After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS).


In the Windows 10 November update, EAP was updated to support TLS 1.2. This implies that, if the server advertises support for TLS 1.2 during TLS negotiation, TLS 1.2 will be used.

We have reports that some Radius server implementations experience a bug with TLS 1.2. In this bug scenario, EAP authentication succeeds but the MPPE Key calculation fails because an incorrect PRF (Pseudo Random Function) is used.

Radius servers known to be affected

Note This information is based on research and partner reports. We will add more details as we get more data.


Additional information

Fix available

FreeRADIUS 2.x

2.2.6 for all TLS based methods, 2.2.6 - 2.2.8 for TTLS


FreeRADIUS 3.x

3.0.7 for all TLS based methods, 3.0.7-3.0.9 for TTLS



4.14 when used with Net::SSLeay 1.52 or earlier


Aruba ClearPass Policy Manager



Pulse Policy Secure

Fix under test

Cisco Identify Services Engine 2.x patch 1

Fix under test


Recommended fix

Work with your IT administrator to update the Radius server to the appropriate version that includes a fix.

Temporary workaround for Windows-based computers that have applied the November update

Note Microsoft recommends the use of TLS 1.2 for EAP authentication wherever it's supported. Although all known issues in TLS 1.0 have patches available, we recognize that TLS 1.0 is an older standard that's been proven vulnerable.

To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:

The value of this registry key can be 0xC0, 0x300, or 0xC00.


  • This registry key is applicable only to EAP TLS and PEAP; it does not affect TTLS behavior.

  • If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT administrators apply these settings and that the settings be tested before deployment. However, a user can manually configure the TLS version number if the server supports the corresponding TLS version.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To add these registry values, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following subkey in the registry:


  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Type TlsVersion for the name of the DWORD value, and then press Enter.

  5. Right-click TlsVersion, and then click Modify.

  6. In the Value data box, use the following values for the various versions of TLS, and then click OK.

    TLS version

    DWORD value

    TLS 1.0


    TLS 1.1


    TLS 1.2


  7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.

More Information

Related documentation:

Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!