Windows 11 22H2 breaks MSCHAPv2 authentication for WiFi and wired connections

PhilipDAth
Kind of a big deal

This is a heads up - a big problem that is going to affect a huge number of WiFi networks.

Windows 11 22H2 enables Credential Guard by default, which disables MSCHAPv2 by default for single sign-on.  Many companies use MSCHAPv2 for authenticating to WiFi and wired connections (because it was the default setting in Windows 10 and 11 till now).

If you use this configuration, as users upgrade to Windows 11 22H2 they will no longer be able to authenticate to the network "at login" (as in automatically - single sign-on).  If enabled, users will still have the ability to click on the connection concerned and manually re-authenticate - but this breaks the whole user experience of seamless connectivity.

Microsoft recommends migrating to certificate-based authentication.

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-g... 

This is going to be a lot of work ...

BlakeRichardson
Kind of a big deal

Ah great. Thanks for sharing, I am sure a lot of people are going to be scratching their heads soon.

KarstenI
Kind of a big deal

Thanks for the info. Just not sure why MS does this also when MSCHAPv2 is done through a TLS tunnel ...

GIdenJoe
Kind of a big deal

Holy crap... this is going to be a tough one.

I always enjoy a company just pushing changes through an update without actually announcing this a year before so administrators get time to implement.

OCTOMG
Here to help

Thank you, PhilipDAth!!  We just ran up against this problem on a new batch of Win11 22H2 laptops using their domain machine accounts for Windows NPS RADIUS authentication to wifi, so your post was a HUGE help in determining how to overcome the connectivity issue until we can fully implement certificate-based authentication.

 

We were able to get the new 22H2 laptops to automatically connect by first disabling Windows Defender Credential Guard using the registry key method found in this MS doc, and then manually enabling NTLMv2 authentication by adding the registry key found in this MS doc.  Hope this helps somebody else like me who hasn't fully implemented certificate-based authentication and was caught off guard by this change.
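An added example, not code from the original post or from the workaround OCTOMG describes: a PowerShell audit that tells you, on a given Windows 11 machine, whether Credential Guard is actually running and which saved WLAN profiles still rely on PEAP/EAP-MSCHAPv2 with single sign-on. That is the combination the thread says will stop authenticating automatically after the 22H2 upgrade, so it is what to inventory before deciding between the registry workaround and the move to certificate (EAP-TLS) authentication. Assumptions of mine: the script runs elevated, the WLAN service is running, and the numeric EAP types follow the IANA registry (25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS). The `LsaCfgFlags` values read here are the documented Credential Guard policy values (0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock); the script only reads them, it does not change anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit a Windows 11 22H2 host for the
# Credential Guard + MS-CHAPv2 single sign-on problem discussed above.
# Assumptions: runs elevated, WLAN service available, netsh present.

function Get-CredentialGuardState {
    # Win32_DeviceGuard exposes which virtualization-based security services are
    # configured and running. In those arrays, 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Running    = [bool]($dg.SecurityServicesRunning -contains 1)
        Configured = [bool]($dg.SecurityServicesConfigured -contains 1)
        # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
        # Both the policy location and the LSA location are read; either may be unset.
        PolicyFlag = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                          -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
        LsaFlag    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }
}

function Get-EapWlanProfiles {
    # Export every saved WLAN profile to XML and inspect its EAP configuration.
    # IANA EAP method types: 25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS.
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        # Without a name argument netsh exports all profiles into the folder.
        netsh wlan export profile folder="$dir" | Out-Null
        foreach ($f in Get-ChildItem -Path $dir -Filter *.xml) {
            [xml]$x = Get-Content -Raw -Path $f.FullName
            # local-name() sidesteps the several XML namespaces in a profile.
            $types = @($x.SelectNodes("//*[local-name()='EapHostConfig']//*[local-name()='Type']") |
                       ForEach-Object { [int]$_.InnerText })
            if ($types.Count -eq 0) { continue }   # PSK/open networks carry no EAP config
            # A <singleSignOn> element means the profile authenticates before/at logon.
            $sso = $null -ne $x.SelectSingleNode("//*[local-name()='singleSignOn']")
            [pscustomobject]@{
                Profile      = $x.WLANProfile.name
                OuterEap     = $types[0]              # first Type in document order is EapMethod/Type
                UsesMsChapV2 = ($types -contains 26)
                UsesEapTls   = ($types -contains 13)
                SingleSignOn = $sso
            }
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$cg = Get-CredentialGuardState
"Credential Guard running: $($cg.Running)  configured: $($cg.Configured)  LsaCfgFlags policy/LSA: $($cg.PolicyFlag)/$($cg.LsaFlag)"

$profiles = @(Get-EapWlanProfiles)
$profiles | Format-Table -AutoSize

# The failing combination from the thread: Credential Guard on, MS-CHAPv2 inner method, SSO configured.
$atRisk = $profiles | Where-Object { $_.UsesMsChapV2 -and $_.SingleSignOn }
if ($cg.Running -and $atRisk) {
    Write-Warning ('Credential Guard is running and these profiles use MS-CHAPv2 with SSO; automatic ' +
                   'authentication at logon will fail: ' + ($atRisk.Profile -join ', '))
}
```

Run it on one of the upgraded laptops before and after applying a workaround: if `Running` is still `True`, a registry change has not taken effect yet (Credential Guard with UEFI lock needs the documented bcdedit steps and a reboot), and any profile listed with `UsesMsChapV2` and `SingleSignOn` both `True` is one that should be migrated to EAP-TLS rather than left on the workaround long term.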
