Newly imaged PC unable to connect to WiFi via EAP-TLS

St. John, Lori 0 Reputation points
2024-07-03T20:37:03.7+00:00

Newly imaged PCs are unable to connect to WiFi via EAP-TLS. The certificate gets pushed down via auto enrollment after the GPO update. We've verified the certificates, and all are present on the machine and good. We can normally fix this by manually deleting the device certificate and doing a reboot (although we have a few that are still having an issue). We are trying to get this issue fixed to keep our process automated. Anyone else experience this issue? It happens on both Windows 10 and Windows 11.


2 answers

  1. S.Sengupta 16,776 Reputation points MVP
    2024-07-04T00:41:50.1066667+00:00

    You can use a PowerShell script to automate the removal of the certificate:

    Script to delete certificate on Windows 10 devices

    Also, update the network driver and consider recreating a Wi-Fi profile.


  2. Hania Lian 10,531 Reputation points Microsoft Vendor
    2024-07-05T07:24:38.1066667+00:00

    Hello,

    Here are a few possible options you could try to check:

    Verify the certificate chain: Ensure that the certificate chain is intact and valid on the client machine. Check the Root CA, intermediate CA, and device certificates to ensure they are present and not expired.

    Check certificate permissions: Ensure that the device certificate has the appropriate permissions to be used for authentication. Make sure the certificate is not marked as non-exportable and that the private key is accessible.

    Check Group Policy settings: Verify that the Group Policy settings for EAP-TLS authentication are correctly configured. Ensure that the appropriate certificate template is specified in the policy and that it is enabled for auto enrollment.

    Check certificate stores: Confirm that the certificates are present in the correct certificate stores. The device certificate should be located in the machine’s Personal certificate store.

    Reset network settings: Sometimes, resetting the network settings on the client machine can help resolve authentication issues. You can do this by opening Command Prompt with administrative privileges and running the following commands:

    netsh winsock reset

    netsh int ip reset

    ipconfig /release

    ipconfig /renew

    ipconfig /flushdns

    Update network drivers: Make sure that the network drivers on 

    Best Regards,

    Hania Lian

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

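
The certificate checks listed in the answer above (chain, validity dates, private key, machine Personal store) can be collected in one read-only pass. This is an added example, not code from either answerer or from Microsoft; it assumes an elevated PowerShell session on the affected PC, and the report field names are chosen here for illustration.

```powershell
# Added example: read-only report on EAP-TLS candidate certificates.
# Assumption: run elevated so machine private keys can be opened.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

$report = @(foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Keep certificates that allow client authentication. A certificate with
    # no EKU extension is valid for all purposes, so it is kept as well.
    $ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ } |
              ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $clientAuthOid) { continue }

    # Build the chain in machine context. Revocation is skipped because the
    # PC has no network path to a CRL/OCSP server while Wi-Fi auth is failing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # HasPrivateKey only says a key is linked; opening it shows it is usable.
    $keyOpens = $false
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyOpens = $null -ne $key
    } catch { $keyOpens = $false }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        RsaKeyOpens   = $keyOpens
        ChainOk       = $chainOk
        ChainErrors   = $chainErrors
    }
})

$report | Sort-Object NotBefore | Format-List
Write-Output ("Client-auth candidates in LocalMachine\My: {0}" -f $report.Count)
```

A row with ChainOk or RsaKeyOpens set to False points at the chain or private-key items in the list above; RsaKeyOpens is also False for certificates whose key is not RSA.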