
How to enable or disable Windows Defender Credential Guard

Windows Defender Credential Guard is a security feature in Windows that isolates secrets like credentials and hashes in a secure environment, protecting them from malware and other threats. It’s especially useful in enterprise environments, but sometimes it needs to be enabled or disabled based on your setup.

Whether you’re troubleshooting issues, setting up a VM, or managing a secure workstation, here’s how to turn Credential Guard on or off safely.


🔒 What Is Credential Guard?

Credential Guard uses virtualization-based security (VBS) to isolate secrets in memory, making it harder for attackers to steal credentials using tools like Mimikatz. It’s available on Windows 10 Enterprise and Education editions, as well as Windows 11 Pro and up.


✅ How to Enable Credential Guard

There are a few ways to enable Credential Guard. Here’s the easiest and most reliable one:

Option 1: Using Group Policy

  1. Press Win + R, type gpedit.msc, and hit Enter.
  2. Navigate to:
    Computer Configuration → Administrative Templates → System → Device Guard
  3. Double-click “Turn On Virtualization Based Security”.
  4. Select Enabled.
  5. Under Credential Guard Configuration, choose one of:
    • Enabled with UEFI lock (persists through OS reinstallation)
    • Enabled without lock (easier to disable later)
  6. Click OK and restart your PC.

⚠️ Note: Credential Guard requires Secure Boot and virtualization support in BIOS/UEFI. Make sure these are enabled first.


Option 2: Using Windows Features (Optional)

  1. Open Control Panel → Programs → Turn Windows features on or off.
  2. Check:
    • Isolated User Mode
    • Hyper-V Hypervisor (if not already enabled)
  3. Click OK and reboot.

🚫 How to Disable Credential Guard

Need to turn it off for compatibility or testing? Here’s how:

Option 1: Disable via Group Policy

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. Go to:
    Computer Configuration → Administrative Templates → System → Device Guard
  3. Double-click “Turn On Virtualization Based Security”.
  4. Set it to Disabled.
  5. Click OK, then restart.

If you enabled it with UEFI lock, this won’t be enough. You’ll need to clear the UEFI variable.


Option 2: Disable with Registry + UEFI Cleanup

  1. Open Registry Editor (regedit.exe).
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
  3. Delete the EnableVirtualizationBasedSecurity value, or set it to 0.
  4. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  5. Set LsaCfgFlags to 0.

Then, to fully disable:

  • Boot into BIOS/UEFI settings.
  • Look for a setting like “Credential Guard” or “Virtualization-based Security”.
  • Clear it, disable it, or reset Secure Boot keys (varies by manufacturer).
  • Save changes and reboot.

🧠 Final Tips

  • Use MSINFO32 (type it in Start) to check if Credential Guard is running.
  • Enabling Credential Guard may cause conflicts with older drivers or certain apps. Always test in a staging environment first if you’re rolling this out broadly.
  • For enterprise environments, consider using Microsoft Endpoint Manager or Intune for centralized management.
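
A scripted version of the MSINFO32 check, which also compares the running state with the two registry values from the disable steps above. This is an added example, not part of the original article; it assumes an elevated PowerShell session, and the value meanings in the lookup tables follow Microsoft's documentation for Win32_DeviceGuard and LsaCfgFlags.

```powershell
# Added example: read-only Credential Guard status report.
# Registry paths and value names are the ones used in the article.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$vbsReg = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' 'EnableVirtualizationBasedSecurity'
$lsaReg = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'

# Runtime state from the Win32_DeviceGuard CIM class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop

# Value meanings as documented by Microsoft.
$vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$lsaText = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }

# In both SecurityServices arrays, the value 1 stands for Credential Guard.
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning -contains 1

[pscustomobject]@{
    VbsStatus                 = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
    EnableVbsRegistry         = if ($null -eq $vbsReg) { 'Not set' } else { $vbsReg }
    LsaCfgFlags               = if ($null -eq $lsaReg) { 'Not set' } else { $lsaText[[int]$lsaReg] }
} | Format-List

# Flag the mismatches the article warns about.
if ($cgRunning -and $lsaReg -eq 0) {
    Write-Warning 'LsaCfgFlags is 0 but Credential Guard is still running: a reboot is pending or the UEFI lock is still set.'
}
if (-not $cgRunning -and $lsaReg -in 1, 2) {
    Write-Warning 'Credential Guard is configured but not running: check for a pending reboot, Secure Boot and firmware virtualization support.'
}
```

The script only reads state and changes nothing, so it can be run before and after each enable or disable step to confirm the change took effect.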

Got questions or ran into an issue? Drop a comment below and I’ll help you troubleshoot.
