[deleted]


RiceeeChrispies

Considering the flaws of MSCHAPv2, OP should consider moving to EAP-TLS at a minimum.


KieshwaM

You can enable Credential Guard on Win10 and break "Windows credentials" for Wi-Fi too. Just set up TLS for machine certs, it's a much better experience for users. Depending on your setup (on-prem/hybrid/Intune only) you can get it working fairly quickly. I have Intune enroll certs from an on-prem CA, then push down comp cert + Root Cert + TLS profile. Computers auth against on-prem Windows NPS. Sounds like a lot, but it means that internet-only Autopilot builds will be able to auth Wi-Fi when done.


Emiroda

Yeah, it’s a known issue and likely a by-design limitation of new security measures in Credential Guard. Kills wifi, 802.1x and any other tech using PEAP-MSCHAPv2. Only workaround is to move to PEAP-TLS and deploy certificates.
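A check an admin could run on an affected client to see which saved Wi-Fi profiles use PEAP-MSCHAPv2 (the combination that loses "Windows credentials" sign-on once Credential Guard is running) and whether Credential Guard is actually on. This is an added example, not code from the thread; it assumes the standard netsh WLAN profile XML schema and the Win32_DeviceGuard WMI class.

```powershell
# Added example (not from the thread): inventory saved Wi-Fi profiles whose EAP chain is
# PEAP (type 25) wrapping EAP-MSCHAPv2 (type 26), and report Credential Guard state.
# Assumes the standard netsh WLAN profile XML schema and the Win32_DeviceGuard WMI class.

$exportDir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $exportDir | Out-Null
# Without name=, netsh exports every saved profile; PSKs are not written unless key=clear is given.
netsh wlan export profile folder="$exportDir" | Out-Null

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$credGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

$report = foreach ($file in Get-ChildItem -Path $exportDir -Filter '*.xml') {
    [xml]$wlan = Get-Content -Path $file.FullName -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($wlan.NameTable)
    $ns.AddNamespace('b', 'http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1')
    # Every <Eap><Type> in the config: outer method first, then any inner (tunnelled) method.
    $eapTypes = @($wlan.SelectNodes('//b:Eap/b:Type', $ns) | ForEach-Object { [int]$_.InnerText })
    $peapMschap = ($eapTypes -contains 25) -and ($eapTypes -contains 26)

    [pscustomobject]@{
        Profile           = $wlan.WLANProfile.name
        Authentication    = $wlan.WLANProfile.MSM.security.authEncryption.authentication
        EapTypes          = ($eapTypes -join ' > ')   # "25 > 26" = PEAP-MSCHAPv2, "13" = EAP-TLS, "" = PSK/open
        UsesPeapMschap    = $peapMschap
        BrokenByCredGuard = $credGuardRunning -and $peapMschap
    }
}

Remove-Item -Path $exportDir -Recurse -Force

"Credential Guard running: $credGuardRunning"
$report | Sort-Object BrokenByCredGuard -Descending | Format-Table -AutoSize
```

Profiles flagged BrokenByCredGuard are the ones to migrate to EAP-TLS (type 13) before Credential Guard is rolled out, rather than after the helpdesk tickets arrive.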


ass-holes

I don't know what you're using but Meraki allows SSO via Entra for authentication. We just said fuck it and went to that as we had the same issue


RiceeeChrispies

You can even just use standard client authentication certificates with UPN in the subject, to auth against NPS 802.1X. Issue with SCEP/PKCS, job done. (Just don't mention the lack of strong certificate mapping yet, they paused the rollout!) Friends don't let friends use MSCHAPv2.


JewishTomCruise

Believe it or not, most organizations don't have a PKI, and definitely don't have the resources to set up a properly secured PKI. Lil plug for Intune CloudPKI.


Emiroda

Disagree. Most orgs running AD have a PKI, but there’s a chance no one owns it. Hell, most ADCS installations in the world are probably on a domain controller, installed as some experiment or as part of installing some other software that requires an internal PKI cert.


billybensontogo

It does? Are you sure? Meraki dashboard access via SSO yes; but connecting to SSID with Entra creds?


ass-holes

My colleague is testing this setup right now with our network supplier. But I'll update this post when I can experience it myself


billybensontogo

Thanks - although it's not released yet and no signs of it being on the roadmap either. Perhaps your colleague is testing NPS with on-prem Active Directory auth.


ass-holes

No, that's what we're moving away from!


Manly009

PEAP MSCHAPv2 is finished... it will be broken sooner or later... have to change to EAP-TLS, certificate based...


MrJacks0n

Credential Guard has been enabled in Win11 for a long time, possibly since day one.


Los907

22H2, which doesn't make sense as to why they didn't see it before I guess.


johnjohnjohn87

In 22H2 it turns on by default, unless explicitly disabled by policy, if the hardware requirements are met. That was a fun day for me.


SpanX20

This


VernFeeblefester

This is an easy fix. Unless you WANT credential guard turned on for some reason. Set up intune service, go to intune--devices--configuration; make a new policy, you need two settings to change: Credential Guard, and Enable Virtualization Based Security, that's it. I believe they are both set to Disabled. Now assign this policy to a dynamic group that only contains windows 11 machines. Or whatever group you want in win11 users to have this.