Windows 11 22H2 Credential Guard Enforcement

JordanJ
Level 1

Hi.

It looks like Microsoft is introducing changes with the latest version of Windows 11 22H2 in that they are enforcing the use of Credential Guard. Credential Guard breaks PEAP methods of authentication (including authentication by username/password and computer object in AD).

What are other organisations using to authenticate their Windows clients? Microsoft's advice basically states that MSCHAPv2 is insecure and not recommended. EAP-TLS and PEAP-TLS are the recommended solution from Microsoft (https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations).

My industry is K-12 education and we use EAP-TLS for authentication of some supplicants but prefer PEAP wherever possible because it allows us to identify users in the case that they are accessing inappropriate material. Is PEAP-TLS different to simply PEAP? How does it work?

We use Cisco ISE as our AAA authentication server.

Kind regards,

Jordan


6 Replies

Arne Bier
VIP

Interesting. Do you know if that also applies to TEAP?

If you're using EAP-TLS today, I assume it's Machine authentication only, and the machine name doesn't tell you the username - but you could look it up perhaps in a separate database if you needed to?

Using EAP-TLS as the inner method of EAP-PEAP wouldn't change much in this case because it will still be using the machine certificate, which wouldn't have any reference to the end users. Also, I personally experienced a few issues using that method where the NIC caused the workstation to crash with a blue screen. I think the best way to work around these caveats would be to enrol user certificates and keep using EAP-TLS with the user certificates, or to move to TEAP, still using the machine and user certificates.

Charlie Moreton
Cisco Employee (Accepted Solution)

From the linked article:

When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.

PEAP-EAP-TLS will still work, and so will TEAP-EAP-TLS. It looks like Microsoft is beginning to deprecate MSCHAPv2, so move to a more secure protocol. If this is not possible, the article also has a chapter showing how to disable Defender Credential Guard (DCG) via GPO. Also, if not all requirements for DCG are met, it will not be installed.

@Arne Bier, I would take it to mean that TEAP-EAP-MSCHAPv2 is affected.

I think if the user identification is required, the users certs should be rolled out and used alongside EAP-TLS or TEAP, alternatively, I can't see how using the machine certs would identify the users, regardless of which protocol is being used.

JordanJ
Level 1

Thanks everyone.

What is PEAP-EAP-TLS / TEAP-EAP-TLS? How is it different to plain PEAP-EAP? Can you still authenticate with 'Computer Account' (see group policy screenshot attached)? Or does this require that a certificate be used? Is there a way to combine certificate with Computer Authentication or something like that?

[Screenshot attached: Screen Shot 2022-10-04 at 3.19.18 pm.png]

There is an option to use EAP-TEAP, is this the same as TEAP-EAP-TLS?

[Screenshot attached: Screen Shot 2022-10-04 at 3.24.32 pm.png]

Also, does anyone know if this also affects connections with Username / Password authentication? I've read that it will not give out a username / password for 802.1x authentication after the upgrade but the device I've tested with is still authenticating with PEAP-MSCHAPv2 using a saved username / password WITH credential guard enabled.

There's no point fighting Microsoft and I think credential guard offers good security mechanisms so it would be good to adopt a more secure protocol.

hslai
Cisco Employee

PEAP is a tunneling protocol. Depending on the inner methods, PEAP(EAP-MSCHAPv2) is using EAP-MSCHAPv2 as the inner method and PEAP(EAP-TLS) is using EAP-TLS as the inner method. There is no plain PEAP-EAP.

Credential Guard, as the others already said, is to eliminate username+password.
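As an added illustration of hslai's point (example code written for this edit, not code from the thread, from Microsoft or from Cisco ISE): the EAP type byte on the wire only reveals the outer method, because PEAP and TEAP carry their inner method (EAP-TLS or EAP-MSCHAPv2) inside the TLS tunnel. Whether a client is doing PEAP(EAP-MSCHAPv2) or PEAP(EAP-TLS) is therefore something the AAA server knows after it terminates the tunnel, not something a packet capture shows. The script parses RFC 3748 EAP headers from constructed frames, then classifies constructed "Outer (Inner)" protocol strings (that string format and the sample user names are assumptions for the example, not ISE's real report layout) against Microsoft's guidance that MSCHAPv2-based inner methods be replaced by EAP-TLS.

```python
"""Which EAP method is a client really using?

Added example for this thread (not code from the thread, Microsoft or
Cisco ISE). Two views of the same authentication:
  1. the EAP method type visible on the wire (RFC 3748 header, RFC 5216 /
     RFC 7170 flag byte), which only reveals the *outer* method, and
  2. the "Outer (Inner)" protocol string an AAA server can report once it
     has terminated the TLS tunnel (the string format here is an assumption
     for the example, not Cisco ISE's real report layout).
"""
import struct

# IANA-assigned EAP method types used in this thread.
EAP_TYPES = {
    1: "Identity",
    13: "EAP-TLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
    55: "TEAP",
}
TUNNEL_METHODS = {"PEAP", "TEAP"}      # carry an inner method inside TLS
CERT_METHODS = {"EAP-TLS"}             # certificate-based, recommended
PASSWORD_METHODS = {"EAP-MSCHAPv2"}    # password-based, affected by Credential Guard
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(frame: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) data]."""
    if len(frame) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length != len(frame):
        raise ValueError(f"EAP length {length} does not match frame size {len(frame)}")
    pkt = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type
        eap_type = frame[4]
        pkt["method"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        if eap_type == 1:                        # Identity: the NAI follows the type
            pkt["identity"] = frame[5:].decode("utf-8", "replace")
        elif pkt["method"] in CERT_METHODS | TUNNEL_METHODS and length >= 6:
            flags = frame[5]                     # L=0x80 M=0x40 S=0x20 (+ version bits)
            pkt["tls_start"] = bool(flags & 0x20)
    return pkt


def wire_view(frame: bytes) -> str:
    """What a packet capture alone can tell you about the method in use."""
    pkt = parse_eap(frame)
    method = pkt.get("method")
    if method is None:
        return f"{pkt['code']}: no method"
    if method == "Identity":
        return f"Identity: {pkt['identity']} (outer identity only)"
    if method in TUNNEL_METHODS:
        return f"{method} tunnel: inner method is encrypted, check the AAA server"
    return method


def classify(protocol: str) -> str:
    """Classify an AAA-reported "Outer (Inner)" or bare method string."""
    name = protocol.strip()
    inner = name
    if "(" in name:
        inner = name.split("(", 1)[1].rstrip(")").strip()
    if inner in PASSWORD_METHODS:
        return "password-based"       # MSCHAPv2 inner: migrate per Microsoft guidance
    if inner in CERT_METHODS:
        return "certificate-based"    # EAP-TLS, bare or as the inner method
    return "unknown"


def audit(records):
    """Return (user, protocol, verdict) for each constructed AAA record."""
    return [(user, proto, classify(proto)) for user, proto in records]


# Constructed sample EAP frames (not captured traffic).
SAMPLE_FRAMES = [
    b"\x02\x01\x00\x0e\x01anonymous",   # Response/Identity, outer identity "anonymous"
    b"\x01\x02\x00\x06\x19\x21",        # Request/PEAP, S bit set, PEAP version 1
    b"\x01\x03\x00\x06\x0d\x20",        # Request/EAP-TLS, S bit set
    b"\x01\x04\x00\x06\x37\x21",        # Request/TEAP, S bit set
]

# Constructed AAA records in an assumed "user, Outer (Inner)" form.
SAMPLE_RECORDS = [
    ("lab-pc-01$", "PEAP (EAP-MSCHAPv2)"),
    ("jsmith", "PEAP (EAP-TLS)"),
    ("lab-pc-02$", "EAP-TLS"),
    ("jdoe", "TEAP (EAP-MSCHAPv2)"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(wire_view(frame))
    for user, proto, verdict in audit(SAMPLE_RECORDS):
        print(f"{user:12} {proto:22} {verdict}")
```

The audit verdict depends only on the inner method: "PEAP (EAP-TLS)" and bare EAP-TLS are both certificate-based, while PEAP or TEAP wrapping EAP-MSCHAPv2 is still a password exchange and is what the Credential Guard change affects. With EAP-TLS the user identity comes from the certificate presented inside the tunnel (subject or SAN), which is why the thread points to issuing user certificates when per-user identification is needed; the outer Identity frame typically carries only an anonymous identity.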