The Windows Defender Credential Guard, also known as Microsoft Defender Credential Guard, is a security feature in the Windows and Windows Server operating systems. Although it is there to make your credentials secure, some users are experiencing problems with it.
Some have reported that due to this feature, the Remote Desktop Connection now consistently asks for credentials, while others are experiencing problems running the VMWare hypervisor.
In this article, we are going to address what Windows Defender Credential Guard is, and how can you disable it, or enable it, if needed.
Table of Contents
What is Windows Defender Credential Guard
The Credential Guard is part of Windows Security that was first introduced in Windows 10 Enterprise edition, which has now also been carried forward to Windows 11 Professional edition, amongst others.
The Windows Defender Credential Guard uses virtualization technology to isolate your credentials so that they cannot be stolen via unauthorized access. This feature prevents hackers from accessing vulnerable data and credential theft attacks, and only authorized systems can view or edit them.
It is because of this reason that users experience repeated credentials windows when trying to access remote computers via RDP.
In Windows 10, this feature is disabled by default but is automatically enabled when you enable Hyper-V. In Windows 11 Pro, this feature is enabled by default, provided that your system meets the minimum requirements.
Here is a list of the minimum hardware and software requirements for Credential Guard to be enabled:
- Support for Virtualization-based security
- Secure boot
- Trusted Platform Module (TPM) versions 1.2 or 2.0
- UEFI lock (preferred)
- 64-bit CPU
- CPU virtualization
- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
Below you’ll find the methods to enable Windows Defender Credential Guard or disable it in case it is causing.
The Credential Guard can be seen inside Windows Security inside “Device Security” under Core Isolation. However, there is no option to configure it.
Credential Guard can be enabled or disabled using Group Policy and the Windows Registry. However, in Windows 10, the method to enable it requires an additional step.
We have discussed the methods in detail below.
Disable Windows Defender Credential Guard in Windows 10
In Windows 10, the Credential Guard is automatically enabled when you enable Hyper-V, In the method below, we will show you how to disable Credential Guard while Hyper-V is still enabled.
To disable Credential Guard in Windows 10, we must first enable Hyper-V.
Enable Hyper-V
-
Open the Optional Features applet by typing in “optionalfeatures” in the Run Command box.
Open the Optional Features applet -
Select “Hyper-V” and click Ok.
Enable Hyper-V The wizard will now install Hyper-V and its components.
-
When installed, close the wizard.
Close the wizard
Now, it is time to disable Credential Guard. This can be done via the Group Policy.
Disable Credential Guard
-
Open the Group Policy editor by typing in “gpedit.msc” in the Run Command box.
Open the Group Policy editor -
Navigate to the following from the left pane:
Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> Device Guard
-
Double-click the policy “Turn On Virtualization Based Security.”
Edit VBS policy -
Select “Disabled,” then click Apply and Ok.
Disable the VBS policy -
Now run the following cmdlet in an elevated Command Prompt for the changes to take effect.
GPUpdate /ForceEnforce the Group Policies
The Windows Defender Credential Guard will now be disabled with the Hyper-V enabled.
However, if you wish to enable Credential Guard on Windows 10, follow the guide in the next section below.
Enable Windows Defender Credential Guard in Windows 10
To enable the Credential Guard in Windows 10, follow these steps:
-
First, enable Hyper-V as given in the method above.
-
Now open the Group Policy editor and navigate to the following:
Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> Device Guard
-
Double-click the policy “Turn On Virtualization Based Security.”
Edit policy -
Select “Enabled.”
-
Under the Options section, select the following settings from the drop-down menus:
-
Select Platform Security Level:
- Secure Boot and DMA Protection
-
Virtualization Based Protection of Code Integrity:
- Enabled with UEFI Lock – So the option cannot be disabled remotely, or
- Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
-
Credential Guard Configuration:
- Enabled with UEFI Lock – So the option cannot be disabled remotely, or
- Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
-
Secure Launch Configuration:
- Not Configured – If you choose it to be configured by your domain administrator, or
- Enabled – If you want to turn on Secure Launch, or
- Disabled – If you want to disable Secure Launch
Configure VBS to enable Credential Guard in Windows 10 -
-
Click Apply and Ok.
-
Now run the following cmdlet in an elevated Command Prompt for the changes to take effect.
GPUpdate /ForceEnforce Group Policies
Windows Defender Credential Guard will now be enabled.
There are also other methods to disable or enable the Credential Guard in Windows 10. The following methods also apply to Windows 11.
Disable Windows Defender Credential Guard in Windows 11 using Group Policy
As mentioned earlier, the Credential Guard is enabled by default in Windows 11. You can disable it using the Windows Group Policy editor, and through Windows Registry. You can use any of the following given methods to disable it or re-enable it if needed.
Follow these steps to disable the Credential Guard in Windows 11 or Windows 10 using the Group Policy editor:
-
Open the Group Policy editor by typing in “gpedit.msc” in the Run Command box.
Open the Group Policy editor -
Navigate to the following from the left pane:
Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> Device Guard
-
Double-click the policy “Turn On Virtualization Based Security.”
Edit VBS policy -
Select “Disabled,” then click Apply and Ok.
Disable the VBS policy -
Now run the following cmdlet in an elevated Command Prompt for the changes to take effect.
GPUpdate /ForceEnforce the Group Policies
The Windows Defender Credential guard will now be disabled. However, to enable it, perform the steps in the next section.
Enable Windows Defender Credential Guard in Windows 11 using Group Policy
-
Open the Group Policy editor and navigate to the following:
Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> Device Guard
-
Double-click the policy “Turn On Virtualization Based Security.”
Edit policy -
Select “Enabled.”
-
Under the Options section, select the following settings from the drop-down menus:
-
Select Platform Security Level:
- Secure Boot and DMA Protection
-
Virtualization Based Protection of Code Integrity:
- Enabled with UEFI Lock – So the option cannot be disabled remotely, or
- Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
-
Credential Guard Configuration:
- Enabled with UEFI Lock – So the option cannot be disabled remotely, or
- Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
-
Secure Launch Configuration:
- Not Configured – If you choose it to be configured by your domain administrator, or
- Enabled – If you want to turn on Secure Launch, or
- Disabled – If you want to disable Secure Launch
-
(Windows 11 22H2) Kernel-mode Hardware-enforced Stack Protection:
- Disabled – Turns off kernel-mode Hardware-enforced Stack Protection, or
- Enabled in audit mode – enables kernel-mode Hardware-enforced Stack Protection where shadow stack violations are not fatal and will be logged to the system event log, or
- Enabled in enforcement mode – enables kernel-mode Hardware-enforced Stack Protection where shadow stack violations are fatal, or
- Not Configured – leaves the policy setting undefined
Configure VBS to enable Credential Guard in Windows 11 -
-
Click Apply and Ok.
-
Now run the following cmdlet in an elevated Command Prompt for the changes to take effect.
GPUpdate /ForceEnforce Group Policies
Windows Defender Credential Guard will now be enabled.
You can also enable or disable the Credential Guard from Windows Registry.
Disable Windows Defender Credential Guard in Windows 11/10 from Windows Registry
If you are unable to disable the Windows Defender Credential Guard using the Group Policy editor, then you can use the Registry editor to get the job done. Here are the steps to disable the Credential Guard from Windows Registry:
Note: Misconfiguration of critical values in the system’s registry could be fatal for your operating system. Therefore, we insist that you create a system restore point before proceeding forward with the process.
You can also use our top selection of disk imaging and backup software so you never lose your data or operating system again.
-
Open the Registry Editor by typing in “regedit” in the Run Command box.
Open the Registry Editor -
Paste the following in the navigation bar for quick navigation and press Enter:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Navigate to DeviceGuard -
Create a new DWORD and name it “EnableVirtualizationBasedSecurity”.
Create DWORD EnableVirtualizationBasedSecurity Right-click the DeviceGuard key, expand New, then click “DWORD (32-bit) Value,” and name this key “EnableVirtualizationBasedSecurity.”
Note: If this or any other value inside the Windows Registry already exists, then do not create a new one. Instead, perform the following action on the existing Registry.
-
Double-click the DWORD “EnableVirtualizationBasedSecurity” and set its Value Data to “0.”
Set Value Data for EnableVirtualizationBasedSecurity -
Now paste the following in the navigation bar to change the directory:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Navigate to Lsa -
Create a new DWORD named “LsaCfgFlags.”
-
Set the Value Data for “LsaCfgFlags” to “0.”
Set Value Data for LsaCfgFlags -
Restart the computer for the changes to take effect.
When the computer restarts, you will find that the Windows Defender Credential Guard has been disabled.
Enable Windows Defender Credential Guard in Windows 11/10 from Windows Registry
If you want to enable Windows Defender Credential Guard from Windows Registry, then follow these steps. Note that these steps are a little different from the ones given above to disable the feature, as it involves an additional Registry value.
-
Open the Registry Editor by typing in “regedit” in the Run Command box.
Open the Registry Editor -
Paste the following in the navigation bar for quick navigation and press Enter:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Navigate to DeviceGuard -
Create a new DWORD and name it “EnableVirtualizationBasedSecurity”.
Create DWORD EnableVirtualizationBasedSecurity Right-click the DeviceGuard key, expand New, then click “DWORD (32-bit) Value,” and name this key “EnableVirtualizationBasedSecurity.”
Note: If this or any other value inside the Windows Registry already exists, then do not create a new one. Instead, perform the action on the existing Registry.
-
Double-click the DWORD “EnableVirtualizationBasedSecurity” and set its Value Data to “1.”
Set Value Data for EnableVirtualizationBasedSecurity -
Create another DWORD within the same “DeviceGuard” key and name it “RequirePlatformSecurityFeatures”.
-
Set the Value Data for “RequirePlatformSecurityFeatures” to “1.”
Set Value Data for RequirePlatformSecurityFeatures -
Now paste the following in the navigation bar to change the directory:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Navigate to Lsa -
Create a new DWORD named “LsaCfgFlags.”
-
Set the Value Data for “LsaCfgFlags” to “1.”
Set Value Data for LsaCfgFlags -
Restart the computer for the changes to take effect.
Windows Defender Credential Guard will now be enabled. This method can be adopted on both Windows 10 and Windows 11, as long as your PC meets the requirements.
How to Check if Windows Defender Credential Guard is Enabled or Disabled
Whether you have made changes to enable or disabled the Credential Guard, or just want to check its status, there are methods you can try.
From System Information
-
Open the System Information applet by typing in “msinfo32” in the Run Command box.
Open System Information -
Stay in the “System Summary” tab.
-
On the right side, look for the value in front of “Virtualization-based security Services Running.”
Check System Information for Credential Guard status If the value says “Credential Guard,” it means that Credential Guard is activated and running.
Using Windows PowerShell
Simply run the following cmdlet in an elevated PowerShell instance to check the current status of Credential Guard:
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
One of the following outputs would then be generated, informing you of whether Windows Defender Credential Guard is running or not:
- 0 – Credential Guard is disabled
- 1 – Credential Guard is enabled
Closing Thoughts
The Windows Defender Credential Guard ought to be running at all times. It keeps your usernames and passwords safe from hackers.
However, if it causes any trouble, such as issues with VMWare, or the fact that you are annoyed by the constant credentials prompts, you can always disable it.
That said, we still recommend that you re-enable it once you are done with your work.
The methods to enable and disable Windows Defender Credential Guard are given in this post for both Windows 10 and 11 and can be done from the Group Policy Editor and the Registry Editor.
Readers help support Windows Report. We may get a commission if you buy through our links.
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
Looking to disable the Windows Defender Credential Guard on Windows 11? You’re not alone. While it enhances security, this feature can block access to apps like VMware. Here’s what you need to know to disable it effectively.
How do I disable the Windows Defender Credential Guard on Windows 11?
Before trying advanced solutions try the following: disconnect remote connections, and close background apps. If these don’t work, keep reading.
1. Disable via Group Policy
- Press Windows + R key to open the Run dialog box, type gpedit.msc in the text space, and click OK to open the Group Policy Editor.
- Navigate to the following location:
Computer Configuration\Administrative Templates\System\Device Guard - Click on Device Guard and double-click the Turn on Virtualization Based Security policy option.
- Then, click the Disabled or the Not Configured option and the OK button to save the changes.
- Exit and restart your PC to effect the change you made.
Selecting the disabled option or Not configured will stop the activities of Windows Defender Credentials Guard on your Windows 11. Also, you can check the fixes for missing gpedit on Windows 11 if you cannot find it.
2. Disable via Registry Keys
- Left-click the Start button, type Regedit in the search box, and select Registry Editor.
- Navigate to the following keys and set their values to 0 to disable the virtualization-based security:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlagsHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags - Restart your computer.
Note that you must set the registry settings to 0 to disable virtualization-based security.
- Windows 11 24H2 is now broadly available, but there’s a catch
- Gamers are migrating to Windows 11 even more as Windows 10 EoS nears
- Windows 11 will soon add ‘Advanced’ settings page with lots of useful options
- Microsoft’s forced BitLocker encryption causing Windows 11 users lose their data
3. Disable via UEFI Lock
- Left-click the Start button, type comm in the search space, and select Run as Administrator.
- Click Yes when the User Account Control window appears.
- Run the following command and click ENTER:
bcdedit - Then copy and paste the following commands in the Command Prompt:
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
Before the booting process completes, confirm the prompt notifying you that UEFI was modified. Also, ensure the prompt will implement the changes you made.
4. Disable Virtualization-Based Security
- Left-click the Start button, type comm in the search space, and select Run as Administrator.
- Click Yes when the User Account Control window appears.
- Run the following command and click ENTER:
bcdedit - Then copy and paste the following commands and press ENTER:
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS bcdedit /set vsmlaunchtype off - Finally, restart your PC to implement the changes.
The Windows Defender Credential Guard is dependent on VBS (Virtualization-Based Security). Hence, disabling the Virtual-Based Security will automatically disable the Credential Guard on your Windows device.
Ensure to follow the steps strictly to avoid complicating your PC further.
Nonetheless, check our article about disabling Windows Defender Credential Guard on Windows 10 for more details.
Kindly tell us which solutions worked for you in the comments section. For further queries, leave them, and we will get back to you.
Henderson Jayden Harper
Windows Software Expert
Passionate about technology, Crypto, software, Windows, and everything computer-related, he spends most of his time developing new skills and learning more about the tech world.
He also enjoys gaming, writing, walking his dog, and reading and learning about new cultures. He also enjoys spending private time connecting with nature.
Credential Guard is one of the main security features in Windows 10. This post shows 2 ways to disable Credential Guard. In addition, you can visit MiniTool to look for more Windows solutions and tips.
What Is Credential Guard?
Credential Guard is a virtualization-based isolation technology for Local Security Authority Subsystem Service that can prevent attackers from stealing credentials. Hence, it can provide a kind of protection for your data.
The Windows Defender Credential Guard was introduced in Windows 10 Enterprise and Windows Server 2016, and Windows Server 2019. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticker Granting Tickets, and credentials stored by applications as domain credentials.
However, some users complain that the VMware may fail to work if the Windows Defender Credential Guard is running. Hence, they ask whether there is a possibility to disable Credential Guard.
Of course, you can do that. In the following section, we will show you 2 ways to disable Credential Guard Windows 10. Keep on your reading.
2 Ways to Disable Credential Guard
In this section, we will show 2 ways to disable device guard or Credential Guard.
Way 1. Disable Credential Guard Windows 10 via Group Policy
First of all, we will show you the first way to disable Credential Guard Windows 10. In this way, you can disable device guard or Credential Guard via Control Panel.
Now, here is the tutorial.
Enable Hyper-V
To disable Credential Guard, you need to enable Hyper-V first.
Step 1: Type Control Panel in the search box of Windows 10 and choose the best-matched one. Then choose Programs and Features to continue.
Step 2: In the left panel, choose Turn Windows features on or off to continue.
Step 3: In the Windows Feature window, check Hyper-V and click OK to continue.
Note: If your Windows 10 is earlier than Windows 10 Version 1607, you also need to check the options Hyper-V Hypervisor and Isolated User Mode.
Step 4: Then click OK to confirm the changes. After that, it may prompt you to restart your computer. So, restart the computer to continue.
After having enabled Hyper-V, you can begin to disable Credential Guard.
Disable Credential Guard
In this section, we will show you how to disable Credential Guard to continue.
Step 1: Press Windows key and R key together to open Run dialog, then type gpedit.msc in the box and click OK to continue.
Step 2: In the Local Group Policy Editor window, navigate to the following location.
Computer Configuration > Administrative Templates > System > Device Guard
Step 3: Then select Device Guard to continue.
Step 4: Then find the Turn on Virtualization Based Security on the right panel and double-click it to continue.
Step 5: Then in the pop-up window, choose Disabled to continue.
Step 6: After that, click Apply and OK to confirm the changes.
When it is finished, you have disabled Credential Guard and can work with Hyper-V as well as VMware without any issues.
Way 2. Disable Credential Guard via Registry Editor
Now, we will show you the second way to disable Credential Guard. In this way, you can disable Credential Guard via Registry Editor.
Now, here is the tutorial.
Step 1: Press Windows key and R key together to open Run dialog, then type regedit in the box and click OK to continue.
Step 2: In the Registry Editor window, navigate to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
Step 3: Right-click on the DeviceGuard and choose New, then choose DWORD(32-bit) Value to continue.
Step 4: Name the newly created value as the EnableVirtualizationBasedSecurity and hit Enter to continue.
Step 5: Double-click it and then change its value data to 0.
Step 6: After that, right-click the DeviceGuard again, choose New, and choose DWORD(32-bit) Value to continue.
Step 7: Name the new key as RequirePlatformSecurityFeatures to continue.
Step 8: Double-click it to change its value data to 1 to use Secure Boot only or change value data to 3 to use Secure Boot and DMA protection.
Step 9: Returning to the Registry Editor window, and then navigate to the following folder.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Step 10: Right-click on LSA, select New, and choose DWORD(32-bit) Value to continue.
Step 11: Name it as the LsaCfgFlags to continue.
Step 12: Double-click it to change its value data to 0.
When you have finished all steps, close the Registry Editor window and you have successfully disabled the Credential Guard.
From above information, you can know that Credential Guard can provide protection for your data. But if it is disabled, computer would be in a risky status. So, in order to better keep computer safe, you can make a system image.
Final Words
To sum up, this post has introduced 2 ways to disable Credential Guard. So, if you want to disable Windows Defender Credential Guard for a Virtual Machine, these ways can help you out.
If you want to disable Credential Guard in Windows 11, you’re essentially turning off a security feature that helps protect your credentials. This isn’t recommended unless you have a specific reason. Here’s a quick guide: Access Group Policy Editor, navigate to the Credential Guard settings, and disable it. Now, let’s break it down step-by-step.
Disabling Credential Guard in Windows 11 can be quite straightforward if you follow the steps carefully. This part of the setup will walk you through each step, ensuring you understand what is happening at each stage.
Step 1: Open Group Policy Editor
To start, you need to open the Group Policy Editor.
To do this, press the Windows Key + R to open the Run dialog box. Then type «gpedit.msc» and hit Enter. The Group Policy Editor will open, which is where you can manage many advanced settings on your computer.
Step 2: Navigate to Credential Guard Settings
Next, you need to find the Credential Guard setting within the Group Policy Editor.
Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security. This is where Credential Guard settings are located, and you’ll need to tweak these settings to disable Credential Guard.
Step 3: Disable Credential Guard
Now, it’s time to disable the Credential Guard.
Double-click on «Turn on Virtualization Based Security.» A new window will open, and you need to set the option to «Disabled.» Click Apply, then OK. This disables Credential Guard, but you may need to restart your computer for the changes to take effect.
Step 4: Confirm Changes in Registry Editor
To ensure that Credential Guard is completely disabled, you might want to check the Registry Editor.
Press Windows Key + R again, type «regedit,» and hit Enter. Navigate to HKEY_LOCAL_MACHINESystemCurrentControlSetControlDeviceGuard. Ensure that the «EnableVirtualizationBasedSecurity» key is set to 0. If it isn’t, change it manually.
Step 5: Restart Your Computer
Finally, restart your computer to apply all the changes.
Once your computer restarts, Credential Guard should be disabled.
After completing these steps, Credential Guard will be disabled, which means that your system won’t be using this particular security feature to protect your credentials anymore.
Tips for Disabling Credential Guard Windows 11
- Always back up your data before making changes to system settings.
- Make sure you have administrative privileges to access the Group Policy Editor.
- Understand the security implications of disabling Credential Guard.
- Use the Registry Editor with caution—incorrect changes can harm your system.
- Restart your computer to ensure changes are applied properly.
Frequently Asked Questions
What is Credential Guard?
Credential Guard is a feature in Windows 11 that uses virtualization-based security to isolate secrets, such as user credentials, so that only privileged system software can access them.
Why would someone disable Credential Guard?
Someone might disable Credential Guard if it conflicts with other software or security measures, or if it’s causing performance issues.
Can I enable Credential Guard again after disabling it?
Yes, you can re-enable Credential Guard by reversing the steps outlined: set the Group Policy back to «Enabled» and ensure the relevant registry keys are set properly.
Do I need to restart my computer after disabling Credential Guard?
Yes, a restart is necessary to ensure that the changes take effect.
Is it safe to disable Credential Guard?
Disabling Credential Guard reduces the security of your system, making it more vulnerable to attacks. It should only be done if absolutely necessary.
Summary
- Open Group Policy Editor
- Navigate to Credential Guard settings
- Disable Credential Guard
- Confirm changes in Registry Editor
- Restart your computer
Conclusion
Disabling Credential Guard in Windows 11 can be a necessary step for some users, especially if it interferes with specific applications or other security protocols. However, it’s important to recognize the security trade-offs you’re making. Credential Guard is designed to protect your credentials from various types of attacks, so disabling it should be a well-considered decision. If you ever need to re-enable it, just follow the steps in reverse.
For further reading, you may want to explore other security features offered by Windows 11, or consult with a tech expert to ensure you’re making the best choices for your system’s security. Remember, while tweaking settings and exploring advanced options can be exciting, always prioritize your system’s safety.
Matt Jacobs has been working as an IT consultant for small businesses since receiving his Master’s degree in 2003. While he still does some consulting work, his primary focus now is on creating technology support content for SupportYourTech.com.
His work can be found on many websites and focuses on topics such as Microsoft Office, Apple devices, Android devices, Photoshop, and more.
Today, in this post, we will see how to enable or turn on Credential Guard in Windows 11/10 using Group Policy. Credential Guard is one of the main security features available with Windows 11/10. It allows protection against the hacking of domain credentials, thereby preventing hackers from taking over the enterprise networks.
What does Credential Guard do?
Credential Guard is one of the main security features available with Windows 11/10. It allows protection against hacking of domain credentials thereby preventing hackers from taking over the enterprise networks. With features like Device Guard and Secure Boot, Windows 11/10 is more secure than any of the previous Windows operating systems.
Credential Guard is available only in Windows 11/10 Enterprise Edition. So if you are using Pro or Education, you won’t get to see this feature on your version of Windows. Moreover, Your machine should be supporting Secure Boot and 64-bit virtualization.
To enable or turn on Credential Guard, Open Run, type gpedit.msc and hit Enter to open the Group Policy Editor.
Now navigate to the following setting:
Computer Configuration > Administrative Templates > System > Device Guard
Now, double-click Turn On Virtualization Based Security, and then select Enabled.
Under Options, select Platform Security Level box, choose Secure Boot or Secure Boot and DMA Protection.
Under Virtual Based protection of Code Integrity, select Not configured
In the Credential Guard Configuration box, click Enabled with UEFI lock and then OK. If you want to turn off Credential Guard remotely, choose Enabled without lock.
Under Secure Launch Configuration, select Not configured
Under Kernal-mode Hardware-enforced Stack Protection, select Not configured
This policy specifies whether Virtualization Based Security is enabled.
Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.
Virtualization Based Protection of Code Integrity
This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.
The “Disabled” option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the “Enabled without lock” option.
The “Enabled with UEFI lock” option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to “Disabled” as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
The “Enabled without lock” option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.
The “Not Configured” option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
The “Require UEFI Memory Attributes Table” option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility.
Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.
Credential Guard
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials.
The “Disabled” option turns off Credential Guard remotely if it was previously turned on with the “Enabled without lock” option.
The “Enabled with UEFI lock” option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to “Disabled” as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
The “Enabled without lock” option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
The “Not Configured” option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
Secure Launch
This setting sets the configuration of Secure Launch to secure the boot chain.
The “Not Configured” setting is the default, and allows configuration of the feature by Administrative users.
The “Enabled” option turns on Secure Launch on supported hardware.
The “Disabled” option turns off Secure Launch, regardless of hardware support.
Click Apply/OK and exit.
Restart your system.
Disable or Enable Credential Guard using Registry
You need to enable virtualization-based security first as follows:
Open Registry Editor and go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
Add a new DWORD value. name it EnableVirtualizationBasedSecurity and set its value as follows:
- To enable virtualization-based security, set it to 1
- To disable virtualization-based security set it to 0
Next, add a new DWORD value named RequirePlatformSecurityFeatures.
Set the value of this registry setting to 1
- To use Secure Boot only set its value to 1
- To use Secure Boot and DMA protection, set its value to 3
Now, to enable Windows Defender Credential Guard, go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Add a new DWORD value and name it LsaCfgFlags.
- To disable Windows Defender Credential Guard, set its value to 0
- To enable Windows Defender Credential Guard with UEFI lock, set it to 1
- To enable Windows Defender Credential Guard without UEFI lock, set it to 2
Close Registry Editor and restart your computer.
You have to remember that Credential Guard will offer protection against direct hacking attempts and malware-seeking credential information. If the credential information is already stolen before you could implement Credential Guard, it won’t prevent the hackers from using the hash key on other computers in the same domain.
Read: Credential Guard Service not running but Enabled in Windows
How do I know if Credential Guard running?
You can view System Information to check that Windows Defender Credential Guard is running on your computer. To do so, Run msinfo32.exe, and select System Information. Next, select System Summary. If you see Credential Guard mentioned next to Virtualization-based Security Services, it means it is running.
TIP: The Remote Credential Guard in Windows 11/10 protects Remote Desktop credentials.
