{
	"id": "d34e3cc7-592c-4985-9eb9-99b4e828e6af",
	"created_at": "2026-04-06T00:17:16.603761Z",
	"updated_at": "2026-04-10T03:20:01.458294Z",
	"deleted_at": null,
	"sha1_hash": "e997c5d3209a58906e25aae5efe43cdcdc973576",
	"title": "Configure Credential Guard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81576,
	"plain_text": "Configure Credential Guard\r\nBy officedocspr5\r\nArchived: 2026-04-05 21:47:27 UTC\r\nThis article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.\r\nStarting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is enabled by default on devices\r\nwhich meet the requirements.\r\nSystem administrators can explicitly enable or disable Credential Guard using one of the methods described in this\r\narticle. Explicitly configured values overwrite the default enablement state after a reboot.\r\nIf a device has Credential Guard explicitly turned off before updating to a newer version of Windows where\r\nCredential Guard is enabled by default, it will remain disabled even after the update.\r\nCredential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the\r\nfirst time. If Credential Guard is enabled after domain join, the user and device secrets may already be\r\ncompromised.\r\nTo enable Credential Guard, you can use:\r\nMicrosoft Intune/MDM\r\nGroup policy\r\nRegistry\r\nThe following instructions provide details about how to configure your devices. 
Select the option that best suits\r\nyour needs.\r\nTo configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:\r\nCategory: Device Guard\r\nSetting name: Credential Guard\r\nValue: select one of the options:\r\n - Enabled with UEFI lock\r\n - Enabled without lock\r\nImportant\r\nIf you want to be able to turn off Credential Guard remotely, choose the option Enabled without lock.\r\nhttps://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage\r\nPage 1 of 5\n\nAssign the policy to a group that contains as members the devices or users that you want to configure.\r\nAlternatively, you can configure devices using a custom policy with the DeviceGuard Policy CSP.\r\nSetting\r\nSetting name: Turn On Virtualization Based Security\r\nOMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity\r\nData type: int\r\nValue: 1\r\nSetting name: Credential Guard Configuration\r\nOMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags\r\nData type: int\r\nValue:\r\n Enabled with UEFI lock: 1\r\n Enabled without lock: 2\r\nOnce the policy is applied, restart the device.\r\nChecking Task Manager if LsaIso.exe is running isn't a recommended method for determining whether\r\nCredential Guard is running. Instead, use one of the following methods:\r\nSystem Information\r\nPowerShell\r\nEvent Viewer\r\nYou can use System Information to determine whether Credential Guard is running on a device.\r\n1. Select Start, type msinfo32.exe, and then select System Information\r\n2. Select System Summary\r\n3. Confirm that Credential Guard is shown next to Virtualization-based Security Services Running\r\nYou can use PowerShell to determine whether Credential Guard is running on a device. 
From an elevated\r\nPowerShell session, use the following command:\r\n(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard).SecurityServicesRu\r\nThe command generates the following output:\r\n0: Credential Guard is disabled (not running)\r\n1: Credential Guard is enabled (running)\r\nPerform regular reviews of the devices that have Credential Guard enabled, using security audit policies or WMI\r\nqueries.\r\nOpen the Event Viewer ( eventvwr.exe ) and go to Windows Logs\\System and filter the event sources for\r\nWinInit:\r\nEvent ID\r\nDescription\r\n13 (Information)\r\nCredential Guard (LsaIso.exe) was started and will protect LSA credentials.\r\n14 (Information)\r\nCredential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0**\r\nThe first variable: 0x1 or 0x2 means that Credential Guard is configured to run. 0x0 means that it's not\r\nconfigured to run.\r\nThe second variable: 0 means that it's configured to run in protect mode. 1 means that it's configured to run\r\nin test mode. This variable should always be 0.\r\n15 (Warning)\r\nCredential Guard (LsaIso.exe) is configured but the secure kernel isn't running;\r\ncontinuing without Credential Guard.\r\n16 (Warning)\r\nCredential Guard (LsaIso.exe) failed to launch: [error code]\r\n17\r\nError reading Credential Guard (LsaIso.exe) UEFI configuration: [error code]\r\nThere are different options to disable Credential Guard. 
The option you choose depends on how Credential Guard\r\nis configured:\r\nCredential Guard running in a virtual machine can be disabled by the host\r\nIf Credential Guard is enabled with UEFI Lock, follow the procedure described in disable Credential\r\nGuard with UEFI Lock\r\nIf Credential Guard is enabled without UEFI Lock, or as part of the default enablement update, use one of\r\nthe following options to disable it:\r\nMicrosoft Intune/MDM\r\nGroup policy\r\nRegistry\r\nThe following instructions provide details about how to configure your devices. Select the option that best suits\r\nyour needs.\r\nIf Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting disables\r\nCredential Guard.\r\nTo configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:\r\nCategory: Device Guard\r\nSetting name: Credential Guard\r\nValue: Disabled\r\nAssign the policy to a group that contains as members the devices or users that you want to configure.\r\nAlternatively, you can configure devices using a custom policy with the DeviceGuard Policy CSP.\r\nSetting\r\nSetting name: Credential Guard Configuration\r\nOMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags\r\nData type: int\r\nValue: 0\r\nOnce the policy is applied, restart the device.\r\nIf Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI\r\n(firmware) variables.\r\nNote\r\nThis scenario requires physical presence at the machine to press a function key to accept the change.\r\n1. Follow the steps in Disable Credential Guard\r\n2. Delete the Credential Guard EFI variables by using bcdedit. 
From an elevated command prompt, type the\r\nfollowing commands:\r\nmountvol X: /s\r\ncopy %WINDIR%\\System32\\SecConfig.efi X:\\EFI\\Microsoft\\Boot\\SecConfig.efi /Y\r\nbcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d \"DebugTool\" /application osloader\r\nbcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path \"\\EFI\\Microsoft\\Boot\\SecConfig.efi\"\r\nbcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}\r\nbcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO\r\nbcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:\r\nmountvol X: /d\r\n3. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking\r\nfor confirmation. The prompt must be confirmed for the changes to persist.\r\nFrom the host, you can disable Credential Guard for a virtual machine with the following command:\r\nSet-VMSecurity -VMName \u003cVMName\u003e -VirtualizationBasedSecurityOptOut $true\r\nReview the advice and sample code for making your environment more secure and robust with Credential\r\nGuard in the Additional mitigations article\r\nReview considerations and known issues when using Credential Guard\r\nSource: https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage"
	],
	"report_names": [
		"credential-guard-manage"
	],
	"threat_actors": [],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e997c5d3209a58906e25aae5efe43cdcdc973576.pdf",
		"text": "https://archive.orkl.eu/e997c5d3209a58906e25aae5efe43cdcdc973576.txt",
		"img": "https://archive.orkl.eu/e997c5d3209a58906e25aae5efe43cdcdc973576.jpg"
	}
}