How to Enable or Disable Credential Guard in Windows 11 Using Group Policy

Learn to protect your Windows 11 system from credential theft by configuring Credential Guard through Group Policy, enhancing your enterprise network security.

Credential Guard is a Windows 11 security feature that protects domain credentials from theft by attackers and malware. It isolates credential information in a secure environment backed by virtualization-based security, which significantly reduces the risk of unauthorized access to your enterprise networks. This guide walks through enabling or disabling Credential Guard using Group Policy in Windows 11.

Prerequisites for Credential Guard

Before we begin, ensure your system meets the following requirements:

  • Windows 11 Enterprise Edition (Credential Guard is not available in Pro or Education editions)
  • 64-bit processor with virtualization support
  • UEFI firmware with Secure Boot capability
  • Trusted Platform Module (TPM) 2.0

Enabling Credential Guard via Group Policy

Step 1: Open the Group Policy Editor by pressing Win + R, typing gpedit.msc, and hitting Enter.

Step 2: Navigate to Computer Configuration > Administrative Templates > System > Device Guard.

Step 3: Double-click on “Turn On Virtualization Based Security”.

Step 4: In the new window, select “Enabled” to turn on Virtualization Based Security.

Step 5: Under the “Select Platform Security Level” option, choose either “Secure Boot” or “Secure Boot and DMA Protection”. The latter provides additional security but may not be compatible with all hardware.

Step 6: In the “Credential Guard Configuration” box, select one of these options:

  • “Enabled with UEFI lock” – This setting provides the highest security but requires physical access to the machine to disable Credential Guard.
  • “Enabled without lock” – This allows Credential Guard to be disabled remotely, which is useful for troubleshooting but less secure.

Step 7: Click “Apply” and then “OK” to save the changes.

Step 8: Restart your computer for the changes to take effect.

Disabling Credential Guard via Group Policy

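If you need to disable Credential Guard, follow these steps. They are sufficient when the feature was enabled with “Enabled without lock”; as noted above, the “Enabled with UEFI lock” setting requires physical access to the machine to disable Credential Guard.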

Step 1: Open the Group Policy Editor as described earlier.

Step 2: Navigate to the same location: Computer Configuration > Administrative Templates > System > Device Guard.

Step 3: Double-click on “Turn On Virtualization Based Security”.

Step 4: Select “Disabled” and click “Apply” then “OK”.

Step 5: Restart your computer to apply the changes.

Verifying Credential Guard Status

To confirm whether Credential Guard is running on your system:

Step 1: Press Win + R, type msinfo32.exe, and press Enter to open System Information.

Step 2: In the System Summary section, look for “Virtualization-based Security Services Running”. If you see “Credential Guard” listed here, it means the feature is active and running.

Alternative Method: Enabling Credential Guard via Registry

For advanced users or in situations where Group Policy is not available, you can use the Registry Editor to enable Credential Guard:

Step 1: Open Registry Editor by pressing Win + R, typing regedit, and pressing Enter.

Step 2: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.

Step 3: Right-click in the right pane, select New > DWORD (32-bit) Value, and name it “EnableVirtualizationBasedSecurity”.

Step 4: Set the value to 1 to enable virtualization-based security.

Step 5: Create another DWORD value named “RequirePlatformSecurityFeatures” and set it to 1 for Secure Boot only, or 3 for Secure Boot and DMA protection.

Step 6: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Step 7: Create a new DWORD value named “LsaCfgFlags”. Set it to 1 to enable Credential Guard with UEFI lock, or 2 to enable without UEFI lock.

Step 8: Close Registry Editor and restart your computer.
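
The registry steps above, together with the status check from the verification section, scripted in PowerShell as an added example (not part of the original guide). The parameter names and the `-Apply` switch are this example's own, and the `Win32_DeviceGuard` CIM class it reads is not mentioned on the page; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: audits (and with -Apply, sets) the registry values from the steps above.
param(
    [ValidateSet(1, 3)] [int]$PlatformSecurity = 1,  # 1 = Secure Boot, 3 = Secure Boot and DMA protection
    [ValidateSet(1, 2)] [int]$LsaCfgFlags = 2,       # 1 = with UEFI lock, 2 = without lock (revertible remotely)
    [switch]$Apply                                    # without -Apply nothing is written
)

$deviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired state, one entry per DWORD value named in the guide.
$desired = @(
    @{ Path = $deviceGuardKey; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 }
    @{ Path = $deviceGuardKey; Name = 'RequirePlatformSecurityFeatures';   Value = $PlatformSecurity }
    @{ Path = $lsaKey;         Name = 'LsaCfgFlags';                       Value = $LsaCfgFlags }
)

$report = foreach ($item in $desired) {
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    if ($Apply -and $current -ne $item.Value) {
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord -Value $item.Value -Force | Out-Null
        $current = $item.Value
    }
    [pscustomobject]@{ Name = $item.Name; Current = $current; Desired = $item.Value; Match = ($current -eq $item.Value) }
}
$report | Format-Table -AutoSize

# Runtime state. Registry changes only take effect after a restart, so a matching
# registry with CredentialGuardRunning = False usually means a reboot is pending.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
[pscustomobject]@{
    VbsStatus              = $dg.VirtualizationBasedSecurityStatus  # 0 = off, 1 = enabled but not running, 2 = running
    CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1  # 1 = Credential Guard
} | Format-List
```

Run it without `-Apply` first to see which values differ from the desired state before changing anything.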


By following these steps, you’ve successfully configured Credential Guard on your Windows 11 system. Remember, while Credential Guard significantly improves security, it’s just one part of a comprehensive security strategy. Keep your system and software up-to-date, and always follow best practices for password management and network security.