Windows 11 TEAP bug

Peter Lapornik 6 Reputation points
2022-06-27T08:08:13.753+00:00

The TEAP specification states that:

2.2.3.2.13 EapTeapConnectionPropertiesV1
TrustedRootCAHashes: The thumbprint of a root certification authority that is trusted to issue server certificates, represented as a hexadecimal string of the certificate's [SHA256] hash. Zero or more elements can be present.

  • In Windows 10 it was implemented correctly using SHA256
  • In Windows 11 it was implemented using incorrectly SHA1

This causes issues if you try to mass-deploy GPO settings for Wired 802.1X in a mixed W10/W11 environment.

Our workaround was to apply a different GPO to each computer based on operating system.

Will there be a fix for this from Microsoft? Our fear is that if the behaviour is fixed in W11 then all W11 won't be able to connect until we apply a new GPO. This will cause major disruption.

You can reproduce the issue by creating a TEAP configuration on a wired connection then exporting using the netsh lan export profile command.

Note: We haven't completed testing using wireless connections so I can't say if the issue also applies there.

Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
7,641 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Limitless Technology 39,196 Reputation points
    2022-06-28T15:44:59.207+00:00

    Hi there,

    It should be added to the Development Roadmap in 2022.

    If your windows clients are domain joined, you have to push a group policy that enables TEAP, by exporting a group policy and changing some XML content related to the Windows Supplicant TEAP configuration.

    Windows 10 AlwaysON VPN with EAP-TEAP https://learn.microsoft.com/en-us/answers/questions/120377/windows-10-alwayson-vpn-with-eap-teap.html

    Advanced troubleshooting 802.1X authentication https://learn.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication

    ----------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–