08-05T06:48:51.2966667+00:00

    Based on my knowledge, what you're experiencing in Windows 11 is a known regression in the Wi-Fi configuration GUI compared to Windows 10.

    So we have to wait until Microsoft resolves this via update, but we can use some workaround options below:

    Option 1: Use netsh wlan add profile with XML

    You can still fully configure EAP-TLS using an XML Wi-Fi profile.

    -> Example: wifi-eap-tls.xml

    <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
        <name>HOMEAP</name>
        <SSIDConfig>
            <SSID>
                <name>HOMEAP</name>
            </SSID>
        </SSIDConfig>
        <connectionType>ESS</connectionType>
        <connectionMode>auto</connectionMode>
        <MSM>
            <security>
                <authEncryption>
                    <authentication>WPA2</authentication>
                    <encryption>AES</encryption>
                    <useOneX>true</useOneX>
                </authEncryption>
                <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                    <EAPConfig>
                        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                            <EapMethod>
                                <Type>13</Type>
                                <VendorId>0</VendorId>
                                <VendorType>0</VendorType>
                                <AuthorId>0</AuthorId>
                            </EapMethod>
                            <Config xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
                                    xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                                <baseEap:Eap>
                                    <baseEap:Type>13</baseEap:Type>
                                    <eapTls:EapType>
                                        <eapTls:CredentialsSource>
                                            <eapTls:CertificateStore>
                                                <eapTls:SimpleCertSelection>true</eapTls:SimpleCertSelection>
                                            </eapTls:CertificateStore>
                                        </eapTls:CredentialsSource>
                                        <eapTls:ServerValidation>
                                            <eapTls:DisableUserPromptForServerValidation>false</eapTls:DisableUserPromptForServerValidation>
                                            <eapTls:ServerNames>radius.homeap.local</eapTls:ServerNames>
                                            <!-- SHA-1 thumbprint of the trusted root CA, as hex byte pairs separated by spaces -->
                                            <eapTls:TrustedRootCA>THUMBPRINT_HERE</eapTls:TrustedRootCA>
                                        </eapTls:ServerValidation>
                                        <eapTls:DifferentUsername>false</eapTls:DifferentUsername>
                                    </eapTls:EapType>
                                </baseEap:Eap>
                            </Config>
                        </EapHostConfig>
                    </EAPConfig>
                </OneX>
            </security>
        </MSM>
    </WLANProfile>
    
    • Then install it via:
    netsh wlan add profile filename="wifi-eap-tls.xml" user=current
    

    => Replace THUMBPRINT_HERE with the certificate thumbprint of your trusted CA.

    Option 2: Use Group Policy or Intune (if available)

    For domain-joined or Intune-managed devices, use:

    • GPO → Computer Configuration → Policies → Windows Settings → Security Settings → Wireless Network (IEEE 802.11) Policies
    • Intune → Wi-Fi profiles with EAP-TLS settings

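A scripted version of Option 1, added here as an example and not part of the answer above: instead of typing the CA thumbprint by hand, it reads it from the machine's Root store, pins the RADIUS server name, disables the prompt that would otherwise let a user accept an unknown server, installs the profile with netsh wlan add profile, and reads the profile back. The SSID HOMEAP and the server name radius.homeap.local are taken from the posted profile; the CA subject 'CN=HomeAP Root CA' and the temporary file path are assumptions and must be changed for a real deployment.

```powershell
# Added example (not the answer's own code). Builds and installs an EAP-TLS
# Wi-Fi profile with the trusted root CA pinned by thumbprint.
# Assumptions: CA subject 'CN=HomeAP Root CA'; SSID and RADIUS name as posted.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$Ssid       = 'HOMEAP',
    [string]$ServerName = 'radius.homeap.local',
    [string]$CaSubject  = 'CN=HomeAP Root CA'   # assumption: subject DN of your root CA
)

$ErrorActionPreference = 'Stop'

# 1. Locate the trusted root CA in the machine store. Reading the thumbprint
#    from the store avoids hand-typed thumbprints that silently pin the wrong CA.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -eq $CaSubject } |
      Select-Object -First 1
if (-not $ca) { throw "Root CA '$CaSubject' not found in Cert:\LocalMachine\Root." }

# TrustedRootCA expects the SHA-1 thumbprint as space-separated hex byte pairs.
$thumbprint = $ca.Thumbprint.ToLower() -replace '(.{2})(?=.)', '$1 '

# 2. Sanity check: EAP-TLS needs a client-auth certificate with a private key in
#    the user's store (OID 1.3.6.1.5.5.7.3.2 = Client Authentication).
$clientCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
}
if (-not $clientCerts) {
    Write-Warning "No client-authentication certificate with a private key in Cert:\CurrentUser\My; the connection will fail until one is enrolled."
}

# 3. Build the profile. Server validation is pinned to the CA thumbprint and the
#    RADIUS name, and the user prompt is disabled so a mismatch fails closed
#    instead of asking the user to trust whatever server answered.
$escapedSsid = [System.Security.SecurityElement]::Escape($Ssid)
$profileXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$escapedSsid</name>
  <SSIDConfig><SSID><name>$escapedSsid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod><Type>13</Type><VendorId>0</VendorId><VendorType>0</VendorType><AuthorId>0</AuthorId></EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames>$ServerName</ServerNames>
                    <TrustedRootCA>$thumbprint</TrustedRootCA>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"@

# 4. Write the profile to a temporary file (assumed path) and install it for the
#    current user; the file is removed afterwards because the WLAN store keeps a copy.
$path = Join-Path $env:TEMP "wifi-eap-tls-$Ssid.xml"
[System.IO.File]::WriteAllText($path, $profileXml, [System.Text.UTF8Encoding]::new($false))
try {
    $result = & netsh wlan add profile filename="$path" user=current 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh wlan add profile failed: $result" }
    Write-Host $result
} finally {
    Remove-Item -Path $path -ErrorAction SilentlyContinue
}

# 5. Read the profile back and show the authentication-related lines so the
#    pinned settings can be confirmed before the laptop leaves the bench.
$shown = & netsh wlan show profile name="$Ssid"
if ($LASTEXITCODE -ne 0) { throw "Profile '$Ssid' was not found after installation." }
$shown | Where-Object { $_ -match 'Authentication|802\.1X|EAP' }
```

The one deliberate difference from the posted profile is DisableUserPromptForServerValidation set to true: with the CA and server name pinned, a RADIUS server that presents a certificate from another CA or with another name is simply rejected, rather than the user being asked to accept it. The text that netsh wlan show profile prints is localized, so the final filter only helps on English systems; on others, export the profile with netsh wlan export profile and inspect the XML instead.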
