McKnife (Germany) asked:
How to disable Windows 10 Credential Guard?

Friendly disclaimer: please only participate if you know Credential Guard and you yourself have had this very problem AND solved it successfully - thanks.

On win10 1909, I tested credential guard (activated the feature via GPO). It worked and I finished my test by deactivating it via GPO and I rebooted - it stayed on.
I verified that the disabling GPO was applied - it was, but it stayed on:

[screenshot omitted]

So I uninstalled Hyper-V - it shouldn't work without. It stayed on.
So I restored an image backup of c: (definitely, in this backup it wasn't on) - it stayed on.

Who knows how to disable it?
(I am able to deactivate the Intel Virtualization BIOS features and yes, that solved it, but it won't let me use Hyper-V, which I need.)
McKnife (asker):
It's solved. Please don't answer (unless you are iamthecreator), I will explain later.
Accepted solution by Iamthecreator (France): [members-only content, not available on this page]
McKnife (asker):
Thank you so much. My problem was: I used UEFI locking and wasn't aware that this meant I would have to do a lot more to undo it. The GPO text only hints vaguely: "The 'Enabled with UEFI lock' option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to 'Disabled' as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI."
McKnife (asker):
So what needs to be done in addition to resetting the GPO to unconfigured is the following:
----
Delete the following registry settings:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags

If you also wish to disable virtualization-based security, delete the following registry settings:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
Important: If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.

Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

Then restart the PC.
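As an added check (example script, not from the thread or from Microsoft's documentation), the following PowerShell reports whether the policy registry values listed above are still present, decodes LsaCfgFlags (1 = enabled with UEFI lock, the case that caused this problem), and reads the live Credential Guard / VBS state from the Win32_DeviceGuard WMI class, so an admin can confirm the cleanup actually took after the reboot. Run it in an elevated PowerShell session; the registry paths and class names are real, the interpretation strings are my own.

```powershell
# Added example: verify Credential Guard / VBS cleanup state after setting the GPO to Disabled.
# Registry values that persist the policy (same ones the procedure above tells you to delete).
$policyValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA';                  Name = 'LsaCfgFlags' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';      Name = 'LsaCfgFlags' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';      Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';      Name = 'RequirePlatformSecurityFeatures' }
)

Write-Host "== Policy registry values that persist Credential Guard / VBS =="
$uefiLockSeen = $false
foreach ($v in $policyValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $val  = $item.($v.Name)
        $note = ''
        if ($v.Name -eq 'LsaCfgFlags') {
            # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
            $note = switch ([int]$val) { 0 { 'disabled' } 1 { 'enabled WITH UEFI lock' } 2 { 'enabled without lock' } default { 'unknown' } }
            if ([int]$val -eq 1) { $uefiLockSeen = $true }
        }
        Write-Host ("STILL PRESENT  {0}\{1} = {2} {3}" -f $v.Path, $v.Name, $val, $note)
    } else {
        Write-Host ("removed        {0}\{1}" -f $v.Path, $v.Name)
    }
}

Write-Host "`n== Live state reported by Win32_DeviceGuard =="
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsText = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }[[int]$dg.VirtualizationBasedSecurityStatus]
Write-Host "Credential Guard configured: $cgConfigured   running: $cgRunning"
Write-Host "VBS status: $vbsText"

if ($cgRunning -or $uefiLockSeen) {
    Write-Host "`nCredential Guard is still running or was configured with the UEFI lock."
    Write-Host "Clearing the GPO and registry alone will not turn it off: the UEFI variable must be"
    Write-Host "cleared with the SecConfig.efi / bcdedit steps above and confirmed at the next reboot"
    Write-Host "by a physically present user."
}
```

A fully cleaned machine shows every value as "removed", "Credential Guard configured: False   running: False" and "VBS status: not enabled" (unless you deliberately kept VBS/HVCI on).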