Credential Guard is a Windows 11 security feature that isolates and protects login credentials using virtualization-based security. While it strengthens protection against credential theft, it can conflict with certain legacy apps, older VPN clients, or third-party virtualization tools that need direct access to authentication data. Credential Guard is only supported on Windows 11 Enterprise and Education editions, and on Windows 11 22H2 and later it is enabled by default on devices that meet the hardware requirements. Here is how to turn it off and verify the change.

When You Need to Turn Off Credential Guard
Credential Guard blocks a specific set of everyday workflows once enabled.
- Remote Desktop Connection stops storing reusable passwords, since NTLM credentials can no longer be saved locally.
- VMware Workstation and VirtualBox fail to launch VMs, often with a Device Guard or Credential Guard compatibility error.
- Wi-Fi and VPN logins using MSCHAPv2, PEAP-MSCHAPv2, or EAP-MSCHAPv2 stop authenticating.
- Apps relying on NTLMv1 or unconstrained Kerberos delegation no longer function correctly.
- Single Sign-On fails on Remote Desktop Services hosts, forcing repeated credential prompts.
Running Credential Guard on domain controllers is also not recommended, since it adds no meaningful security benefit there and can cause compatibility issues with third-party software.
Check Whether Credential Guard Is Running
Confirm the current state before making any changes, since some systems have it enabled by default without any manual setup.
- Open PowerShell as Administrator.
- Run the following command:
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning- This returns an array of numbers, not a simple true/false value. Each number represents a different virtualization-based security service:
| Value | Meaning |
|---|---|
| 0 | None running |
| 1 | Credential Guard |
| 2 | HVCI (Hypervisor-Enforced Code Integrity) |
| 3 | System Guard Secure Launch |
| 4 | SMM Firmware Measurement |
- Look specifically for
1in the returned array. If1is present, Credential Guard is running. A result like2alone means only HVCI is active, and Credential Guard itself is off. No output at all means none of these services are running.
Disable Credential Guard With Group Policy and the Registry
This is the standard path on systems without a UEFI lock. Use whichever tool you’re most comfortable with, since all three edit the same underlying setting.
Method 1: Group Policy Editor
- Press
Win + R, typegpedit.msc, and press Enter. - Navigate to
Computer Configuration > Administrative Templates > System > Device Guard. - Double-click Turn On Virtualization Based Security.
- Select Disabled, then click Apply and OK.
- Restart your PC for the change to take effect.
Method 2: Registry Editor
- Press
Win + R, typeregedit, and press Enter. - Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA. - Find or create a DWORD value named
LsaCfgFlagsand set it to0. - If Credential Guard was enabled through policy, also check
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuardfor a matchingLsaCfgFlagsvalue and set it to0as well. - Close Registry Editor and restart your computer.
Method 3: Command Prompt
- Open Command Prompt as Administrator.
- Run the following command to disable the virtualization-based security registry key:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags /t REG_DWORD /d 0 /f- Restart the system to apply the change.
Remove Credential Guard When a UEFI Lock Is Enabled
If Credential Guard was originally enabled with a UEFI Lock, the registry and Group Policy changes above will not disable it on their own, since the lock overrides those settings at boot. There are two ways to remove it.
Option A: Using the readiness tool script
- Download the Device Guard and Credential Guard hardware readiness tool from Microsoft and extract the zip file, which contains
DG_Readiness_Tool_v3.6.ps1. - Open PowerShell as Administrator, navigate to the extracted folder, and run the script with the disable parameter:
.\DG_Readiness_Tool_v3.6.ps1 -Disable. - Restart the computer.
- During restart, a prompt appears asking to confirm the change. Press
F3within a few seconds to confirm disabling Credential Guard, otherwise the change is cancelled and Credential Guard stays active.
Option B: Manually staging a boot entry
If you’d rather not run a third-party script, you can stage the disable action directly through the built-in SecConfig.efi tool and a temporary boot entry.
- Open Command Prompt as Administrator and mount the EFI system partition:
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d- Restart the computer. Early in boot, the Credential Guard Opt-out Tool prompts for confirmation.
- Press
F3within a few seconds to confirm, otherwise the boot loader change is cancelled and Credential Guard stays on.
How to Confirm Credential Guard Is Disabled
After restarting, confirm the feature is disabled before assuming the change worked.
- Press
Win + R, typemsinfo32, and press Enter to open System Information. - Check the Virtualization-based security Services Running field.
- If it shows None or the field is blank, Credential Guard is disabled.
- Alternatively, open PowerShell and run the same
SecurityServicesRunningcommand from the check above. If1is no longer in the returned array, Credential Guard is disabled, even if other values like2for HVCI remain.
If Credential Guard Still Shows Enabled
Sometimes the check still returns a running value even after following the steps above.
- The
F3confirmation prompt during boot was skipped or missed, cancelling the disable request. - The Group Policy setting was left on Not Configured instead of explicitly set to Disabled.
- A firmware-level Credential Guard or Virtualization-Based Security option is still turned on in BIOS/UEFI and needs to be disabled there directly.
- Hyper-V or another virtualization feature is still installed, which keeps a dependency VBS relies on active. Removing unused virtualization features can close this gap.
Frequently Asked Questions
Does disabling Credential Guard reduce Windows 11 security?
Yes, disabling it removes an extra layer of protection against credential theft attacks like pass-the-hash. Only disable it if a specific compatibility issue requires it.
Can I re-enable Credential Guard later?
Yes, reversing any of the methods above and restarting the system re-enables Credential Guard.
Does Credential Guard require a restart to disable?
Yes, a restart is required after any of the methods above for the change to take effect.
Is it safe to disable Credential Guard on a personal laptop?
Yes, for most home and personal use cases the risk is low, since Credential Guard mainly protects against advanced credential theft techniques seen in enterprise and domain environments. Keep other basic protections like Windows Defender and Secure Boot active.
Will disabling Credential Guard affect Hyper-V or WSL2?
No, disabling Credential Guard alone does not remove Hyper-V or WSL2. It only turns off the credential isolation layer. Virtualization-based security features tied to Hyper-V continue working unless you also disable virtualization-based security separately.
Related Guides
- How to Enable Hyper-V on Windows 11: Step-by-Step Guide
- WSL Containers Public Preview: How to Install and Use wslc.exe on Windows 11
- Fix: Hyper-V Cannot Delete Checkpoint – Catastrophic Failure (0x8000FFFF)
- Hyper-V Failed to Connect to Local Computer
- Windows 11 Requirements for VMware and Hyper-V (Complete Setup Guide)
