How to Enable or Disable Credential Guard in Windows 10



Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

Credential Guard offers the following features and solutions:

  • Hardware security: Credential Guard increases the security of derived domain credentials by taking advantage of platform security features, including Secure Boot and virtualization.
  • Virtualization-based security: Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
  • Better protection against advanced persistent threats: Securing derived domain credentials with virtualization-based security blocks the credential theft techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new techniques, so you should also incorporate Device Guard and other security strategies and architectures.
  • Manageability: You can manage Credential Guard by using Group Policy, WMI, a command prompt, or Windows PowerShell.


Credential Guard references (recommended reading):


This tutorial will show you how to enable or disable Credential Guard virtualization-based security on Windows 10 Enterprise and Windows 10 Education PCs.

You must be signed in as an administrator to enable or disable Credential Guard.



Here's How:

1. Open Windows Features, and:


In Windows 10 Enterprise/Education version 1607 and newer, check Hyper-V Hypervisor under Hyper-V, and click/tap on OK. (see left screenshot below)

OR

In Windows 10 Enterprise/Education versions earlier than 1607, check Hyper-V Hypervisor under Hyper-V, check Isolated User Mode, and click/tap on OK. (see right screenshot below)
 



2. Open the Local Group Policy Editor.

3. Navigate to the policy path below in the left pane of Local Group Policy Editor. (see screenshot below)


Computer Configuration\Administrative Templates\System\Device Guard


4. In the right pane of Device Guard in Local Group Policy Editor, double click/tap on the Turn On Virtualization Based Security policy to edit it. (see screenshot above)

5. Do step 6 (enable) or step 7 (disable) below for what you would like to do.


6. To Enable Credential Guard

A) Select (dot) Enabled. (see screenshot below step 7)

B) Under Options, select Secure Boot or Secure Boot and DMA Protection in the Select Platform Security Level drop-down menu for what you want.

The Secure Boot (recommended) option provides secure boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.

The Secure Boot and DMA Protection option enables secure boot, and VBS itself, only on a computer that supports DMA protection, that is, a computer with IOMMUs. With this setting, a computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.


C) If you like, you could also enable Device Guard by selecting Enabled with UEFI lock or Enabled without lock in the Virtualization Based Protection of Code Integrity drop-down menu for what you want.

The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

The Enabled without lock option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.


D) Under Options, select Enabled with UEFI lock or Enabled without lock in the Credential Guard Configuration drop-down menu for what you want.

The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

The Enabled without lock option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).


E) Go to step 8 below.



7. To Disable Credential Guard

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 8 below. (see screenshot below)

NOTE: Not Configured is the default setting.



8. Close the Local Group Policy Editor.

9. Restart the computer to apply.
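The same configuration applied and checked from Windows PowerShell instead of the Local Group Policy Editor, as an added example that is not part of the original tutorial. It assumes the registry values Microsoft documents as the equivalents of the Turn On Virtualization Based Security policy (EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard, LsaCfgFlags under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the Win32_DeviceGuard WMI class; the function names are my own. On a domain-joined PC, domain Group Policy overwrites these local values, so use the policy route there.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original tutorial. Writes the registry values
# documented as the equivalent of the "Turn On Virtualization Based Security"
# policy, and reads Credential Guard state back from Win32_DeviceGuard.
# A restart is still required afterwards (step 9).

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-DwordValue([string]$Path, [string]$Name, [int]$Value) {
    # Create the key if it is missing, then create or overwrite the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-CredentialGuardPolicy {
    param(
        # Select Platform Security Level: 'SecureBoot' = "Secure Boot" (1),
        # 'SecureBootAndDma' = "Secure Boot and DMA Protection" (3).
        [ValidateSet('SecureBoot', 'SecureBootAndDma')]
        [string]$PlatformSecurityLevel = 'SecureBoot',
        # $true = "Enabled with UEFI lock" (LsaCfgFlags 1),
        # $false = "Enabled without lock" (LsaCfgFlags 2).
        [bool]$UefiLock = $true
    )
    $level = if ($PlatformSecurityLevel -eq 'SecureBootAndDma') { 3 } else { 1 }
    Set-DwordValue $DeviceGuardKey 'EnableVirtualizationBasedSecurity' 1
    Set-DwordValue $DeviceGuardKey 'RequirePlatformSecurityFeatures' $level
    Set-DwordValue $LsaKey 'LsaCfgFlags' $(if ($UefiLock) { 1 } else { 2 })
    Write-Output "Credential Guard policy written (level=$level, UEFI lock=$UefiLock). Restart to apply."
}

function Disable-CredentialGuardPolicy {
    # Mirrors step 7 for a device configured "Enabled without lock". If the UEFI
    # lock was set, this alone is not enough: the lock must also be cleared by a
    # physically present user, as the tutorial notes.
    Set-DwordValue $LsaKey 'LsaCfgFlags' 0
    foreach ($name in 'EnableVirtualizationBasedSecurity', 'RequirePlatformSecurityFeatures') {
        Remove-ItemProperty -Path $DeviceGuardKey -Name $name -ErrorAction SilentlyContinue
    }
    Write-Output 'Credential Guard policy removed. Restart to apply.'
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard: SecurityServicesRunning contains 1 when Credential Guard
    # is running (2 is HVCI). VirtualizationBasedSecurityStatus: 0 = off,
    # 1 = configured but not running, 2 = running. AvailableSecurityProperties
    # containing 3 means DMA protection (IOMMU) is available, which matters for
    # the "Secure Boot and DMA Protection" choice in step 6B.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                   = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured   = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = ($dg.SecurityServicesRunning -contains 1)
        DmaProtectionAvailable      = ($dg.AvailableSecurityProperties -contains 3)
        AvailableSecurityProperties = $dg.AvailableSecurityProperties
    }
}

# Usage: uncomment the call you want, run, then restart (step 9).
# Enable-CredentialGuardPolicy -PlatformSecurityLevel SecureBoot -UefiLock $false
# Disable-CredentialGuardPolicy
Get-CredentialGuardStatus | Format-List
```

Run Get-CredentialGuardStatus once before the change and again after the restart: CredentialGuardConfigured turning true on the first run and CredentialGuardRunning turning true only after the reboot is the expected sequence, and a VbsStatus of 1 that never becomes 2 usually means the hardware prerequisites from step 1 (Hyper-V Hypervisor, and Isolated User Mode on versions earlier than 1607) are not in place.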


That's it,
Shawn
