Some have reported that due to this feature, the Remote Desktop Connection now consistently asks for credentials, while others are experiencing problems running the VMWare hypervisor. In this article, we are going to address what Windows Defender Credential Guard is, and how you can disable it, or enable it, if needed.
What is Windows Defender Credential Guard
The Credential Guard is part of Windows Security that was first introduced in Windows 10 Enterprise edition, which has now also been carried forward to Windows 11 Professional edition, amongst others.
The Windows Defender Credential Guard uses virtualization technology to isolate your credentials so that they cannot be stolen via unauthorized access. This protects sensitive data against credential theft attacks, and only authorized systems can view or edit the credentials. This is why users see repeated credential prompts when trying to access remote computers via RDP.
In Windows 10, this feature is disabled by default but is automatically enabled when you enable Hyper-V. In Windows 11 Pro, this feature is enabled by default, provided that your system meets the minimum requirements. Here is a list of the minimum hardware and software requirements for Credential Guard to be enabled:
- Support for Virtualization-based security
- Secure boot
- Trusted Platform Module (TPM) versions 1.2 or 2.0
- UEFI lock (preferred)
- 64-bit CPU
- CPU virtualization
- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
Below you’ll find the methods to enable Windows Defender Credential Guard, or disable it in case it is causing problems. The Credential Guard can be seen in Windows Security, inside “Device Security” under Core Isolation. However, there is no option to configure it there. Credential Guard can be enabled or disabled using Group Policy and the Windows Registry. However, in Windows 10, the method to enable it requires an additional step. We have discussed the methods in detail below.
Disable Windows Defender Credential Guard in Windows 10
In Windows 10, the Credential Guard is automatically enabled when you enable Hyper-V. In the method below, we will show you how to disable Credential Guard while Hyper-V is still enabled. To disable Credential Guard in Windows 10, we must first enable Hyper-V.
Enable Hyper-V
The wizard will now install Hyper-V and its components.
Now, it is time to disable Credential Guard. This can be done via the Group Policy.
Disable Credential Guard
The Windows Defender Credential Guard will now be disabled with Hyper-V still enabled. However, if you wish to enable Credential Guard on Windows 10, follow the guide in the next section below.
Enable Windows Defender Credential Guard in Windows 10
To enable the Credential Guard in Windows 10, follow these steps: Windows Defender Credential Guard will now be enabled.
Select Platform Security Level: Secure Boot and DMA Protection
Virtualization Based Protection of Code Integrity:
  - Enabled with UEFI Lock – So the option cannot be disabled remotely, or
  - Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
Credential Guard Configuration:
  - Enabled with UEFI Lock – So the option cannot be disabled remotely, or
  - Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
Secure Launch Configuration:
  - Not Configured – If you choose it to be configured by your domain administrator, or
  - Enabled – If you want to turn on Secure Launch, or
  - Disabled – If you want to disable Secure Launch
There are also other methods to disable or enable the Credential Guard in Windows 10. The following methods also apply to Windows 11.
Disable Windows Defender Credential Guard in Windows 11 using Group Policy
As mentioned earlier, the Credential Guard is enabled by default in Windows 11. You can disable it using the Windows Group Policy editor or through the Windows Registry. You can use any of the following methods to disable it, or re-enable it if needed. Follow these steps to disable the Credential Guard in Windows 11 or Windows 10 using the Group Policy editor: The Windows Defender Credential Guard will now be disabled. However, to enable it, perform the steps in the next section.
Enable Windows Defender Credential Guard in Windows 11 using Group Policy
Windows Defender Credential Guard will now be enabled.
Select Platform Security Level: Secure Boot and DMA Protection
Virtualization Based Protection of Code Integrity:
  - Enabled with UEFI Lock – So the option cannot be disabled remotely, or
  - Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
Credential Guard Configuration:
  - Enabled with UEFI Lock – So the option cannot be disabled remotely, or
  - Enabled without lock – Windows Defender Credential Guard can be disabled remotely.
Secure Launch Configuration:
  - Not Configured – If you choose it to be configured by your domain administrator, or
  - Enabled – If you want to turn on Secure Launch, or
  - Disabled – If you want to disable Secure Launch
(Windows 11 22H2) Kernel-mode Hardware-enforced Stack Protection:
  - Disabled – Turns off kernel-mode Hardware-enforced Stack Protection, or
  - Enabled in audit mode – enables kernel-mode Hardware-enforced Stack Protection where shadow stack violations are not fatal and will be logged to the system event log, or
  - Enabled in enforcement mode – enables kernel-mode Hardware-enforced Stack Protection where shadow stack violations are fatal, or
  - Not Configured – leaves the policy setting undefined
You can also enable or disable the Credential Guard from Windows Registry.
Disable Windows Defender Credential Guard in Windows 11/10 from Windows Registry
If you are unable to disable the Windows Defender Credential Guard using the Group Policy editor, then you can use the Registry editor to get the job done. Here are the steps to disable the Credential Guard from Windows Registry:
Right-click the DeviceGuard key, expand New, then click “DWORD (32-bit) Value,” and name this value “EnableVirtualizationBasedSecurity.”
Note: If this or any other value inside the Windows Registry already exists, then do not create a new one. Instead, perform the following action on the existing value.
When the computer restarts, you will find that the Windows Defender Credential Guard has been disabled.
Enable Windows Defender Credential Guard in Windows 11/10 from Windows Registry
If you want to enable Windows Defender Credential Guard from Windows Registry, then follow these steps. Note that these steps are a little different from the ones given above to disable the feature, as they involve an additional Registry value.
Right-click the DeviceGuard key, expand New, then click “DWORD (32-bit) Value,” and name this value “EnableVirtualizationBasedSecurity.”
Note: If this or any other value inside the Windows Registry already exists, then do not create a new one. Instead, perform the action on the existing value.
Windows Defender Credential Guard will now be enabled. This method can be adopted on both Windows 10 and Windows 11, as long as your PC meets the requirements.
How to Check if Windows Defender Credential Guard is Enabled or Disabled
Whether you have made changes to enable or disable the Credential Guard, or just want to check its status, there are methods you can try.
From System Information
If the value says “Credential Guard,” it means that Credential Guard is activated and running.
Using Windows PowerShell
Simply run the following cmdlet in an elevated PowerShell instance to check the current status of Credential Guard:
One of the following outputs would then be generated, informing you of whether Windows Defender Credential Guard is running or not:
- 0 – Credential Guard is disabled
- 1 – Credential Guard is enabled
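The status check and the Registry settings described above can be audited together. The following is an added example, not code from the original article: it reads the Win32_DeviceGuard WMI class and the Registry values without changing anything, and it goes beyond the 0/1 reading above because the running-services field is a list that can also hold other values. The function name Get-CredentialGuardStatus is hypothetical, and the full Registry paths and the LsaCfgFlags value are taken from Microsoft's documented settings rather than from this page.

```powershell
# Added example: read-only audit of Credential Guard configuration vs. runtime state.
# Run in an elevated PowerShell session. The function name is hypothetical.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Runtime state as reported by the Device Guard WMI class.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # Return a registry value, or $null when the key or value does not exist.
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

    # The Group Policy location is checked first, then the local setting.
    $lsaCfg = & $read $polKey 'LsaCfgFlags'
    if ($null -eq $lsaCfg) { $lsaCfg = & $read $lsaKey 'LsaCfgFlags' }

    $lsaNames = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }
    $vbsNames = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

    $lsaText = 'Not configured'
    if ($null -ne $lsaCfg -and $lsaNames.ContainsKey([int]$lsaCfg)) {
        $lsaText = $lsaNames[[int]$lsaCfg]
    }

    [pscustomobject]@{
        VbsStatus                 = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        VbsRequestedInRegistry    = ((& $read $dgKey 'EnableVirtualizationBasedSecurity') -eq 1)
        CredentialGuardRequested  = $lsaText
        # These two fields are lists: 1 = Credential Guard, 2 = memory integrity (HVCI).
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        MemoryIntegrityRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-CredentialGuardStatus | Format-List
```

CredentialGuardRunning reflects the current boot, while the Registry values only show what has been requested and take effect after a restart, so a mismatch between the two usually means a reboot is pending or a requirement is not met.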
Closing Thoughts
The Windows Defender Credential Guard ought to be running at all times. It keeps your usernames and passwords safe from hackers. However, if it causes any trouble, such as issues with VMWare, or if you are annoyed by the constant credential prompts, you can always disable it. That said, we still recommend that you re-enable it once you are done with your work. The methods to enable and disable Windows Defender Credential Guard are given in this post for both Windows 10 and 11 and can be done from the Group Policy Editor and the Registry Editor.