Connecting Departmentally owned Windows 11 devices to ethernet
By default, Departmentally managed Windows devices will reside on the network 'Open Desktop' or 'Open Laptops'. Some services require that you are on either the 'Desktop' or 'Laptop' authenticated networks. Details on how to configure Windows 11 to connect to these authenticated networks are below.
Install the WIN authentication certificate
Download the WIN authentication certificate and double-click the file. Windows will display the certificate details:
Issued to: Certificate Authority
Issued by: Certificate Authority
Valid from 09/04/2019 to 09/04/2039
Confirm that the certificate is correct by clicking on the Details tab and then Issuer. This should display:
CN = Certificate Authority
O = IPA.FMRIB.OX.AC.UK
And the Thumbprint:
Return to the General tab and click on 'Install Certificate'. This will launch the certificate import wizard. For single user machines, 'Current User' is fine; multi-user machines should use Local Machine. Click Next.
Select Place all certificates in the following store and click Browse... Select Trusted Root Certification Authorities and click OK.
To enable logins to the network, open the Services control panel: enter 'Services' in the search box on the Windows tool bar, then, on the Services app summary on the right, click on Run as Administrator and enter an administrator's user account credentials if prompted.
Scroll through the list of services to find 'Wired AutoConfig' - double-click on it and in the next window change Startup type to Automatic and then click on Start in the Service status section.
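The certificate checks and service change above can also be scripted, so that the certificate is only placed in the Trusted Root store after its details and thumbprint have been compared. The following is an added example, not a script supplied by the department; the file name win-auth-ca.cer and the parameter names are assumptions, and the expected thumbprint is a placeholder that must be replaced with the published value before the script will install anything.

```powershell
# Added example. Run from an elevated PowerShell session (needed for the service change).
param(
    [string]$CertPath = "$env:USERPROFILE\Downloads\win-auth-ca.cer",  # hypothetical file name
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-THE-PAGE>',        # placeholder, not a real value
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'CurrentUser'                                     # LocalMachine for multi-user machines
)
$ErrorActionPreference = 'Stop'

# Accept thumbprints written with spaces or colons; Windows reports 40 uppercase hex digits (SHA-1).
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) {
    throw 'Set -ExpectedThumbprint to the full 40-hex-digit thumbprint before running.'
}

$CertPath = (Resolve-Path -Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# These checks mirror the details the page asks you to confirm by eye.
$problems = @()
if ($cert.GetNameInfo('SimpleName', $false) -ne 'Certificate Authority') { $problems += 'unexpected "Issued to"' }
if ($cert.GetNameInfo('SimpleName', $true) -ne 'Certificate Authority')  { $problems += 'unexpected "Issued by"' }
if ($cert.Issuer -notmatch 'O=IPA\.FMRIB\.OX\.AC\.UK') { $problems += 'unexpected issuer organisation' }
if ($cert.NotBefore.Year -ne 2019 -or $cert.NotAfter.Year -ne 2039) { $problems += 'unexpected validity period' }
if ($cert.Thumbprint -ne $expected) { $problems += "thumbprint mismatch (file has $($cert.Thumbprint))" }
if ($problems.Count -gt 0) {
    throw "Refusing to install ${CertPath}: $($problems -join '; ')"
}

# Only a certificate that passed every check is added to Trusted Root Certification Authorities.
Import-Certificate -FilePath $CertPath -CertStoreLocation "Cert:\$Scope\Root" | Out-Null

# 'Wired AutoConfig' has the service name dot3svc; set it to Automatic and start it.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc
Get-Service -Name dot3svc | Select-Object Name, Status, StartType
```

With the default 'CurrentUser' scope, Windows still shows its own confirmation dialog before adding a root certificate.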
Configure Network Logins
In the Windows search field enter Network and open the View Network Connections control panel that will be offered. Identify your ethernet network connection and right click on it, selecting Properties. Enter the admin password if requested. Along the top of this window you should find an Authentication tab. Click on this.
Tick the Enable IEEE 802.1X authentication box and make sure Microsoft: EAP-TTLS is selected. In the Settings, find 'Certificate Authority' and tick it, then confirm that the Client authentication is set to Select a non-EAP method for authentication with Unencrypted password (PAP) selected (this should be the default). Click OK to close the settings.
Now click on Additional Settings...
Tick Specify authentication mode and select User authentication from the drop-down. Click OK.
Make sure that Fallback to unauthorized network access is ticked.
You should now get a prompt to Sign in.
Open the Windows Settings application and click on Network & internet. This should show your network connection and indicate that sign in is required. Click Sign in and then view the certificate that is offered. Check that the fingerprint matches the value below:
66 9D 61 23 60 4F EF 94 A6 F5 7D C5 A3 E3 91 E4 58 8A 06
If it does, click Connect and then enter your WIN computer credentials.