6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.2: The Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 PEAP implementations do not support PEAP Phase 2 packet fragmentation.

<2> Section 2.2.6: Microsoft PEAP clients never exchange outer TLVs during PEAP authentication. However, if a PEAP server or client implementation sends outer TLVs during phase 1, PEAP clients will utilize them in computing the compound MAC of the Cryptobinding TLV. The Windows NT, Windows 2000, Windows XP, and Windows Server 2003 PEAP clients prior will ignore the outer TLVs.

<3> Section 3.1.1: The Windows NT, Windows 2000, Windows XP, and Windows Server 2003 PEAP implementations do not support Cryptobinding TLVs (section 2.2.8.1.1).

<4> Section 3.1.1: The ADM element is initialized with the value configured at the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25\BypassNegotiation. It is not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<5> Section 3.1.1: The ADM element is initialized with the value configured at the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25\AssumePhase2Fragmentation. It is not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<6> Section 3.1.1: Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not support Capabilities Negotiation Method (section 2.2.8.3) packets; in these cases, the peer responds with an EAP NAK and the server never sends a Capabilities Negotiation Method packet.

<7> Section 3.1.1: The Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 PEAP implementations do not support PEAP Phase 2 packet fragmentation.

<8> Section 3.1.5.5: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 do not implement cryptobinding. Use of cryptobinding can be configured on both PEAP server and PEAP peer implementations.

Windows PEAP server implementations always send cryptobinding TLVs. If a server implementation configured to enforce cryptobinding TLVs sends a cryptobinding TLV and does not receive one in response, it ends the conversation by sending an EAP-Failure. If the enforcement is not configured and the server does not receive a cryptobinding TLV, it is processed without cryptobinding support.

Windows PEAP peer implementations can be configured to enforce the exchange of a cryptobinding TLV. A peer receiving a cryptobinding TLV responds with a cryptobinding TLV irrespective of the configuration. If the peer is configured to expect a cryptobinding TLV and does not receive one, it ends the conversation by sending a Failure Result TLV (section 2.2.8.1.2). If the peer does not receive a cryptobinding TLV and is not configured to expect a cryptobinding TLV, the peer processes the packet without cryptobinding support.
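The enforcement rules in note <8>, modelled as an added example (not part of the Microsoft specification), enumerate which configuration combinations leave a session without cryptobinding. The function names and the `bound`/`unbound`/`rejected` labels are illustrative, and the model assumes that a peer without cryptobinding support returns no cryptobinding TLV.

```python
from itertools import product

def cryptobinding_outcome(server_sends, server_enforces, peer_implements, peer_enforces):
    """Model one cryptobinding TLV exchange.

    Returns (state, terminating_message). state is 'bound', 'unbound' or
    'rejected'; these labels are illustrative, not terms from the spec.
    """
    if server_sends:  # Windows PEAP servers always send a cryptobinding TLV
        if peer_implements:
            # A peer that receives a cryptobinding TLV answers with one,
            # irrespective of its own enforcement setting.
            return ("bound", None)
        # Assumption: a peer without cryptobinding support sends no TLV back.
        if server_enforces:
            return ("rejected", "EAP-Failure from server")
        return ("unbound", None)
    # The server sent no cryptobinding TLV (an implementation without support).
    if peer_implements and peer_enforces:
        return ("rejected", "Failure Result TLV from peer")
    return ("unbound", None)

def outcome_matrix():
    """Evaluate every meaningful combination of the four settings."""
    rows = {}
    for combo in product([True, False], repeat=4):
        s_sends, s_enf, p_impl, p_enf = combo
        # Enforcement is only meaningful on a side that implements cryptobinding.
        if (s_enf and not s_sends) or (p_enf and not p_impl):
            continue
        rows[combo] = cryptobinding_outcome(*combo)
    return rows

def unbound_configurations():
    """Combinations where authentication continues without cryptobinding."""
    return sorted(c for c, (state, _) in outcome_matrix().items() if state == "unbound")

if __name__ == "__main__":
    header = ("srv_sends", "srv_enforces", "peer_impl", "peer_enforces")
    print(header)
    for combo, (state, message) in sorted(outcome_matrix().items()):
        print(combo, state, message or "")
```

Every `unbound` row has enforcement disabled on whichever side could have detected the missing TLV; that is the setting to audit on deployments that still include peers or servers without cryptobinding support.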

<9> Section 3.2.1: Not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 PEAP implementations.

<10> Section 3.2.1: Not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 PEAP implementations.

<11> Section 3.2.3: Not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 PEAP implementations.

<12> Section 3.2.3: BypassCapNegotiation is initialized from "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25\BypassNegotiation". AssumePhase2Frag is initialized from "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25\AssumePhase2Fragmentation".

<13> Section 3.2.5.4.6: The Windows PEAP peer implementations never send the Capabilities Method Response (section 2.2.8.3.2) packet with the F flag set to zero.

<14> Section 3.2.7.1: Windows uses the certificates in the "machine trusted root CA store" to validate the trust anchor of the server certificate.

<15> Section 3.3.3: Not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<16> Section 3.3.3: BypassCapNegotiation is initialized from "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25\BypassNegotiation". AssumePhase2Frag is initialized from "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25\AssumePhase2Fragmentation".

<17> Section 3.3.5.4.3: The Windows PEAP server implementations never send a Capabilities Method Request (section 2.2.8.3.1) packet with the F flag set to zero.

<18> Section 3.3.5.4.6: The Windows NT, Windows 2000, Windows XP, and Windows Server 2003 PEAP implementations do not support SoH [TNC-IF-TNCCSPBSoH] TLV transmission and processing.