MSCHAPv2 Deprecation in Windows 11
Starting with Update 22H2 for Windows 11 Enterprise and Windows 11 Education versions, Microsoft Windows Defender Credential Guard is enabled by default. This, in turn, disables MSCHAPv2 for single sign-on. Single sign-on typically refers to devices that are AD domain joined or managed by central IT departments. Institutions using EAP-MSCHAPv2 or PEAP-MSCHAPv2 for 802.1x will be impacted when endpoints running these Windows versions upgrade to 22H2. This update does not appear to impact Windows 11 Home and Pro versions, as they are not designed for single sign-on services. Real-world impact information is still emerging, as many institutions have not yet upgraded their managed endpoints to 22H2 at scale.
This applies to Windows 11 Education, Pro and Enterprise editions that are AD domain joined. Windows Home is unaffected.
✅ Win11 22H2 configured for any EAP type that does not use MSCHAPv2: most clients should work
❌ Win11 22H2 configured with EAP-MSCHAPv2 or PEAP-MSCHAPv2: single sign-on clients may be impacted
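As an added example (not from the original article), the following PowerShell audit checks an endpoint for the two conditions described above: Credential Guard running, and a saved Wi-Fi profile that authenticates with EAP-MSCHAPv2 or PEAP-MSCHAPv2. It assumes the Win32_DeviceGuard WMI class and netsh wlan are available, and that the EAP method type numbers follow the IANA registry (25 = PEAP, 26 = EAP-MSCHAPv2).

```powershell
# Added audit example, not part of the original article.
# Assumes Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard) and netsh wlan.

function Get-CredentialGuardState {
    # SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    [pscustomobject]@{
        Configured = ($dg.SecurityServicesConfigured -contains 1)
        Running    = ($dg.SecurityServicesRunning    -contains 1)
    }
}

function Get-MschapV2WlanProfiles {
    # Export every saved profile (without keys) and look for EAP method type 26
    # (EAP-MSCHAPv2), either as the outer method or tunnelled inside PEAP (type 25).
    $tmp = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        netsh wlan export profile folder="$tmp" | Out-Null
        foreach ($file in Get-ChildItem -Path $tmp -Filter '*.xml') {
            [xml]$xml = Get-Content -Path $file.FullName -Raw
            # EAP vendors use different XML namespaces; match on local element name only.
            $types = $xml.SelectNodes("//*[local-name()='Type']") |
                     ForEach-Object { $_.InnerText.Trim() }
            if ($types -contains '26') {
                [pscustomobject]@{
                    Profile  = $xml.WLANProfile.name
                    OuterEap = $(if ($types -contains '25') { 'PEAP' } else { 'EAP' })
                    InnerEap = 'MSCHAPv2'
                }
            }
        }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$cg   = Get-CredentialGuardState
$hits = @(Get-MschapV2WlanProfiles)
"Credential Guard configured: $($cg.Configured); running: $($cg.Running)"
if ($cg.Running -and $hits.Count -gt 0) {
    "Likely 802.1x impact: $($hits.Count) MSCHAPv2 profile(s) with Credential Guard active."
    $hits | Format-Table -AutoSize
} else {
    "No Credential Guard / MSCHAPv2 conflict found on this endpoint."
}
```

Run it from an elevated prompt on a domain-joined 22H2 endpoint; profiles it lists are the ones that need an EAP type change or a Credential Guard policy decision.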
Workarounds and Resolution
It is advised that institutions discuss with their Systems and Security teams before implementing any changes.
Day 0 "Quick" Workarounds
Disable Credential Guard on impacted endpoints running Windows 11 22H2
Resolution (Address When You Can)
Change your institution's 802.1x EAP Type. Microsoft recommends switching to EAP-TLS.