McKnife
asked on
How to disable Windows 10 Credential Guard?
Friendly disclaimer: please only participate if you know Credential Guard and you yourself have had this very problem AND solved it successfully - thanks.
On win10 1909, I tested credential guard (activated the feature via GPO). It worked and I finished my test by deactivating it via GPO and I rebooted - it stayed on.
I verified that the disabling GPO was applied - it was, but it stayed on.
So I uninstalled Hyper-V - it shouldn't work without. It stayed on.
So I restored an image backup of c: (definitely, in this backup it wasn't on) - it stayed on.
Who knows how to disable it?
(I am able to deactivate Intel Virtualization BIOS features and yes, that solved it, but it won't let me use Hyper-V, which I need.)
ASKER
Thank you so much. My problem was: I used UEFI locking and wasn't aware that this meant I would have to do a lot more to undo it. The GPO text only hints vaguely: "The 'Enabled with UEFI lock' option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to 'Disabled' as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI."
ASKER
So what needs to be done in addition to resetting the GPO to unconfigured is the following:
----
Delete the following registry settings:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
If you also wish to disable virtualization-based security delete the following registry settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
Important
If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
Then restart the PC.
----
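As an added example (not from the thread or from Microsoft's instructions), a PowerShell check to run from an elevated prompt after the reboot: it confirms, via the Win32_DeviceGuard WMI class, that Credential Guard is no longer configured or running, and reports any of the registry values or the temporary SecConfig.efi boot entry from the steps above that are still present. It only reads state; it changes nothing.

```powershell
# Added example: verify that Credential Guard / VBS is really off after the
# GPO reset, registry cleanup and SecConfig.efi boot described in the thread.

# 1. Ask the Device Guard WMI class what is configured vs. actually running.
#    Service IDs per Microsoft's documentation: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
"VBS status (0 = off, 1 = enabled but not running, 2 = running): $($dg.VirtualizationBasedSecurityStatus)"
"Credential Guard configured: $cgConfigured   running: $cgRunning"

# 2. The registry values named in the instructions must all be gone; a surviving
#    value re-arms the policy on the next boot, and a partial cleanup can trigger
#    BitLocker recovery, as the quoted note warns.
$leftovers = @(
    @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA';           Name = 'LsaCfgFlags' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'LsaCfgFlags' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'RequirePlatformSecurityFeatures' }
    ) | Where-Object {
        $null -ne (Get-ItemProperty -Path $_.Path -Name $_.Name -ErrorAction SilentlyContinue)
    }
)
foreach ($l in $leftovers) { Write-Warning "Still present: $($l.Path)\$($l.Name)" }

# 3. Report whether the one-time boot entry created for SecConfig.efi (GUID taken
#    from the instructions above) is still in the BCD store, so the admin can
#    decide whether to clean it up.
$bcdGuid = '{0cb3b571-2f2e-4343-a879-d86a476d7215}'
if ((bcdedit /enum all) -match [regex]::Escape($bcdGuid)) {
    Write-Warning "Boot entry $bcdGuid still exists in the BCD store"
}

if (-not $cgConfigured -and -not $cgRunning -and $leftovers.Count -eq 0) {
    'Credential Guard is off and no policy leftovers remain.'
}
```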