06-23-2026 07:58 AM
Hello Folks,
I am currently planning a TEAP deployment for Windows endpoints and would appreciate insights from those who have implemented this at scale.
From a best-practice perspective, is it recommended to deploy the wired and wireless TEAP profiles using Group Policy (Wired/Wireless Network Policies), or would deploying the XML profiles via SCCM scripts be a better approach?
One concern I have with the GPO method is that if the GPO is accidentally unlinked, deleted, or its scope changes, the locally applied profile may be removed from the client, potentially impacting network connectivity.
I also have a question regarding the Wired AutoConfig (dot3svc) service. Since the service needs to be running for wired 802.1X authentication, once it has been configured and started (Startup Type = Automatic) using scripts, can it be reverted back to Manual? Is there any scenario where this was reverted back to Manual, causing network disruption?
Additionally, has anyone successfully deployed TEAP profiles using scripts (SCCM, PowerShell, netsh, etc.)? I have tested this approach on a few devices and it appears to work well, but I would like to understand the community’s experience and recommended best practices, especially in larger enterprise environments.
Appreciate your expertise and any lessons learned from your deployments.
Thanks in advance!
06-23-2026 08:42 AM
@Hanmer FWIW, I've only seen customer deployments deploy 802.1X supplicant settings using either GPO or MDM. This seems to be the typical method used by others to deploy these settings from my experience on this forum. I would not recommend using SCCM or scripts.
The only scenario I've seen SCCM used was when using Cisco Secure Client NAM, which requires a profile to be deployed.
It seems to be Cisco's recommended approach. https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2024/pdf/BRKSEC-2347.pdf
06-23-2026 09:23 AM - edited 06-23-2026 09:34 AM
Thank you @Rob Ingram for your valuable insights.
Our objective is to ensure that the PowerShell script used to deploy the profiles keeps the wired and wireless profiles persistent on the endpoint and independent of GPO, thereby eliminating the risk of profile removal when the GPO is no longer applied. We would like to understand why this approach is not recommended, given that it achieves the same outcome as GPO deployment, with the key difference being that profiles deployed via script remain persistent, whereas profiles deployed through GPO are removed when the corresponding policy is absent.
Additionally, we are planning to completely remove the Cisco AnyConnect NAM module and leverage the native Windows supplicant for TEAP, which is supported on Windows 10 version 2004 and later, as well as Windows 11. Given this direction, we would like to understand if there are any concerns or limitations with using a script-based deployment approach for maintaining the wired and wireless TEAP profiles.
Is there a technical limitation or unsupported scenario with deploying native Windows TEAP profiles via SCCM/PowerShell, or is the recommendation against it based primarily on operational best practices and customer convention? Since our goal is to maintain profile persistence and eliminate dependence on GPO, we would like to understand whether there are any specific risks or supportability concerns with this approach.
It's a basic PowerShell cmd pushed via SCCM which applies the profile:
netsh lan add profile filename=LanProfile.xml
netsh wlan add profile filename=WlanProfile.xml
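
As an added example (not code from any post in this thread), here is a guarded version of the two netsh commands above: it confirms each XML file is a TEAP profile before import, makes sure the matching AutoConfig service is set to Automatic and running, and fails loudly so SCCM records the error. The function names, the WlanSvc service name for the wireless side, and the assumption that the XML files sit next to the script are choices made for this example.

```powershell
# Added example, not from the thread. File names are the ones used in the post;
# the XML files are assumed to sit in the same folder as this script.
$ErrorActionPreference = 'Stop'
$TeapEapType = '55'   # EAP method type assigned to TEAP (RFC 7170)

function Test-TeapProfile {
    param([string]$Path)
    # Parsing first keeps a truncated or hand-edited file away from netsh.
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    # Assumption: the outer method is the first EapMethod/Type element.
    $type = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    return ($null -ne $type -and $type.InnerText.Trim() -eq $TeapEapType)
}

function Install-SupplicantProfile {
    param([string]$Context, [string]$Service, [string]$File)
    if (-not (Test-TeapProfile -Path $File)) { throw "$File is not a TEAP profile" }

    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "[$Context] $Service not installed, skipped"; return }

    # The netsh lan/wlan contexts need their AutoConfig service running.
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name $Service -StartupType Automatic }
    if ($svc.Status -ne 'Running')      { Start-Service -Name $Service }

    # Only stdout is captured: redirecting native stderr under 'Stop' can throw.
    $out = & netsh.exe $Context add profile "filename=$File" | Out-String
    if ($LASTEXITCODE -ne 0) { throw "netsh $Context add profile failed: $out" }
    Write-Output "[$Context] $($out.Trim())"   # lands in the SCCM script output
}

Push-Location -LiteralPath $PSScriptRoot
try {
    Install-SupplicantProfile -Context lan  -Service dot3svc -File LanProfile.xml
    Install-SupplicantProfile -Context wlan -Service WlanSvc -File WlanProfile.xml
}
finally { Pop-Location }
```

Because nothing re-applies a script-deployed profile after the first run, the same script can be scheduled as a recurring deployment so that a changed service start type or a removed profile is corrected on the next cycle.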