Entra Hybrid Join + 802.1x using PEAP-MSCHAPv2 + Credential Guard = 'Perfect Storm'
I recently encountered an issue as part of a project involving Entra hybrid join for existing domain-joined devices and Co-management, where devices stopped connecting to corporate wireless access points automatically. The devices would complain about missing credentials, resulting in authentication errors, and eventually give up on connecting to the corporate Wi-Fi.

[Screenshot: one such error]

The environment is configured with Cisco ISE as the RADIUS solution, with an authentication policy relying on PEAP MSCHAPv2 as the authentication protocol. The logs on the Cisco side reflected the same 'Internal authentication error' as seen in the event viewer of the endpoints.

This was strange at first because there was nothing set up in Intune or otherwise as part of the Co-management configuration that would interfere with the Wi-Fi settings in general. On further investigation, it was discovered that the issue could very well be related to Credential Guard on the devices. ...
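
A read-only check for the combination named in the title, as an added example that is not part of the original post: it reports whether Credential Guard is running on an endpoint and which saved Wi-Fi profiles use PEAP with MSCHAPv2 as the inner method. The function names and the temporary folder are illustrative assumptions; the script relies on the Win32_DeviceGuard CIM class and `netsh wlan export profile`.

```powershell
# Added example: run on an affected Windows endpoint. Nothing is changed on the device.
# Function names and the temp folder are illustrative, not from the original post.

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    return ($dg.SecurityServicesRunning -contains 1)
}

function Get-PeapMsChapV2Profile {
    # Export every saved WLAN profile to XML and inspect its EAP configuration.
    $dir = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile folder="$dir" | Out-Null
        foreach ($file in Get-ChildItem -Path $dir -Filter *.xml) {
            $xml = [xml](Get-Content -Path $file.FullName -Raw)
            # EAP type 25 = PEAP (outer method), type 26 = MSCHAPv2 (inner method).
            # local-name() avoids binding the several EAP XML namespaces.
            $inner = $xml.SelectSingleNode(
                "//*[local-name()='Eap'][*[local-name()='Type']='25']" +
                "//*[local-name()='Eap'][*[local-name()='Type']='26']")
            if (-not $inner) { continue }
            $sso = $inner.SelectSingleNode(".//*[local-name()='UseWinLogonCredentials']")
            [pscustomobject]@{
                Profile                = $xml.WLANProfile.name
                UseWinLogonCredentials = ($sso -and $sso.InnerText -eq 'true')
            }
        }
    }
    finally {
        # Remove the exported profile XML files.
        Remove-Item -Path $dir -Recurse -Force
    }
}

$cg       = Test-CredentialGuardRunning
$profiles = @(Get-PeapMsChapV2Profile)
"Credential Guard running: $cg"
$profiles | Format-Table -AutoSize
if ($cg -and ($profiles | Where-Object UseWinLogonCredentials)) {
    'Match: Credential Guard is running and a PEAP-MSCHAPv2 profile uses Windows logon credentials.'
}
```

A match only shows that the endpoint has the configuration described in the post; confirm against the endpoint event log and the Cisco ISE log entry before attributing a specific failure to it.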