What you should do about it
At Roc, we’ve been working closely with customers to identify the root cause and future-proof their authentication infrastructure. Here’s what you need to know.
Windows Credential Guard is a security feature introduced by Microsoft to combat credential theft techniques such as pass-the-hash and pass-the-ticket. It leverages Virtualisation-Based Security (VBS) to isolate and protect sensitive authentication information like NTLM hashes and Kerberos Ticket-Granting Tickets (TGTs) from the operating system.
Starting with Windows 11 version 22H2, Credential Guard is enabled by default on supported editions, including Enterprise, Education, and some Pro devices. It’s also the default in Windows Server 2025 and later.
While Credential Guard significantly boosts endpoint security, it brings with it some unintended consequences, particularly around network authentication.
Many enterprise networks use 802.1X authentication with PEAP-MSCHAPv2 as the inner method, which relies on saved user credentials or single sign-on (SSO).
Credential Guard blocks access to stored credential hashes, even by legitimate processes like network authentication. As a result, users may find themselves:
This not only frustrates end users but also creates a support burden for IT teams.
While disabling Credential Guard is technically an option, it’s not a good one. Doing so removes a critical security layer designed to prevent lateral movement and credential-based attacks.
Instead, organisations should migrate to certificate-based 802.1X authentication, using methods like EAP-TLS or PEAP-TLS. These approaches offer seamless SSO without relying on stored passwords or hashes, making them fully compatible with Credential Guard.
To transition securely and effectively, we recommend the following steps:
This shift not only resolves the compatibility issues with Credential Guard but also aligns your network with modern, zero-trust security principles.
Whether you’re just starting your 802.1X journey or need help modernising your authentication strategy, Roc’s team of network and security specialists are ready to assist. We offer:
Let Roc help you build a secure, seamless authentication experience that works with and not against your Windows security posture.
Contact us
Network Services Practice Lead
David leads the development of Roc’s network strategy and portfolio, shaping and refining customer propositions to strengthen performance and experience whilst delivering value.
The best kind of change is often the kind you don’t notice happening. Systems run smoother, processes feel easier, people stop sighing at their screens – and suddenly everything just works a little better.
True modernisation is less about speed – and more about substance. We talk about modernisation as if it’s a race – a finish line you can cross and then move on. It isn’t.
The modern enterprise has shifted beyond recognition.
Hybrid working is embedded, cloud adoption continues at pace, and data now moves across a range of devices, locations, and applications. As this digital footprint expands, the traditional network perimeter has dissolved.
AI has altered the physics of cybersecurity. Threats now move faster than policies can adapt, and defences evolve in real time. The traditional idea of resilience – static controls, periodic reviews, and defined perimeters – no longer fits.
In an era where many students invest over £60,000 in a university education, the question of value for money has become a defining factor in university choice. But “value” is not universal.
Enterprise networks have reached an inflection point. Hybrid working is now embedded, cloud applications proliferate, and data moves continuously between users, devices and locations. UK organisations now manage more cloud identities than traditional endpoints, and more than half of enterprise traffic originates outside the office. As a result, network reliability, security and performance have shifted from operational concerns to board-level priorities.
AI is now woven into every part of cybersecurity operations. It analyses behaviour, identifies anomalies, and increasingly, takes action on its own. It’s faster, tireless, and in many cases more consistent than any analyst could be. But with that progress comes a harder question: how much decision-making are we prepared to give away?
There’s no escaping the squeeze. Demand is rising, budgets are flat, and no one’s in the mood for another “game-changing” announcement. People have heard so many promises of ‘once in a generation’ transformation that hype doesn’t hold much weight anymore.
There’s a moment every organization faces when it has to stop pretending the cracks aren’t there. The systems that don’t quite talk to each other. The processes everyone works around. The decisions that were right once — but no longer are.