Windows 11 TEAP bug

Peter Lapornik 6 Reputation points

The TEAP specification states that: EapTeapConnectionPropertiesV1
TrustedRootCAHashes: The thumbprint of a root certification authority that is trusted to issue server certificates, represented as a hexadecimal string of the certificate's [SHA256] hash. Zero or more elements can be present.

  • In Windows 10 it was implemented correctly using SHA256
  • In Windows 11 it was implemented incorrectly using SHA1

This causes issues if you try to mass-deploy GPO settings for Wired 802.1X in a mixed W10/W11 environment.

Our workaround was to apply a different GPO to each computer based on operating system.

Will there be a fix for this from Microsoft? Our fear is that if the behaviour is fixed in W11 then all W11 won't be able to connect until we apply a new GPO. This will cause major disruption.

You can reproduce the issue by creating a TEAP configuration on a wired connection then exporting using the netsh lan export profile command.

Note: We haven't completed testing using wireless connections so I can't say if the issue also applies there.
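
As an added example (not part of the original post and not Microsoft code), this PowerShell function reads an exported profile and reports whether each trusted-root thumbprint has SHA-1 or SHA-256 length, so a per-OS GPO can be checked against the format the post reports for that OS. The function name, the `TrustedRootCA*` element-name match and the sample XML are assumptions made for illustration.

```powershell
# Added example. Get-TeapRootHashKind and the sample XML are constructed for
# illustration; they are not taken from the post or from Microsoft.
function Get-TeapRootHashKind {
    param(
        [Parameter(Mandatory)][xml]$ProfileXml,
        [ValidateSet('SHA1', 'SHA256')][string]$Expected
    )
    # local-name() ignores namespace prefixes; not(*) keeps leaf elements only.
    # Assumption: thumbprint elements have names starting with "TrustedRootCA".
    $xpath = "//*[starts-with(local-name(),'TrustedRootCA') and not(*)]"
    foreach ($node in $ProfileXml.SelectNodes($xpath)) {
        # Drop whitespace in case the export writes spaced hex bytes.
        $hex = ($node.InnerText -replace '\s', '').ToUpperInvariant()
        $kind = 'unknown-length'
        if ($hex -notmatch '^[0-9A-F]+$') { $kind = 'not-hex' }
        elseif ($hex.Length -eq 40) { $kind = 'SHA1' }      # 160-bit digest
        elseif ($hex.Length -eq 64) { $kind = 'SHA256' }    # 256-bit digest
        [pscustomobject]@{
            Element    = $node.LocalName
            Kind       = $kind
            Match      = if ($Expected) { $kind -eq $Expected } else { $null }
            Thumbprint = $hex
        }
    }
}

# Constructed sample, not a real export. In practice, load the file written by
# "netsh lan export profile" with: [xml](Get-Content -Raw <exported file>)
$sample = [xml]@"
<EapTeap xmlns="urn:example:constructed-sample">
  <ServerValidation>
    <TrustedRootCAHash>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</TrustedRootCAHash>
    <TrustedRootCAHash>01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67</TrustedRootCAHash>
  </ServerValidation>
</EapTeap>
"@

# Check the profile against the format the post reports for Windows 11 (SHA1).
$found = @(Get-TeapRootHashKind -ProfileXml $sample -Expected SHA1)
$found | Format-Table -AutoSize
$bad = @($found | Where-Object { -not $_.Match })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) thumbprint(s) are not in the expected SHA1 form."
}
```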


1 answer

  1. Limitless Technology 39,196 Reputation points

    Hi there,

    It should be added to the Development Roadmap in 2022.

    If your Windows clients are domain joined, you have to push a group policy that enables TEAP, by exporting a group policy and changing some XML content related to the Windows Supplicant TEAP configuration.

    Windows 10 AlwaysON VPN with EAP-TEAP

    Advanced troubleshooting 802.1X authentication


    --If the reply is helpful, please Upvote and Accept it as an answer--