Due to the changes you're making Microsoft the level of security in the Windows operating systems 11 22H2, more specifically in enabling the functionality of using Credential Guard Windows Defender by default, this functionality has since W10, but idle, it disables the protocols of logon authentication (PEAP-MSCHAPv2 -NTLMv1 -CredSSP) of the NPS service (Radius) causing those client computers with this version unable to connect to the NPS service using the SSO (single sign on).
The main function of Credential Guard is to protect the passwords stored in computers through encryption, adding security features to the operating systems Windows 10 -11 allowing users to authenticate on a network's active directory domain will have their password stored in a virtual container (VBS), so that only the software on the system with privileges can access them, preventing attacks, theft of credentials and not in the LSA (Local Security Authority) as it was in versions of operating systems with Windows 10. When Credential Guard, Windows Defender is enabled, Kerberos does not allow the delegation of Kerberos without any restrictions or DES encryption, not only for the credentials, initiated, but also for the requested credentials or saved. On the following image shows a high-level about how to isolate the LSA through the use of security-based virtualization:
In order to avoid impacts future, it is important to validate if the NPS service uses these protocols, if so, Microsoft recommends that you change the authentication of these protocols to a certificate-based as they are PEAP-TLS, or EAP-TLS. In the following image displays the different authentication protocols used by clients or the NPS server.
Before you make the change (taking into account if the future migraran client computers to W11) it is important to validate the controllers that manage the AP (Access Point) supports authentication with the following authentication protocols EAP-TLS – TLS 1.3 Microsoft recommends that you change the authentication to certificate-based PEAP-TLS, or EAP-TLS is important to validate the configuration of the NPS service is in the mode of authentication based on certificate as shown in the image, if you use a certificate as the authentication method, check if the certificate is valid. On the server (NPS), you can confirm what certificate is being used from the properties menu of EAP. In the NPS snap-in, go to Policies > Network policies. Select and hold (or right-click with the right button) on the policy and then select Properties. In the pop-up window, go to the tab Restrictions and then select the section Methods of authentication.
If you require more information regarding the implementation of this new change in their organizations may contact us at the following email darias@grupoitsupport.com
Article consulted TechNet Microsoft
Considerations when using Credential Guard Windows Defender
How it works Credential Guard Windows Defender
Advanced troubleshooting authentication 802.1 X
Troubleshooting information is available for the following 802.1 x Authentication errors. Select an error that you receive:
https://www.microsoft.com/en-us/download/details.aspx?id=4865
Dairo Arias Morales
Specialist Engineer