Windows 11 Now Enables Credential Guard by Default, Causing Issues for Some Enterprise Networks



Starting with Windows 11 22H2, Credential Guard is enabled by default on eligible devices, and that may cause issues for some enterprise networks. Credential Guard uses virtualization-based security to isolate the domain credentials held by the Local Security Authority (NT password hashes and Kerberos tickets) in a separate, protected process, so they cannot be read out of LSASS memory. A side effect is that authentication protocols which need the NT hash, or a value derived from it, outside that isolated process are blocked. NTLMv1 and MS-CHAPv2 are the prominent examples, and MS-CHAPv2 is exactly what PEAP/MSCHAPV2 uses. If you're not familiar with these terms, here's a brief explanation:

  • PEAP/MSCHAPV2 is a network authentication method used in enterprise environments, typically with 802.1X on wired and wireless networks and with some VPNs. PEAP builds a TLS tunnel to the authentication server, and inside that tunnel the user authenticates with a username and password using MS-CHAPv2.
  • NTLMv1 and MS-CHAPv2 are older challenge/response protocols that are considered insecure because the response is computed from the NT hash of the user's password with a weak, DES-based construction. A captured exchange can be cracked offline to recover the password or a password-equivalent hash, which is also why Credential Guard refuses to release the hash to them. NTLMv2 is not blocked by Credential Guard.

When Windows Defender Credential Guard is enabled, it blocks the use of these insecure protocols by design, which means that any device that enables Windows Defender Credential Guard may encounter issues with SSO (Single Sign-On) for network services that depend on them.

If you connect to a Wi-Fi network that uses PEAP-MSCHAPv2 from a Windows 11 22H2 device, you may get the error message "Can't connect to this network".

Devices that use 802.1X wireless or wired network connections, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session. This can be a major inconvenience for enterprise networks that rely on SSO for efficiency and ease of use.
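Before changing anything, it helps to know two things about an affected client: whether Credential Guard is actually running, and which of its saved network profiles still use MS-CHAPv2. The PowerShell below is an added example written for this article, not code from Microsoft, and it assumes a stock Windows 10/11 client where the Win32_DeviceGuard CIM class and `netsh wlan` are available. The function names are ours; run it from an elevated prompt. It reads the exported WLAN profile XML and treats an outer EAP method type of 25 as PEAP and 13 as EAP-TLS, and flags any profile whose EAP configuration references MsChapV2 (this covers PEAP-MSCHAPv2 and EAP-MSCHAPv2).

```powershell
# Added example (not from the original article): audit a Windows client for the
# Credential Guard / MS-CHAPv2 conflict. Run from an elevated PowerShell.
# Assumptions: Win32_DeviceGuard and "netsh wlan" exist (stock Windows 10/11).

function Get-CredentialGuardState {
    # SecurityServicesRunning contains 1 when Credential Guard is running
    # (2 is HVCI); SecurityServicesConfigured is what policy requested.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Running     = ($dg.SecurityServicesRunning -contains 1)
        Configured  = ($dg.SecurityServicesConfigured -contains 1)
        LsaCfgFlags = $lsa.LsaCfgFlags
        UefiLocked  = ($lsa.LsaCfgFlags -eq 1)
    }
}

function Get-WlanEapAudit {
    # Export every saved WLAN profile to XML (without keys) and report its outer
    # EAP method and whether MS-CHAPv2 appears anywhere in its EAP configuration.
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile folder="$dir" | Out-Null
        foreach ($file in Get-ChildItem -Path $dir -Filter '*.xml') {
            [xml]$xml = Get-Content -Path $file.FullName -Raw
            $raw = $xml.OuterXml

            # First <Type> element in the profile is the EapCommon method type:
            # 25 = PEAP, 13 = EAP-TLS. PSK-only profiles have none.
            $outer = if ($raw -match '<Type[^>]*>\s*(\d+)\s*</Type>') { [int]$Matches[1] } else { $null }

            [pscustomobject]@{
                Profile      = $xml.WLANProfile.name
                OuterEapType = $outer
                UsesMsChapV2 = [bool]($raw -match 'MsChapV2')
                # Credential Guard breaks SSO only for the MS-CHAPv2 profiles.
                BrokenByCG   = [bool]($raw -match 'MsChapV2')
            }
        }
    }
    finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage: show Credential Guard state, then list the profiles that will lose SSO.
Get-CredentialGuardState | Format-List
Get-WlanEapAudit | Where-Object BrokenByCG | Format-Table -AutoSize
```

A profile that reports an outer type of 13 (EAP-TLS) with UsesMsChapV2 false is already on the certificate-based path Microsoft recommends and is unaffected; the ones flagged BrokenByCG are the candidates for migration. Wired 802.1X profiles are managed with `netsh lan` rather than `netsh wlan` and are not covered by this audit.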

Microsoft is recommending that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2 to certificate-based authentication such as PEAP-TLS or EAP-TLS, as Windows Defender Credential Guard doesn’t block certificate-based authentication: the client proves possession of a certificate's private key rather than a hash derived from the user's password. This does require a PKI and a way to enroll client or user certificates.

For a more immediate but less secure fix, organizations can disable Windows Defender Credential Guard. However, note that this leaves the derived domain credentials (NT hashes and Kerberos tickets) in LSASS memory, where any attacker who can dump that process can steal them. Unfortunately Windows Defender Credential Guard cannot be configured to allow specific protocols and must be either completely on or off. Note also that if it was enabled with UEFI lock, turning it off takes more than a policy change: the lock must first be cleared at the console.
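For organizations that choose the workaround, the following added example (ours, not Microsoft's script) disables Credential Guard by writing the LsaCfgFlags registry values that the Group Policy setting controls, and refuses to proceed when the device is UEFI-locked, since the registry change would not stick in that case. It assumes the 22H2 default enablement, which does not use the UEFI lock, and an elevated PowerShell session; a reboot is still required afterwards.

```powershell
# Added example (not from the original article): explicitly disable Credential Guard
# via the registry values behind the "Turn On Virtualization Based Security" policy.
# Assumption: enabled without UEFI lock (the 22H2 default). Requires elevation + reboot.

function Disable-CredentialGuardViaRegistry {
    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

    $current = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    if ($current -eq 1) {
        # 1 = enabled with UEFI lock. The setting is persisted in UEFI variables, so a
        # registry change alone will not disable it; clear the lock at the console first.
        throw 'Credential Guard is UEFI-locked; clear the UEFI lock before disabling via registry.'
    }

    # 0 = explicitly disabled. An explicit 0 is also what prevents the 22H2
    # default enablement from turning Credential Guard back on.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name LsaCfgFlags -Type DWord -Value 0
    Set-ItemProperty -Path $lsaKey    -Name LsaCfgFlags -Type DWord -Value 0

    Write-Output 'LsaCfgFlags set to 0 in policy and LSA keys. Reboot to apply.'
}

function Test-CredentialGuardStopped {
    # Run after the reboot: $true when Credential Guard is no longer running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return -not ($dg.SecurityServicesRunning -contains 1)
}

Disable-CredentialGuardViaRegistry
# After rebooting:
# Test-CredentialGuardStopped
```

If the device is domain-joined and the policy key is managed by Group Policy or Intune, set the same value in the management tool instead of locally, otherwise the next policy refresh will rewrite it.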

It's important to note that as part of the Windows 11, version 22H2 update, eligible devices that had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, provided they met the hardware requirements.

In conclusion, if you are part of an enterprise network that relies on SSO for network services, it's important to be aware of this known issue with Windows 11 and Credential Guard. Organizations can take steps to mitigate the issue by moving away from insecure protocols and towards certificate-based authentication or by disabling Windows Defender Credential Guard. However, it's important to weigh the security implications of these options before making a decision.

You can find more detail on the change on Microsoft’s website under "Credential Guard known issues".

