Windows 11 TEAP bug

asked 2022-06-27T08:08:13.753+00:00
Peter Lapornik 1 Reputation point

The TEAP specification states that: EapTeapConnectionPropertiesV1
TrustedRootCAHashes: The thumbprint of a root certification authority that is trusted to issue server certificates, represented as a hexadecimal string of the certificate's [SHA256] hash. Zero or more elements can be present.

  • In Windows 10 it was implemented correctly using SHA256
  • In Windows 11 it was implemented incorrectly using SHA1

This causes issues if you try to mass-deploy GPO settings for Wired 802.1X in a mixed W10/W11 environment.

Our workaround was to apply a different GPO to each computer based on operating system.

Will there be a fix for this from Microsoft? Our fear is that if the behaviour is fixed in W11 then all W11 won't be able to connect until we apply a new GPO. This will cause major disruption.

You can reproduce the issue by creating a TEAP configuration on a wired connection then exporting using the netsh lan export profile command.

Note: We haven't completed testing using wireless connections so I can't say if the issue also applies there.

Windows 11

1 answer

  1. answered 2022-06-28T15:44:59.207+00:00
    Limitless Technology 37,291 Reputation points

    Hi there,

    It should be added to the Development Roadmap in 2022.

    If your Windows clients are domain joined, you have to push a group policy that enables TEAP, by exporting a group policy and changing some XML content related to the Windows Supplicant TEAP configuration.

    Windows 10 AlwaysON VPN with EAP-TEAP

    Advanced troubleshooting 802.1X authentication


    --If the reply is helpful, please Upvote and Accept it as an answer–
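
Added example, not part of the original thread and not Microsoft's code: a PowerShell check that reads an exported profile, reports whether each `TrustedRootCAHashes` value is SHA-1 or SHA-256 length, and maps a thumbprint of either kind back to a certificate in the local root store. The function names are hypothetical, the XML fragment is constructed from the two element names quoted in the question, and it is assumed the thumbprint may contain separators such as spaces.

```powershell
# Added example: classify TrustedRootCAHashes values by digest length.
function Get-TeapRootHashAlgorithm {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = [xml]$ProfileXml
    # Match on local-name() so the lookup does not depend on the XML namespace.
    foreach ($node in $doc.SelectNodes("//*[local-name()='TrustedRootCAHashes']")) {
        # Strip separators (spaces, colons) before measuring the digest.
        $hex = ($node.InnerText -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $algorithm = switch ($hex.Length) {
            40      { 'SHA1' }      # 160-bit digest
            64      { 'SHA256' }    # 256-bit digest
            default { 'Unknown' }
        }
        [pscustomobject]@{ Algorithm = $algorithm; Thumbprint = $hex }
    }
}

# Find the trusted root whose SHA-1 or SHA-256 thumbprint equals the given value.
function Resolve-TeapRootHash {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
            $digest = [BitConverter]::ToString($sha256.ComputeHash($_.RawData)) -replace '-', ''
            $_.Thumbprint -eq $Thumbprint -or $digest -eq $Thumbprint
        } | Select-Object -ExpandProperty Subject
    } finally { $sha256.Dispose() }
}

# Constructed fragment (not a full exported profile); thumbprints are placeholders.
$template = @'
<EapTeapConnectionPropertiesV1>
  <TrustedRootCAHashes>{0}</TrustedRootCAHashes>
  <TrustedRootCAHashes>{1}</TrustedRootCAHashes>
</EapTeapConnectionPropertiesV1>
'@
$sample = $template -f ('AB' * 20), ('CD' * 32)
Get-TeapRootHashAlgorithm -ProfileXml $sample
```

For a real check, pass the contents of the file written by `netsh lan export profile` to `Get-TeapRootHashAlgorithm`, then feed each thumbprint to `Resolve-TeapRootHash` to confirm that the Windows 10 and Windows 11 GPOs pin the same root CA.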
