Windows 10: Enable or Disable Credential Guard in Windows 10

Discus and support Enable or Disable Credential Guard in Windows 10 in Windows 10 Tutorials to solve the problem; How to: Enable or Disable Credential Guard in Windows 10 How to Enable or Disable Credential Guard in Windows 10 Credential Guard uses... Discussion in 'Windows 10 Tutorials' started by Brink, Feb 20, 2017.

  1. Brink
    Brink New Member

    Enable or Disable Credential Guard in Windows 10


    How to: Enable or Disable Credential Guard in Windows 10

    How to Enable or Disable Credential Guard in Windows 10


    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

    Credential Guard offers the following features and solutions:
    • Hardware security Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization.
    • Virtualization-based security Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
    • Better protection against advanced persistent threats Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
    • Manageability You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell.
    Credential Guard references: (recommend to read)
    This tutorial will show you how to enable or disable Credential Guard virtualization-based security on Windows 10 Enterprise and Windows 10 Education PCs.

    You must be signed in as an administrator to enable or disable Credential Guard.



    Here's How:

    1. Open Windows Features, and:
    *Arrow In Windows 10 Enterprise/Education version 1607 and newer, check Hyper-V Hypervisor under Hyper-V, and click/tap on OK. (see left screenshot below)

    OR

    *Arrow In Windows 10 Enterprise/Education versions earlier than 1607, check Hyper-V Hypervisor under Hyper-V, check Isolated User Mode, and click/tap on OK. (see right screenshot below)


    Enable or Disable Credential Guard in Windows 10 [​IMG]

    Enable or Disable Credential Guard in Windows 10 [​IMG]


    2. Open the Local Group Policy Editor.

    3. Navigate to the key below in the left pane of Local Group Policy Editor. (see screenshot below)
    *Arrow Computer Configuration\Administrative Templates\System\Device Guard


    Enable or Disable Credential Guard in Windows 10 [​IMG]

    4. In the right pane of Device Guard in Local Group Policy Editor, double click/tap on the Turn On Virtualization Based Security policy to edit it. (see screenshot above)

    5. Do step 6 (enable) or step 7 (disable) below for what you would like to do.


    6. To Enable Credential Guard
    A) Select (dot) Enabled. (see screenshot below step 7)

    B) Under Options, select Secure Boot or Secure Boot and DMA Protection in the Select Platform Security Level drop menu for what you want.

    *note The Secure Boot (recommended) option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.

    The Secure Boot with DMA will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.


    C) If you like, you could also enable Device Guard by selecting Enabled with UEFI lock or Enabled without lock in the Virtualization Based Protection of Code Integrity drop menu for what you want.

    *note The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

    The Enabled without lock option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.


    D) Under Options, select Enabled with UEFI lock or Enabled without lock in the Credential Guard Configuration drop menu for what you want.

    *note The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

    The Enabled without lock option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).


    E) Go to step 8 below.

    7. To Disable Credential Guard
    A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 8 below. (see screenshot below)

    NOTE: Not Configured is the default setting.


    Enable or Disable Credential Guard in Windows 10 [​IMG]


    8. Close the Local Group Policy Editor.

    9. Restart the computer to apply.


    That's it,
    Shawn


    Related Tutorials

    :)
     
    Brink, Feb 20, 2017
    #1
  2. Brink Win User

    Credential Guard lab companion


    Source: Credential Guard lab companion Datacenter and Private Cloud Security Blog


    See also:
     
    Brink, Oct 26, 2019
    #2
  3. Brink Win User
    Windows 10 Device Guard and Credential Guard Demystified

    Source: Windows 10 Device Guard and Credential Guard Demystified - Microsoft Tech Community - 376419


    Enable or Disable Credential Guard in Windows 10 [​IMG]
    Tip How to Enable or Disable Device Guard in Windows 10

    How to Verify if Device Guard is Enabled or Disabled in Windows 10

    How to Enable or Disable Credential Guard in Windows 10

    How to Verify if Credential Guard is Enabled or Disabled in Windows 10
     
    Brink, Oct 26, 2019
    #3
  4. Brink Win User

    Enable or Disable Credential Guard in Windows 10

    Windows 10 Device Guard and Credential Guard Demystified


    Source: Windows 10 Device Guard and Credential Guard Demystified - Microsoft Tech Community - 376419


    Enable or Disable Credential Guard in Windows 10 [​IMG]
    Tip How to Enable or Disable Device Guard in Windows 10

    How to Verify if Device Guard is Enabled or Disabled in Windows 10

    How to Enable or Disable Credential Guard in Windows 10

    How to Verify if Credential Guard is Enabled or Disabled in Windows 10
     
    Brink, Oct 26, 2019
    #4
  5. VMware Error about Credential/Device guard ON/OFF on Windows 10 Home Edition

    Since the upgrade to Windows 10 Version 1903, I am unable to open Virtual Machine using VMWare Workstation Player

    Have looked at the Enable/Disable Credential Docs page here - Manage Windows Defender Credential Guard (Windows 10) but it did not give specifics to fix the
    issue on Home Edition.

    Any help would be appreciated. Thank you.
     
    BangBangET, Oct 26, 2019
    #5
  6. Credential Guard

    When will Credential Guard be supported on the same Windows 10 Enterprise device as Barkly and VMWare Workstation Pro.

    It would be nice to be able to run these products without sacrificing Credential Guard.

    Moved from Insider
     
    IvanPiacun, Oct 26, 2019
    #6
Thema:

Enable or Disable Credential Guard in Windows 10

Loading...
  1. Enable or Disable Credential Guard in Windows 10 - Similar Threads - Enable Disable Credential

  2. How to disable Windows 11 Defender Credential Guard?

    in Windows 10 Gaming
    How to disable Windows 11 Defender Credential Guard?: After upgrading to Windows 11 2022H2, RDP always prompts for credentials and Edge Dev doesn't autofill credentials. According to this, Windows 11 H2 enables Windows Defender Credential Guard. I tried to follow the steps to disable it in the Group Policy Editor it was set to...
  3. How to disable Windows 11 Defender Credential Guard?

    in Windows 10 Software and Apps
    How to disable Windows 11 Defender Credential Guard?: After upgrading to Windows 11 2022H2, RDP always prompts for credentials and Edge Dev doesn't autofill credentials. According to this, Windows 11 H2 enables Windows Defender Credential Guard. I tried to follow the steps to disable it in the Group Policy Editor it was set to...
  4. LSASS.DMP still have my credential after enabling Credential Guard

    in AntiVirus, Firewalls and System Security
    LSASS.DMP still have my credential after enabling Credential Guard: Hi, I might sound noob but want to clarify something regarding Credential Guard. Scenario: I have a domain joined system for a year now and recently I enabled Credential Guard to test and play around with it. Output below shows that CredGuard is enabled: PS C:\temp>...
  5. Windows 10 Device Guard and Credential Guard Demystified

    in Windows 10 Ask Insider
    Windows 10 Device Guard and Credential Guard Demystified: [ATTACH] submitted by /u/Wireless_Life [link] [comments] https://www.reddit.com/r/Windows10/comments/l7w0j3/windows_10_device_guard_and_credential_guard/
  6. Disabling Windows Device/Credential Guard in Windows 10 Home

    in AntiVirus, Firewalls and System Security
    Disabling Windows Device/Credential Guard in Windows 10 Home: How do I disable Device/Credential Guard in Windows 10 Home to use VMware Player? https://file.io/nxqbvg VirtualBox isn't working either, and Windows 10 Home doesn't have Hyper-V (but I wish it would, especially because of Android Studio.) Anyone have a solution besides...
  7. Windows 10 Device Guard and Credential Guard Demystified

    in Windows 10 News
    Windows 10 Device Guard and Credential Guard Demystified: While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some of the key benefits of Windows 10 involve these deep...
  8. Verify if Credential Guard is Enabled or Disabled in Windows 10

    in Windows 10 Tutorials
    Verify if Credential Guard is Enabled or Disabled in Windows 10: How to: Verify if Credential Guard is Enabled or Disabled in Windows 10 How to Verify if Credential Guard is Enabled or Disabled in Windows 10 [img] Information Credential Guard uses virtualization-based security to isolate secrets so that only privileged system...
  9. Verify if Device Guard is Enabled or Disabled in Windows 10

    in Windows 10 Tutorials
    Verify if Device Guard is Enabled or Disabled in Windows 10: How to: Verify if Device Guard is Enabled or Disabled in Windows 10 How to Verify if Device Guard is Enabled or Disabled in Windows 10 Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a...
  10. Enable or Disable Device Guard in Windows 10

    in Windows 10 Tutorials
    Enable or Disable Device Guard in Windows 10: How to: Enable or Disable Device Guard in Windows 10 How to Enable or Disable Device Guard in Windows 10 Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can...

Users found this page by searching for:

  1. windows 10 credentials guard disbale powershell

    ,
  2. how to check if credential guard is enabled locally