After loading a group of new laptops from scratch I noticed that none of them would connect to Wi-Fi. They would say “cannot connect” and the log showed “Explicit EAP failure received”. I tried various things to fix the Wi-Fi for an hour and finally gave up and reloaded one of the new machines with the previous version of Windows, and it connected to the network just fine. Our machines are domain-joined and use computer authentication against a RADIUS server with certificates. Connecting to an SSID that uses a name and password worked just fine. It turns out that Microsoft has turned Windows Defender Credential Guard on by default with Windows 11 22H2, which we are just now starting to use.
When you enable Windows Defender Credential Guard, you can no longer use classic NTLM authentication for single sign-on. You’ll be forced to enter your credentials to use these protocols and can’t save the credentials for future use. So, if you’re using Wi-Fi and VPN endpoints that are based on MS-CHAPv2 (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), you are no longer going to be able to make a connection. The reason is that MS-CHAPv2 answers the server’s challenge with the account’s NT hash, and Credential Guard keeps that hash inside the isolated LSA process where the supplicant cannot get at it; this applies to computer-account authentication on a domain-joined machine just as much as to user accounts. You will either have to move to certificate-based authentication with PEAP-TLS or EAP-TLS, or turn off Credential Guard in order to connect again.
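Before touching Credential Guard it is worth knowing exactly which saved Wi-Fi profiles depend on MS-CHAPv2. The script below is an added example, not code from the original post: it exports every saved WLAN profile with `netsh wlan export profile`, reads the EAP method numbers out of the profile XML, and flags any profile whose chain includes EAP type 26 (MS-CHAPv2). It assumes an elevated PowerShell session on Windows 10/11 with the WLAN AutoConfig service running; `$ExportDir` and the `$EapNames` lookup are my own names.

```powershell
# Added example (not from the original post): report which saved Wi-Fi profiles
# rely on MS-CHAPv2 and will therefore break once Credential Guard is running.
# Assumes an elevated session; $ExportDir is a scratch folder of my choosing.
$ExportDir = Join-Path $env:TEMP 'wlan-profiles'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# With no profile name, "netsh wlan export profile" writes every saved profile as XML.
# Without key=clear the PSKs stay encrypted; only the EAP section matters here.
netsh wlan export profile folder="$ExportDir" | Out-Null

# IANA EAP method numbers as they appear in the <Type> elements of the exported XML.
$EapNames = @{ 13 = 'EAP-TLS'; 21 = 'EAP-TTLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2'; 43 = 'EAP-FAST' }

$Results = foreach ($File in Get-ChildItem -Path $ExportDir -Filter *.xml) {
    [xml]$Doc = Get-Content -Path $File.FullName -Raw
    $Name = $Doc.WLANProfile.name

    # The exported profile mixes several XML namespaces, so match on local-name()
    # instead of hard-coding prefixes. Every <Type> below <EAPConfig> is an EAP
    # method number: PEAP lists the outer method (25) and the inner one (26 or 13).
    $Types = $Doc.SelectNodes("//*[local-name()='EAPConfig']//*[local-name()='Type']") |
        ForEach-Object { [int]$_.InnerText } | Sort-Object -Unique

    if (-not $Types) { continue }   # PSK / open networks have no EAPConfig at all

    [pscustomobject]@{
        Profile       = $Name
        EapMethods    = ($Types | ForEach-Object {
                            if ($EapNames.ContainsKey($_)) { $EapNames[$_] } else { "EAP-$_" }
                        }) -join ', '
        NeedsMSCHAPv2 = [bool]($Types -contains 26)   # true = will fail under Credential Guard
    }
}

$Results | Format-Table -AutoSize
Remove-Item -Path $ExportDir -Recurse -Force
```

A profile that shows `PEAP, EAP-MSCHAPv2` with `NeedsMSCHAPv2 = True` is the one producing “Explicit EAP failure received”; a profile showing `PEAP, EAP-TLS` or plain `EAP-TLS` is unaffected and needs no change.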
Disabling Windows Defender Credential Guard using Group Policy
If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.
- Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. In the “Credential Guard Configuration” section, set the dropdown value to “Disabled”.
- Restart the machine.
Disabling Windows Defender Credential Guard using Registry Keys
If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it’s sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
- Change the following registry settings to 0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
Note
Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0. For reference, a value of 1 means Credential Guard is enabled with UEFI Lock and 2 means enabled without UEFI Lock; if you find a 1, the registry change on its own will not take effect.
- Restart the machine.
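The registry procedure above, as an added example that is not part of the original post. The script checks whether Credential Guard is currently running through the `Win32_DeviceGuard` WMI class, refuses to continue if either `LsaCfgFlags` value is 1 (UEFI Lock, where the registry change alone would not take effect), and then sets both values to 0 rather than deleting them. It assumes an elevated PowerShell session; `$Keys` is my own variable name. Note that the second key is the one the “Turn On Virtualization Based Security” Group Policy writes to, so if a domain GPO still enables Credential Guard, policy refresh will put the value back and the Group Policy section above is the fix that sticks.

```powershell
# Added example (not from the original post): disable Credential Guard by setting
# both LsaCfgFlags values to 0, with the checks a sysadmin would want first.
# Run elevated; a reboot is still required afterwards.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'   # where the GPO writes
)

# Win32_DeviceGuard.SecurityServicesRunning lists running VBS services:
# 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI).
$Dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$Running = [bool]($Dg.SecurityServicesRunning -contains 1)
Write-Host "Credential Guard running now: $Running"

foreach ($Key in $Keys) {
    $Current = (Get-ItemProperty -Path $Key -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    if ($Current -eq 1) {
        throw "$Key\LsaCfgFlags is 1 (UEFI Lock). Setting it to 0 is not enough; the UEFI variable must be cleared first."
    }

    # Set the value to 0 rather than deleting it (deleting may leave Credential Guard on).
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name LsaCfgFlags -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "$Key\LsaCfgFlags was [$Current], now 0"
}

Write-Host 'Reboot required. Afterwards re-run the Win32_DeviceGuard query and confirm 1 is gone from SecurityServicesRunning.'
```

After the reboot, `SecurityServicesRunning` should no longer contain 1, and the PEAP-MSCHAPv2 profile should connect again.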
If Credential Guard was enabled with UEFI Lock, neither the Group Policy nor the registry steps above are enough on their own: the lock stored in UEFI has to be cleared as well, and that step needs someone at the console during the reboot to confirm it. In any case, disabling Credential Guard should only be a temporary fix until you can upgrade your authentication method to a more secure protocol such as EAP-TLS.