In this post, I will show you how to fix Windows Defender Credential Guard issues. If you are dealing with Credential Guard issues for Windows Defender on your computers, this post lists the solutions for those.
Windows Defender Credential Guard isolates secrets so that only privileged system software can access the user credentials. Doing this will protect NTLM password hashes and Kerberos Ticket Granting Tickets and credentials stored by applications with domain credentials.
Users are validated by the Local Security Authority (LSA). Once Credential Guard is active, Windows stores the credentials in an isolated LSA process that runs only signed, certified, trusted binaries, keeping the credentials out of reach of the rest of the operating system.
Here is a good article from Microsoft on how to manage Windows Defender Credential Guard.
MS-CHAPv2 Authentication can break when this is enabled
If you enable Windows Defender Credential Guard, classic NTLM authentication for Single Sign-On can no longer be used.
You will then be forced to enter your credentials every time you use these protocols, and you won’t be able to save them for future use.
Wi-Fi and VPN endpoints based on MS-CHAPv2 are subject to the same kinds of attacks as NTLMv1. Microsoft recommends that organizations move from MS-CHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2 to certificate-based authentication such as PEAP-TLS or EAP-TLS.
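To find out which saved Wi-Fi profiles on a client will stop doing SSO once Credential Guard is on, the following added script (not from the original post or from Microsoft) exports the profiles with netsh and looks at the EAP method types in their XML. It assumes an elevated PowerShell session and a scratch folder of your choosing; the EAP type numbers are the IANA-assigned values (25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS).

```powershell
# Added example: list saved Wi-Fi profiles whose EAP configuration uses
# MS-CHAPv2 (EAP type 26), which loses SSO under Credential Guard, and flag
# the certificate-based ones (EAP-TLS, type 13) that keep working.
# Assumes an elevated PowerShell; $ExportDir is an arbitrary scratch folder.
$ExportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# netsh writes one XML file per profile (no key material without key=clear).
netsh wlan export profile folder="$ExportDir" | Out-Null

foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($file.FullName)
    $name = $xml.WLANProfile.name

    # The EAP <Type> elements sit in different namespaces at each layer
    # (EapHostConfig, PEAP inner method), so match on local name only.
    $types = $xml.SelectNodes("//*[local-name()='Type']") |
        ForEach-Object { $_.InnerText.Trim() }

    if ($types -contains '26') {
        $method = if ($types -contains '25') { 'PEAP-MSCHAPv2' } else { 'EAP-MSCHAPv2' }
        [pscustomobject]@{ Profile = $name; Method = $method; SSOWithCredentialGuard = 'Breaks' }
    } elseif ($types -contains '13') {
        $method = if ($types -contains '25') { 'PEAP-TLS' } else { 'EAP-TLS' }
        [pscustomobject]@{ Profile = $name; Method = $method; SSOWithCredentialGuard = 'OK' }
    }
    # PSK profiles have no EAP block and produce no row.
}

Remove-Item -Path $ExportDir -Recurse -Force
```

Profiles reported as "Breaks" are the ones to migrate to PEAP-TLS or EAP-TLS before enabling Credential Guard.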
Fix Windows Defender Credential Guard Issues
Let’s look at some of the common issues that you encounter with Windows Defender Credential Guard and solutions for each issue.
Example Windows Event errors you can experience:
Issue 1: Wired 802.1X Authentication failed
Reason Text: Network authentication failed
The credentials provided might not be correct.
Issue 2: Error Code: 0x2B3
The network interface “Network Interface name here” has begun resetting. There will be a momentary disruption in network connectivity while the hardware resets. Reason: The network driver requested that it be reset. This network interface has reset 5 time(s) since it was last initialized.
Tools you can use to help see this error in real-time:
Using these tools, you can get a network trace and packet captures of the issue and see failures. You can still see the errors in my testing even if you “Suppress Repeated Failed Clients” in Cisco ISE.
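Before reaching for a packet capture, it helps to confirm on the client that Credential Guard is really running and to pull the 802.1X failures quoted above from the event log so their timing can be lined up with the rollout. The following added script (not from the original post) does both; it assumes an elevated PowerShell session, and the lookback window $Hours is an arbitrary value.

```powershell
# Added example: confirm Credential Guard is running on this client, then
# list recent wired 802.1X authentication failures for correlation.
# Assumes an elevated PowerShell; $Hours is an arbitrary lookback window.
$Hours = 24

# Win32_DeviceGuard reports VBS and the services running under it.
# SecurityServicesRunning/Configured contain 1 for Credential Guard, 2 for HVCI.
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
"Credential Guard configured: $cgConfigured, running: $cgRunning (VBS status $($dg.VirtualizationBasedSecurityStatus))"

# The "Wired 802.1X Authentication failed" event is logged by the
# Wired-AutoConfig provider; filter on the message text quoted in the post.
$filter = @{
    LogName   = 'Microsoft-Windows-Wired-AutoConfig/Operational'
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Authentication failed|credentials provided might not be correct' }

if (-not $events) {
    "No wired 802.1X authentication failures in the last $Hours hours."
} else {
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

If Credential Guard shows as configured but not running, the VBS prerequisites (UEFI, Secure Boot, virtualization extensions) are the first thing to check before blaming the network side.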
Here are some considerations when using Windows Defender Credential Guard. If you consider using Windows Defender Credential Guard, I highly recommend reviewing the Microsoft article below.
#1 Kerberos Considerations
If you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Attackers can abuse unconstrained delegation to extract Kerberos keys from the isolated LSA process, which is why it is blocked. Use constrained or resource-based Kerberos delegation instead.
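To know in advance which accounts fall foul of this, the following added script (not from the original post) queries Active Directory for accounts configured for unconstrained delegation or for DES-only Kerberos keys. It assumes the ActiveDirectory RSAT module and read access to the domain; the userAccountControl bit values and msDS-SupportedEncryptionTypes flags are the documented ones.

```powershell
# Added example: find AD accounts whose Kerberos settings Credential Guard
# will break: unconstrained delegation and DES-only keys.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

# userAccountControl bits: 0x80000 TRUSTED_FOR_DELEGATION (unconstrained),
# 0x200000 USE_DES_KEY_ONLY. The :1.2.840.113556.1.4.803: rule is LDAP's bitwise AND.
$ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2097152)' +
          '(msDS-SupportedEncryptionTypes=*))'
$props = 'TrustedForDelegation', 'UseDESKeyOnly', 'msDS-SupportedEncryptionTypes'

# msDS-SupportedEncryptionTypes bit flags: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5.
$DesMask = 0x1 -bor 0x2

$accounts = @(Get-ADUser -LDAPFilter $ldap -Properties $props) +
            @(Get-ADComputer -LDAPFilter $ldap -Properties $props)

$findings = foreach ($a in $accounts) {
    $reasons = @()
    # TrustedForDelegation alone means unconstrained delegation; constrained
    # delegation uses msDS-AllowedToDelegateTo instead. Domain controllers
    # carry this flag by default, so review the non-DC hits.
    if ($a.TrustedForDelegation) { $reasons += 'Unconstrained delegation' }

    $enc = $a.'msDS-SupportedEncryptionTypes'
    # DES-only: either the legacy UAC flag, or only DES bits set in the
    # encryption-types attribute (0/absent means defaults, not DES-only).
    $desOnly = $enc -and (($enc -band $DesMask) -ne 0) -and (($enc -band (-bnot $DesMask)) -eq 0)
    if ($a.UseDESKeyOnly -or $desOnly) { $reasons += 'DES-only Kerberos keys' }

    if ($reasons) {
        [pscustomobject]@{
            Account = $a.SamAccountName
            Type    = $a.ObjectClass
            Problem = ($reasons -join '; ')
            Fix     = 'Constrained/resource-based delegation; enable AES'
        }
    }
}
$findings | Format-Table -AutoSize
```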
#2 3rd Party Security Support Providers Considerations
Microsoft notes that some 3rd party Security Support Providers might not be compatible with Windows Defender Credential Guard, because Credential Guard doesn’t allow third-party Security Support Providers to request password hashes from LSA.
Additionally, undocumented APIs in custom SSPs and APs are not supported. Therefore, if you do use custom implementations of SSPs, it is recommended that before you implement Windows Defender Credential Guard, you thoroughly test to ensure they work together.
#3 Windows Defender Credential Guard Protection Limits
The link below explains how some ways of storing Windows credentials aren’t protected by Windows Defender Credential Guard. This is important to know before fully implementing it, so you can confirm that Windows Defender Credential Guard meets your environment’s needs.
#4 Saved Windows Credentials Protected
Microsoft states that, starting with Windows 10, version 1511, domain credentials stored within Credential Manager are protected by Windows Defender Credential Guard.
However, generic credentials, such as the usernames and passwords you use to log in to websites, are not protected, because those applications require your clear-text password.
If the application doesn’t need a copy of the password, it can save domain credentials as protected Windows credentials.
Microsoft states the following considerations regarding Windows Defender Credential Guard protections of Credential Manager:
- Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message “Logon attempt failed.”
- Applications that extract Windows credentials fail.
- When credentials are backed up from a PC with Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before enabling Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
Windows Defender Credential Guard provides many benefits by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. In addition, you will get better hardware security, virtualization-based security, and protection against advanced persistent threats.