Forum Discussion
Windows 11 clients cannot authenticate to NPS server using computer authentication
- Oct 18, 2021: Had this with 802.1x and Always On VPN. Maybe it's the same for your Wi-Fi profile. The reason is documented here: https://directaccess.richardhicks.com/2021/09/23/always-on-vpn-error-853-on-windows-11/
For our environment it was due to Credential Guard. This will break anything using PEAP with MS-CHAPv2, including machine authentication. It's also extremely tricky to debug because this requires the Windows Enterprise edition, and since we are using E3 licenses (which include the OS Enterprise license) the problem only surfaces eventually, when the OS is upgraded to Enterprise in the background (enabled by default with Enterprise; it does not get enabled with only Pro).
Fix: Group Policy -> Administrative Templates -> System -> Device Guard -> Turn On Virtualization Based Security (set to Disabled).
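An added example (not code from any poster in this thread) that reports the state the first post describes, so an administrator can tell which Windows 11 clients are running Credential Guard and are therefore expected to fail PEAP with MS-CHAPv2 machine authentication. It assumes Windows 10/11 with PowerShell 5.1 or later, where the Win32_DeviceGuard WMI class and the DeviceGuard/Lsa registry values exist; the host list file in the trailing comment is hypothetical.

```powershell
# Added example: inventory Credential Guard / VBS state on a Windows client.
# Not from the thread; assumes the documented Win32_DeviceGuard class and registry values.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the live VBS and Credential Guard state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $cgRunning = $false
    $vbsStatus = 'Unknown'
    if ($dg) {
        $cgRunning = [int[]]$dg.SecurityServicesRunning -contains 1
        $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
            0       { 'NotEnabled' }
            1       { 'EnabledNotRunning' }
            2       { 'Running' }
            default { "Unknown($_)" }
        }
    }

    # Policy values written by "Turn On Virtualization Based Security" (the GPO the post toggles).
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $vbsPolicy = (Get-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity `
                   -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $lsaCfg    = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags `
                   -ErrorAction SilentlyContinue).LsaCfgFlags

    # Edition matters: the post notes Credential Guard is on by default only once the OS is Enterprise.
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    [pscustomobject]@{
        ComputerName                          = $env:COMPUTERNAME
        OSEdition                             = $edition
        VBSStatus                             = $vbsStatus
        CredentialGuardRunning                = $cgRunning
        EnableVBSPolicy                       = $vbsPolicy   # $null = not configured
        LsaCfgFlags                           = $lsaCfg      # 0 = off, 1 = on with UEFI lock, 2 = on without lock
        PeapMschapv2MachineAuthExpectedToFail = $cgRunning
    }
}

# Run locally:
Get-CredentialGuardState | Format-List

# Or across a set of clients (hypothetical host list file, not from the thread):
# Invoke-Command -ComputerName (Get-Content .\win11-clients.txt) `
#     -ScriptBlock ${function:Get-CredentialGuardState} | Format-Table -AutoSize
```

Read CredentialGuardRunning rather than the policy value alone: the WMI class reflects what is actually running, while EnableVirtualizationBasedSecurity only shows what policy has asked for. An LsaCfgFlags value of 1 means the UEFI lock is set, and on such a device flipping the Group Policy setting by itself will not turn Credential Guard off.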
- rajeev_vlal, Dec 14, 2022 (Copper Contributor): This is the solution for me as well.
- MikkelLundKnudsen, Jan 13, 2023 (Iron Contributor): But seriously, to disable Device Guard, is that even an option you want?
- Darren Burke, Feb 02, 2023 (Copper Contributor):
Our fix is to rename the NPS server so its name is lowercase. Since our NPS servers are also DCs, the steps are:
1. Uninstall the Certificate Authority
2. Rename the server to lowercase using the following:
netdom computername DC1.domain.local /add:dc1.domain.local
netdom computername DC1.domain.local /makeprimary:dc1.domain.local
shutdown /r
3. Install the Certificate Authority again
I have a lot of servers to change, so if there is a less disruptive workaround I'd love to hear what it is.
- Alban1998, Feb 06, 2023 (Iron Contributor): Hello,
Please keep in mind having a CA on a domain controller is not supported (and will block you from upgrading to another OS). Having NPS role on domain controllers is also not recommended.
MikkelLundKnudsen, Device Guard offers critical protection against numerous ransomware families, as it counters Mimikatz-based attacks, so that's a big no in my book.