Why 802.1X EAP-TLS Cert Re-Prompts at Every Sign-In on Windows 11
🔍 WiseChecker


When you connect to a corporate Wi-Fi or wired network using 802.1X with EAP-TLS, the Windows 11 supplicant authenticates with a client certificate rather than a password, and with a correctly configured profile it selects that certificate silently: no prompt appears at all. If you see a certificate picker or a connection failure every time you log on, the supplicant cannot select a certificate on its own at the moment it needs one. The usual reasons are that the certificate sits in the wrong store for the configured authentication mode (Current User instead of Local Machine), that the network profile is set to user rather than computer authentication, or that a Group Policy wireless or wired policy overrides the local profile with settings that permit a user-side dialog at logon. This article explains why the re-prompt happens and provides step-by-step fixes to resolve it permanently.

Key Takeaways: Fixing 802.1X EAP-TLS Certificate Re-Prompts on Windows 11

  • certlm.msc (Local Machine certificate store): Keep the client certificate, with its private key, in the Computer account's Personal store so it is readable before any user signs in.
  • Group Policy > Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies (and the matching Wired Network (IEEE 802.3) Policies): Set the EAP-TLS profile's authentication mode to Computer authentication; a domain policy overrides whatever is configured locally.
  • netsh wlan export profile / add profile: The 802.1X authentication mode is the <authMode> element of the profile XML; netsh wlan set profileparameter has no switch for it, so export the profile, set <authMode>machine</authMode>, and re-add it with user=all.


Why Windows 11 Re-Prompts for an 802.1X EAP-TLS Certificate at Every Sign-In

Windows 11 authenticates to an 802.1X network with EAP-TLS (Extensible Authentication Protocol with Transport Layer Security): the supplicant presents a client certificate to the authenticator (switch or access point), which relays the exchange to the RADIUS server for validation. There is no password to cache; every authentication and re-authentication uses the certificate, and whether you see a prompt depends only on whether the supplicant can pick a certificate without asking. With computer (machine) authentication the supplicant runs as the system when the interface comes up, reads the Local Machine store, and has no interactive session in which to prompt. With user authentication it runs in the user's session after logon, reads the Current User store, and raises a certificate picker whenever it cannot select a single suitable certificate, which is why the prompt recurs at every sign-in.

The root cause is almost always one of the following:

  • The client certificate is in the Current User store (certmgr.msc) instead of the Local Machine store (certlm.msc). Nothing that runs before logon can read a user's store, so a profile that authenticates as the computer finds no certificate there, and a profile that falls back to user authentication cannot act until the user is on the desktop.
  • The network profile is set to user authentication, or to user or computer authentication without a usable machine certificate. User authentication runs in the user's session, so every logon is a fresh authentication, and if the supplicant finds zero or several suitable certificates it asks the user to choose one.
  • A Group Policy wireless or wired policy overrides the local profile. User authentication combined with single sign on (Enable single sign on for this network, Perform immediately before user logon, Allow additional dialogs) permits the supplicant to raise a certificate dialog during every logon.
  • The certificate itself is unusable: expired, revoked, lacking the Client Authentication enhanced key usage, or stored without its private key. A different prompt (asking whether to continue connecting) appears when the RADIUS server's certificate fails the server validation configured in the profile, because its root CA is not trusted or its subject does not match the configured server name; that is a server-validation setting, not a client-certificate problem.

Understanding these causes helps you target the correct fix. In most enterprise environments, the fix involves moving the certificate to the machine store and adjusting the network profile settings.

Steps to Stop the 802.1X EAP-TLS Certificate Re-Prompt on Windows 11

Follow these steps in order. Each step addresses a specific cause of the re-prompt.

Step 1: Move the Client Certificate to the Local Machine Store

  1. Open the Microsoft Management Console (MMC) for Certificates
    Press Win + R, type certlm.msc, and press Enter. This opens the Local Machine certificate store.
  2. Import or move the client certificate
    If the certificate is already in the Current User store (certmgr.msc), export it as a PFX file with the private key; this only works if the key was marked exportable when it was enrolled. In certlm.msc, right-click Personal, select All Tasks > Import, and follow the wizard. Leave Mark this key as exportable unchecked unless you have a concrete reason to re-export later: a machine certificate with an exportable key is easy to copy off the device by anyone with local administrator rights. Note that moving a user's certificate into the machine store does not turn it into a machine certificate; the RADIUS server still sees the user's identity in it. The clean fix is to enroll a proper machine certificate (for example from the Workstation Authentication template) directly into the Local Machine store.
  3. Verify the certificate is in the correct store
    Expand Personal > Certificates in certlm.msc. Confirm the client certificate appears with a private key icon (a key overlay on the certificate icon).
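
The following PowerShell is an added example, not from the original article, that performs Steps 1 to 3 from an elevated prompt and checks what the supplicant will actually see: it imports a PFX into the Local Machine Personal store without marking the key exportable, then lists the certificates there that have a private key, are time-valid and carry the Client Authentication extended key usage, together with their issuing template and whether their chain (including revocation) validates. The PFX path and password prompt are placeholders; the functions use only the built-in PKI module cmdlets.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# The PFX path used in the usage line is a placeholder.

function Import-MachineClientCert {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,          # placeholder path, e.g. C:\temp\client.pfx
        [Parameter(Mandatory)] [securestring] $Password
    )
    # No -Exportable: once imported, the private key cannot be exported again,
    # which limits what a local administrator (or malware running as one) can carry off the box.
    Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -Password $Password
}

function Get-EapTlsCandidateCert {
    # Certificates in the machine Personal store that the supplicant can actually use for
    # EAP-TLS: private key present, currently valid, Client Authentication EKU present.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid)
    }
}

function Test-EapTlsCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )
    # Microsoft "Certificate Template Information" extension (OID 1.3.6.1.4.1.311.21.7).
    # On an AD CS issued certificate it names the template: a machine certificate normally
    # comes from a Workstation Authentication style template, a user certificate from User.
    $tmplExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    # Build and check the chain the way the supplicant would, including revocation.
    # An expired or revoked certificate or a missing intermediate shows up here.
    $chainOk = Test-Certificate -Cert $Cert -EKU '1.3.6.1.5.5.7.3.2' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Template   = $template
        ChainValid = [bool]$chainOk
    }
}

# Usage (placeholder path):
# Import-MachineClientCert -PfxPath 'C:\temp\client.pfx' -Password (Read-Host -AsSecureString 'PFX password')
Get-EapTlsCandidateCert | ForEach-Object { Test-EapTlsCert -Cert $_ } | Format-Table -AutoSize
```

If the final table is empty, the supplicant has nothing to select and the prompt is expected. If it lists more than one certificate, simple certificate selection may pick a different one than you intend; narrow it with the Advanced filter in the EAP-TLS properties (issuer or extended key usage) rather than leaving the choice to the user.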

Step 2: Configure the Network Profile for Machine-Based Authentication

  1. Open Network and Sharing Center
    Go to Settings > Network & internet > Advanced network settings > More network adapter options. For a wired (Ethernet) adapter, the Authentication tab only exists while the Wired AutoConfig service (dot3svc) is running; if the tab is missing, start that service and set its startup type to Automatic first.
  2. Open the properties of the wireless or Ethernet adapter
    Right-click the active network adapter and select Properties.
  3. Edit the 802.1X settings
    Go to the Authentication tab. Under Select authentication method, choose Microsoft: Smart Card or other certificate (EAP-TLS) and click Settings.
  4. Enable machine certificate selection
    In the Smart Card or other Certificate Properties window, select Use a certificate on this computer and leave Use simple certificate selection (Recommended) checked. Simple selection means Windows picks a suitable certificate from the store that matches the authentication mode; you do not pick a specific certificate here. If the machine store holds more than one certificate with the Client Authentication usage, click Advanced and filter by issuer or extended key usage so the selection is unambiguous. Also confirm that Verify the server's identity by validating the certificate is checked and the correct trusted root CA is ticked, otherwise a server-validation prompt can appear. Click OK.
  5. Set the authentication mode
    Back on the Authentication tab, click Additional Settings. Check Specify authentication mode and select Computer authentication. This is the setting that stops user-side prompts: the supplicant authenticates as the computer when the interface comes up and never switches to the user's certificate. Choose User or computer authentication only if your RADIUS policy needs the user identity after logon; in that mode Windows authenticates as the computer before logon and re-authenticates as the user afterwards, and a prompt at logon means the user's own certificate (in certmgr.msc) could not be selected automatically. Single sign on (Enable single sign on for this network, Perform immediately before user logon) is a user-authentication feature and is not needed for Computer authentication. Click OK.

Step 3: Clear and Refresh the Network Profile via Command Line

  1. Open Command Prompt as Administrator
    Press Win + X, select Terminal (Admin) or Command Prompt (Admin).
  2. List all wireless profiles
    Type netsh wlan show profiles and press Enter. Note the profile name of your corporate network.
  3. Export the profile to XML
    Type netsh wlan export profile name="YourProfileName" folder=C:\Temp and press Enter (any folder will do). The file is written as <interface>-<profile>.xml, for example Wi-Fi-YourProfileName.xml. For a wired adapter use netsh lan export profile folder=C:\Temp instead. EAP profiles contain no key material, so the file holds nothing secret.
  4. Set the authentication mode in the XML
    netsh wlan set profileparameter has no switch for the 802.1X authentication mode or the EAP method; both live in the OneX section of the profile XML. Open the exported file, find the <OneX> element under <security>, and set <authMode>machine</authMode>. If the element is absent, add it immediately before <EAPConfig> (when it is absent the default is machineOrUser). The EAP method is the <Type> value inside <EAPConfig>, where 13 is EAP-TLS (Microsoft: Smart Card or other certificate); do not edit the EAPConfig section by hand unless you know its schema, change the method through the GUI or a policy instead.
  5. Re-add the profile
    Type netsh wlan add profile filename="C:\Temp\Wi-Fi-YourProfileName.xml" user=all and press Enter. Adding a profile with the same name replaces the existing one, and user=all makes it an all-users profile, which computer authentication requires. Confirm with netsh wlan show profile name="YourProfileName".
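
The same export, edit and re-add sequence as a repeatable script, added here as an example and not part of the original article: it exports the named Wi-Fi profile, sets (or inserts) the OneX <authMode> element, and re-adds the profile as an all-users profile. The profile name is a placeholder; the element names are those of the Windows WLAN profile schema (WLANProfile/MSM/security/OneX). A wired profile exported with netsh lan can be handled the same way with LANProfile in place of WLANProfile and netsh lan add profile to re-add it.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# netsh wlan set profileparameter has no authMode switch; the OneX <authMode> element in the
# profile XML is the setting that controls the 802.1X authentication mode.

function Set-WlanOneXAuthMode {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,                       # as listed by: netsh wlan show profiles
        [ValidateSet('machine', 'user', 'machineOrUser')] [string] $AuthMode = 'machine'
    )

    $workDir = Join-Path $env:TEMP ('wlanprof-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $workDir | Out-Null
    try {
        # netsh writes "<interface>-<profile>.xml" into the folder. EAP profiles carry no
        # key material, so nothing sensitive lands on disk.
        netsh wlan export profile name="$ProfileName" folder="$workDir" | Out-Null
        $file = Get-ChildItem -Path $workDir -Filter '*.xml' | Select-Object -First 1
        if (-not $file) { throw "Profile '$ProfileName' not found or not exportable." }

        [xml] $xml = Get-Content -Path $file.FullName -Raw
        $onex = $xml.WLANProfile.MSM.security.OneX
        if (-not $onex) { throw "Profile '$ProfileName' has no OneX section; it is not an 802.1X profile." }

        if ($onex.SelectSingleNode("*[local-name()='authMode']")) {
            $onex.authMode = $AuthMode
        }
        else {
            # authMode is optional in the schema (default machineOrUser) and must come before
            # EAPConfig, so insert it there rather than appending at the end.
            $el = $xml.CreateElement('authMode', $onex.NamespaceURI)
            $el.InnerText = $AuthMode
            $eapCfg = $onex.SelectSingleNode("*[local-name()='EAPConfig']")
            $onex.InsertBefore($el, $eapCfg) | Out-Null
        }
        $xml.Save($file.FullName)

        # Re-adding a profile with the same name replaces it. user=all makes it an all-users
        # profile, which machine authentication requires (a per-user profile is not loaded at boot).
        netsh wlan add profile filename="$($file.FullName)" user=all
    }
    finally {
        Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder profile name), then verify:
# Set-WlanOneXAuthMode -ProfileName 'CorpWiFi' -AuthMode machine
# netsh wlan show profile name="CorpWiFi"
```

On a domain-joined device whose wireless settings come from a Group Policy wireless policy, the policy re-applies its own profile at the next refresh and overwrites this edit; change the authentication mode in the policy (Step 4) in that case.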

Step 4: Verify Group Policy Settings (Enterprise Environments Only)

  1. Open Local Group Policy Editor
    Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to Wireless Policy settings
    Go to Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.
  3. Edit the existing policy or create a new one
    Double-click the policy that applies to your network, open the profile for your SSID, and go to the Security tab. Set Authentication Mode to Computer authentication. Under Select a network authentication method choose Microsoft: Smart Card or other certificate and click Properties, then select Use a certificate on this computer with simple certificate selection. The thumbprints listed in that dialog are Trusted Root Certification Authorities used to validate the RADIUS server's certificate, not the client certificate; tick the CA that issued your server certificate. There is no client-certificate thumbprint to specify, because client certificate selection is automatic.
  4. Review the Single Sign On tab
    On the Single Sign On tab, Enable single sign on for this network and Perform immediately before user logon apply to user authentication; with Computer authentication selected they are not needed, and leaving Allow additional dialogs unchecked prevents the supplicant from raising certificate dialogs during logon. Click OK. Run gpupdate /force on the client and reconnect. A domain policy overrides any profile edited locally in Step 2 or Step 3, so if the prompt came back after a policy refresh, this policy is where the fix must live.


Common Issues After Fixing the 802.1X EAP-TLS Certificate Prompt

Certificate Not Found in the Local Machine Store After Import

If you import the PFX file into certlm.msc and the certificate does not appear under Personal > Certificates, first confirm you imported into the right store: the wizard's Store Location must be Local Machine, and from an elevated prompt certutil -store My lists that store while certutil -user -store My lists the current user's. If the certificate appears but without the key icon, the PFX was exported without the private key, or the key was not exportable at the source. Re-export from the source with Yes, export the private key selected and Export all extended properties checked; Enable certificate privacy encrypts the certificate data as well as the key and is harmless here.

Windows 11 Still Prompts for Credentials After Profile Changes

If the prompt persists, the network profile may be cached with old settings. Delete the profile and reconnect. Open Command Prompt as Administrator and type netsh wlan delete profile name=”YourProfileName”. Then reconnect to the network and re-enter the EAP-TLS settings.

EAP-TLS Authentication Fails After Moving Certificate

The RADIUS server authorizes the identity it finds inside the certificate, not the store the client read it from. A machine certificate carries the computer's FQDN (in the Subject Alternative Name or subject) and maps to the computer account in Active Directory; a user certificate carries the user's UPN and maps to the user account. If the NPS network policy only grants access to a user group, or the certificate you moved into the machine store is really a user certificate, the computer's pre-logon authentication is rejected. This is fixed on the server and in enrollment, not on the client: have the network administrator add the computers' group (for example Domain Computers) to the policy, and enroll a genuine machine certificate (Workstation Authentication template) instead of repurposing a user certificate.
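
To see which identity each certificate on the device actually represents before calling the network administrator, here is an added PowerShell example (not from the original article) that reads the Subject Alternative Name of every client-authentication certificate in both Personal stores and labels it as a machine identity (DNS name of this host) or a user identity (UPN). It assumes AD CS-style certificates, where a Workstation Authentication style template puts the host's DNS name in the SAN and a User style template puts the UPN there.

```powershell
# Added example (not from the original article). Run from a normal PowerShell session to see
# both stores (the Current User store is the running user's).

function Get-CertIdentityKind {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $hostName = [System.Net.Dns]::GetHostName()
    # Match "DNS Name=<host>" followed by a dot (FQDN), a separator, or end of string.
    $hostPattern = 'DNS Name=' + [regex]::Escape($hostName) + '(\.|,|$)'

    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $store | Where-Object {
            $_.HasPrivateKey -and
            (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid)
        } | ForEach-Object {
            $cert = $_
            # SAN extension (OID 2.5.29.17). Format($false) renders it on one line, e.g.
            # "DNS Name=host.corp.example" or "Other Name:Principal Name=alice@corp.example".
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

            $kind = if ($san -match 'Principal Name=')   { 'user (UPN)' }
                    elseif ($san -match $hostPattern)    { 'machine (this host)' }
                    elseif ($san -match 'DNS Name=')     { 'machine (different host name)' }
                    else                                 { 'unknown (no SAN, subject only)' }

            [pscustomobject]@{
                Store      = $store
                Identity   = $kind
                Subject    = $cert.Subject
                SAN        = $san
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

Get-CertIdentityKind | Format-Table -AutoSize
```

A row showing Cert:\LocalMachine\My with Identity user (UPN) is exactly the situation this section describes: the certificate is in the machine store, but the RADIUS server will see a user, and a policy written for computer accounts will reject it.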

802.1X EAP-TLS Machine vs User Authentication: Behavior Differences

Certificate store
    Machine authentication: Local Machine Personal store (certlm.msc)
    User authentication: Current User Personal store (certmgr.msc)
Available before user logon
    Machine authentication: Yes
    User authentication: No
Authentication timing
    Machine authentication: When the interface comes up at boot (and on each re-authentication), in the system context
    User authentication: After the user logs on, in the user's session
Certificate prompt frequency
    Machine authentication: Never; there is no interactive session to prompt in, so failures are logged rather than shown
    User authentication: Whenever the supplicant cannot select a single suitable certificate, which can be every sign-in
RADIUS server configuration
    Machine authentication: Identity maps to the computer account in Active Directory (host FQDN in the certificate)
    User authentication: Identity maps to the user account in Active Directory (UPN in the certificate)
Typical enterprise use case
    Machine authentication: Domain-joined devices, including shared workstations, where the network must be up before logon
    User authentication: Per-user access decisions, user-owned devices without a machine certificate, or remote access scenarios

After applying the fixes in this article, Windows 11 authenticates as the computer with the machine certificate as soon as the network interface comes up, before any user signs in, and no certificate picker appears at logon. Test the configuration by restarting the device and confirming that the network connects without intervention while the logon screen is still displayed. For enterprise environments, do not try to push client certificates through a GPO: a GPO can distribute public certificates such as root CAs, but not private keys. Instead, enable certificate autoenrollment under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment with a Workstation Authentication-style template, so every domain-joined machine requests its own certificate directly into certlm.msc with a non-exportable key.
