Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

MSCHAPv2 Deprecation in Windows 11

Starting with Update 22H2 for Windows 11 Enterprise and Windows 11 Education versions, Microsoft Windows Defender Credential Guard is enabled by default. This, in turn, disables MSCHAPv2 for single sign-on. Single sign-on typically refers to devices that are AD domain joined or managed from central IT departments. Institutions using EAP-MSCHAPv2 or PEAP-MSCHAPv2 for 802.1x will be impacted when endpoints running these Windows versions upgrade to 22H2. This update does not appear to impact Windows 11 Home and Pro versions, as they are not designed for single sign-on services. Real world impact information is still emerging as many institutions have not yet upgraded their managed endpoints to 22H2 at scale.

Impact Scenarios

Relating to Windows 11 Education, Pro and Enterprise Editions that participate in AD domain joining. Windows Home is unaffected


❌ Win11 22H2 w/ configured with EAP-MSCHAPv2 or PEAP-MSCHAPv2: Single sign-on clients may be impacted


Workarounds and Resolution

It is advised that institutions discuss with their Systems and Security teams before implementing any changes.

Day 0 "Quick" Workarounds

Disable Credential Guard on impacted endpoints running Windows 11 22H2

Resolution (Address When You Can)

Change your institution's 802.1x EAP Type. Microsoft recommends switching to EAP-TLS.