20 minute delay deploying Windows 7 on 802.1x? Fix it here!

Someone mentioned to me that he has a 20-minute delay deploying Windows 7 to 802.1x EAP networks. They noted https://support.microsoft.com/kb/978152, which is “A Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication”.

 

But they didn’t see a similar fix for Windows 7. So, what do they do? They ask PFE, of course! I got together with Yong Rhee and Carl Luberti, we kicked the tires a bit, and we found that to fix this you likely need to do two things:

1)  Apply https://support.microsoft.com/?id=976373 which is “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network” and then add the registry key to modify the timeout value:

For wired networks
To use the new registry setting in a wired network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 - 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

For wireless networks
To use the new registry setting in a wireless network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 - 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

Set the value to something smallish, like, say, 2.
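For deployments, the registry steps above can be scripted instead of clicked through. The following PowerShell is an added example, not part of the original post; the function name `Set-Dot1xBlockTime` and its parameters are illustrative, and it assumes the hotfix is already installed and the prompt is elevated.

```powershell
# Added example: writes BlockTime (minutes, DWORD) under the wired and wireless
# subkeys named in the steps above. Function and parameter names are illustrative.
function Set-Dot1xBlockTime {
    param(
        # The article gives 1-60 as the valid range; 0 is rejected here because
        # the article says a value of 0 does not apply at all.
        [ValidateRange(1, 60)]
        [int]$Minutes = 2,

        # Wired = dot3svc, Wireless = wlansvc, Both = both subkeys.
        [ValidateSet('Wired', 'Wireless', 'Both')]
        [string]$Scope = 'Both'
    )

    # Writing under HKEY_LOCAL_MACHINE needs an elevated token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    $keys = @()
    if ($Scope -ne 'Wireless') { $keys += 'HKLM:\SOFTWARE\Microsoft\dot3svc' }
    if ($Scope -ne 'Wired')    { $keys += 'HKLM:\SOFTWARE\Microsoft\wlansvc' }

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) {
            Write-Warning "$key not found; skipping."
            continue
        }
        # -Force overwrites an existing BlockTime value instead of failing.
        New-ItemProperty -Path $key -Name 'BlockTime' -PropertyType DWord `
            -Value $Minutes -Force | Out-Null

        # Read the value back so the result can be logged by the deployment task.
        $actual = (Get-ItemProperty -Path $key -Name 'BlockTime').BlockTime
        New-Object PSObject -Property @{ Key = $key; BlockTime = $actual }
    }
}

# Apply the small value suggested in the post to both subkeys.
Set-Dot1xBlockTime -Minutes 2 -Scope Both
```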

Hope this helps you in your deployments!

Jeff, Carl and Yong

Comments

  • Anonymous
    January 01, 2003
    If the steps above don't resolve your issue, Raj, I can only suggest contacting support; something else is amiss here.

  • Anonymous
    January 01, 2003
    ty

  • Anonymous
    September 09, 2013
    Jeff, I had installed this hotfix and created the registry entry for block time (1 minute) on a Windows 7 domain PC. But the behaviour did not change; the block time remained 20 minutes. I also installed the hotfix KB980295, but it also did not change the block time behaviour. The wired 802.1x policy is configured through Group Policy. The Group Policy Object settings do not show an "Enable Block time" option. Please advise on how to resolve this issue and reduce the block time to 1 minute.

  • Anonymous
    October 01, 2013
    Try netsh lan set blockperiod value=0. No need to modify registry. Worked for me.

  • Anonymous
    October 01, 2013
    The PC is in a domain and the dot1x profile is set by Group Policy. When entering "netsh lan set blockperiod value=0", an access denied error message is displayed.

  • Anonymous
    November 25, 2015
    C:>netsh lan set blockperiod value=0

    Error from function "Dot3SetAutoConfigParameter":
    Access is denied.

    You do not have sufficient privileges or group policy has been applied.

    C:>netsh lan set blockperiod value=1

    Error from function "Dot3SetAutoConfigParameter":
    Access is denied.

    You do not have sufficient privileges or group policy has been applied.

  • Anonymous
    December 06, 2015
    Yeah you need admin rights for this.

  • Anonymous
    February 02, 2016
    Microsoft support engineer told me the valid range is 1 - 60 minutes, and that if you set the value to 0, then the block timer will keep the default value of 20 minutes. Has anyone found conclusive evidence that block timer can be set to 0?

  • Anonymous
    February 02, 2016
    No it can't. 1-60 are valid.

  • Anonymous
    May 25, 2016
    Is there any reason not to set it to 1 minute? I know if there is an 802.1x failure it will send out packets every minute, but that's OK. 20 minutes is way too long...

    • Anonymous
      July 07, 2016
      Uh, not that I've found, no. :(

  • Anonymous
    February 10, 2017
    Hello, how do I install this fix on a Windows 7 Standard Embedded system?