Windows 11 22H2 breaks NPS RADIUS for computer accounts

After loading a group of new laptops from scratch I noticed that none of them would connect to Wi-Fi. They would say “cannot connect” and the log showed “Explicit EAP failure received”. I tried various things to fix the Wi-Fi for an hour and finally gave up and reloaded one of the new machines with the previous version of Windows, and it connected to the network just fine. Our machines are domain-joined and use computer authentication against a RADIUS server with certificates. Connecting to an SSID that uses a name and password worked just fine. It turns out that Microsoft has turned Windows Defender Credential Guard on by default with Windows 11 22H2, which we are just now starting to use.

When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You’ll be forced to enter your credentials to use these protocols and can’t save the credentials for future use. So, if you’re using Wi-Fi and VPN endpoints that are based on MS-CHAPv2 (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), you are no longer going to be able to make a connection. You will either have to move to certificate-based authentication with PEAP-TLS or EAP-TLS, or turn off Credential Guard in order to connect again.

Disabling Windows Defender Credential Guard using Group Policy

If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.

    1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security. In the “Credential Guard Configuration” section, set the dropdown value to “Disabled”.
    2. Restart the machine.

Disabling Windows Defender Credential Guard using Registry Keys

If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it’s sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.

    1. Change the following registry settings to 0:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags

      Note: Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0.

    2. Restart the machine.
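The registry steps above can be scripted so that you first confirm Credential Guard is actually running on the machine, then write the two values and read them back. The following PowerShell is an added example, not code from the original post; it assumes the machine is not UEFI-locked (as the post requires) and that the shell is elevated. The `Win32_DeviceGuard` CIM class and its `SecurityServicesRunning` property are Microsoft's; the value 1 in that list means Credential Guard is running.

```powershell
# Added example (not from the original post). Assumes an elevated shell and no UEFI lock.
# 1. Check whether Credential Guard is configured and running before changing anything.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$cgConfigured = $dg.SecurityServicesConfigured -contains 1   # 1 = Credential Guard
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
Write-Host "Credential Guard configured: $cgConfigured, running: $cgRunning"

if (-not $cgRunning) {
    Write-Host "Credential Guard is not running; the Wi-Fi failure is likely something else."
    return
}

# 2. Set LsaCfgFlags to 0 under both keys named in the post. Deleting the values is not
#    enough, so each is explicitly written as a DWORD of 0 and then read back.
$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
)
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name 'LsaCfgFlags' -Value 0 -Type DWord
    $v = (Get-ItemProperty -Path $p -Name 'LsaCfgFlags').LsaCfgFlags
    Write-Host "$p\LsaCfgFlags = $v"
}

# 3. The change only takes effect after a reboot; do it explicitly when ready.
Write-Host "Restart the machine to complete the change (Restart-Computer)."
```

Re-running the first block after the reboot should report `running: False`; if it still shows `True`, Credential Guard was enabled by Group Policy or with a UEFI lock, and the registry edit alone will not clear it.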

Disabling Credential Guard should only be a temporary fix until you can upgrade your authentication method to use a more secure protocol.

About The Author

I have worked in the computer repair field since the early '90s. I was a technician and then Coordinator of Computer Repair for Regional Education Service Agency II (RESA 2) for 18 years. I currently work for Wayne County Schools as a Network Engineer/Technology Specialist. I am responsible for the schools' Internet access, Wi-Fi, networks, servers, laptops, desktops, and operating systems and software.
