When set, the OID_802_11_ENCRYPTION_STATUS OID requests that the miniport driver change its encryption mode. A single encryption mode value can be set, though this may enable one or more cipher suites or disable all cipher suites on the device. A transmit key is not required to set the encryption mode.

Encryption modes define the set of cipher suites that can be enabled on the 802.11 device:


WEP encryption is supported and enabled on the device. The device either does not support TKIP and AES or these cipher suites are disabled.

The WEP cipher suite as defined through this OID uses either 40-bit or 104-bit key lengths. Other extended key lengths are not supported for the WEP cipher suite.


WEP and TKIP encryption are supported and enabled on the device. The device either does not support AES or this cipher suite is disabled.


WEP, TKIP, and AES encryption are supported and enabled on the device.

The AES cipher suite as defined through this OID is AES-CCMP. If the device supports other variants of the AES cipher suite, it cannot advertise support for the Encryption3 encryption mode unless the device also supports AES-CCMP.

For more information regarding encryption modes, refer to 802.11 Encryption.

If the miniport driver cannot accept the specified encryption mode, it must return NDIS_STATUS_NOT_ACCEPTED.

If an invalid type is specified in the set request, the miniport driver must return NDIS_STATUS_INVALID_DATA.

If the device does not support Temporal Key Integrity Protocol (TKIP), the miniport driver must fail any set request that specifies Ndis802_11Encryption3Enabled or Ndis802_11Encryption2Enabled, and return NDIS_STATUS_NOT_SUPPORTED.

If the device does not support Advanced Encryption Standard (AES), the miniport driver must fail any set request that specifies Ndis802_11Encryption3Enabled, and return NDIS_STATUS_NOT_SUPPORTED.

If Wireless Equivalent Privacy (WEP), TKIP, or AES are enabled, but a transmit key is not available, the device must send only 802.1X packets unencrypted. In this scenario, the device must not send other types of packets, such as TCP or UDP packets.

When queried, this OID requests that the miniport driver return its current encryption mode. In response, the miniport driver can indicate which encryption mode is enabled or disabled, that the transmit key is absent, or that encryption is not supported.

The data passed in a query or set of this OID is the NDIS_802_11_ENCRYPTION_STATUS enumeration, which defines the following encryption status values:


Encryption using the WEP, TKIP, and AES cipher suites is not supported.


AES, TKIP, and WEP are disabled, and a transmit key is available.


WEP is enabled; TKIP and AES are disabled. A transmit key may or may not be available.


WEP, TKIP and AES are disabled. A transmit key is not available.


TKIP and WEP are enabled; AES is disabled. A transmit key is available.


TKIP and WEP are enabled; AES is disabled. A transmit key is not available.


AES, TKIP, and WEP are enabled, and a transmit key is available.


AES, TKIP, and WEP are enabled. A transmit keys is not available.

When a device is neither associated with an access point nor operating in ad hoc mode, the transmit key status is based on the availability of a transmit key in the set of default keys.

This OID enables or disables the cipher suites (and, for AES and TKIP, the integrity suites) in groups. For example, specifying Ndis802_11Encryption3Enabled enables TKIP, AES, and WEP. This behavior does not reflect any network-policy decisions made elsewhere that determine which ciphers an access point must support to allow a client to associate with it.

The device must not associate with an access point that advertises any cipher suite that is not supported by the device or is not enabled in the device's current encryption mode.

The following values are valid for set operations:





The following table shows the encryption modes that the miniport driver returns when queried by this OID. The returned value is based on the status of the device's cipher suites and availability of a transmit key.

Encryption mode returnedAES statusTKIP statusWEP statusTransmit key available
Ndis802_11EncryptionNotSupportedNot supportedNot supportedNot supportedNo
Ndis802_11EncryptionNotSupportedNot supportedNot supportedNot supportedYes
Ndis802_11Encryption1KeyAbsentDisabled / not supportedDisabled / not supportedDisabledNo
Ndis802_11EncryptionDisabledDisabled / not supportedDisabled / not supportedDisabledYes
Ndis802_11Encryption1EnabledDisabled / not supportedDisabled / not supportedEnabledNo
Ndis802_11Encryption1EnabledDisabled / not supportedDisabled / not supportedEnabledYes
Ndis802_11Encryption2KeyAbsentDisabled / not supportedEnabledEnabledNo
Ndis802_11Encryption2EnabledDisabled / not supportedEnabledEnabledYes


The encryption state affects some of the values in the 802.11 WPA and RSN information element (IE) of the device's associate and reassociate requests. The encryption state also determines whether the device associates with the access point or authenticates in ad hoc mode.

AP unicast cipherAP multicast cipherEncryption modeESS associate or IBSS authenticateAssociate unicast cipherAssociate multicast cipher
NoneWEPNdis802_11Encryption2EnabledNoNot applicableNot applicable
NoneWEPNdis802_11Encryption3EnabledNoNot applicableNot applicable
NoneTKIPNdis802_11Encryption1EnabledNoNot applicableNot applicable
NoneTKIPNdis802_11Encryption3EnabledNoNot applicableNot applicable
NoneAESNdis802_11Encryption1EnabledNoNot applicableNot applicable
NoneAESNdis802_11Encryption2EnabledNoNot applicableNot applicable
TKIPWEPNdis802_11Encryption1EnabledNoNot applicableNot applicable
TKIPWEPNdis802_11Encryption3EnabledNoNot applicableNot applicable
TKIPTKIPNdis802_11Encryption1EnabledNoNot applicableNot applicable
TKIPTKIPNdis802_11Encryption3EnabledNoNot applicableNot applicable
TKIPAESNdis802_11Encryption1EnabledNoNot applicableNot applicable
TKIPAESNdis802_11Encryption2EnabledNoNot applicableNot applicable
TKIPAESNdis802_11Encryption3EnabledNoNot applicableNot applicable
AESWEPNdis802_11Encryption1EnabledNoNot applicableNot applicable
AESWEPNdis802_11Encryption2EnabledNoNot applicableNot applicable
AESTKIPNdis802_11Encryption1EnabledNoNot applicableNot applicable
AESTKIPNdis802_11Encryption2EnabledNoNot applicableNot applicable
AESAESNdis802_11Encryption1EnabledNoNot applicableNot applicable
AESAESNdis802_11Encryption2EnabledNoNot applicableNot applicable




Send comments about this topic to Microsoft

© 2014 Microsoft