Credential Guard and Network Authentication Advisory

Microsoft Windows operating systems are a critical component in our customers’ business operations. Security is just as important for business continuity. Microsoft has recently released enhanced security for your domain-joined computers to help keep your user credentials safe. This is called Windows Defender Credential Guard, and it is automatically enabled in Windows 11 Enterprise and Windows 11 Education editions as of version 22H2.

 

Why are we informing you?

This new security enhancement will affect the ability of Windows computers to successfully authenticate to your wireless or wired network. Proactive action needs to be taken to ensure you do not lose connectivity to your network after 22H2 is applied.

 

Are you sure this affects me?

This affects customers who use EAP-PEAP as the network authentication protocol, specifically on domain-joined computers running Windows 11 Enterprise or Windows 11 Education edition.
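The conditions above can be checked on an individual client. The following PowerShell is an added example, not code from Laketec or Microsoft. It assumes that build 22621 corresponds to 22H2, that the OS caption is in English, that EAP type 25 identifies PEAP, and that only wireless (WLAN) profiles need inspecting; the property names on the output object are made up for this example.

```powershell
# Added example: reports whether this client matches the conditions in the advisory.
# Assumptions: build 22621 = Windows 11 22H2; English OS caption;
# only WLAN profiles are inspected (wired 802.1X profiles are not).

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# SecurityServicesRunning contains the value 1 when Credential Guard is running.
$credGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# Export the WLAN profiles to a scratch folder. key=clear is not used,
# so any stored keys stay protected in the exported XML.
$tmp = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Push-Location $tmp
try {
    netsh wlan export profile folder=. | Out-Null
    # The outer EAP method is EapMethod/Type: 25 = PEAP, 13 = EAP-TLS.
    $xpath = "//*[local-name()='EapMethod']/*[local-name()='Type']"
    $peapProfiles = @(foreach ($f in Get-ChildItem -Filter *.xml) {
        $types = Select-Xml -Path $f.FullName -XPath $xpath
        if ($types | Where-Object { $_.Node.InnerText -eq '25' }) { $f.BaseName }
    })
} finally {
    Pop-Location
    Remove-Item -Recurse -Force $tmp
}

$hostMatches = $cs.PartOfDomain -and
               ($os.Caption -match 'Windows 11 (Enterprise|Education)') -and
               ([int]$os.BuildNumber -ge 22621)

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    Edition                = $os.Caption
    Build                  = $os.BuildNumber
    DomainJoined           = $cs.PartOfDomain
    CredentialGuardRunning = $credGuardRunning
    PeapWlanProfiles       = $peapProfiles -join ', '
    MatchesAdvisory        = [bool]($hostMatches -and $peapProfiles.Count -gt 0)
}
```

A host that matches on edition, build and domain membership but shows `CredentialGuardRunning` as false may still have Credential Guard turn on once 22H2 is applied, so the PEAP profile list is worth reviewing either way.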

 

What can you do about it?

For those affected, you will need to take one of two actions to mitigate the issue. Laketec’s recommendation is to migrate your network authentication protocol from EAP-PEAP to EAP-TLS. This is relatively easy and straightforward to implement. In addition to keeping the benefits of Credential Guard, you will also gain the more secure certificate-based authentication that EAP-TLS provides. Your Active Directory and Windows client computers already have this capability. No additional licensing needed!

The other action you could take is to disable Credential Guard as detailed in the link to the first article below.

Laketec can assist you in determining whether you are affected and help you make a smooth transition from EAP-PEAP to EAP-TLS. We will also work with you to review any considerations for RADIUS authentication policy you may have implemented in Microsoft NPS or Aruba ClearPass.

 

Links to the Microsoft articles.

Please review these articles for a more detailed explanation of Windows Defender Credential Guard and its impact on your environment. Note that, in addition to network authentication, this enhancement also impacts Remote Desktop connections and various other items, as discussed in the articles.

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations