How to Disable Credential Guard on Windows 11 [4 Steps]

Some readers want to disable Windows Defender Credential Guard on Windows 11. Microsoft introduced this security feature to the Windows 10 Enterprise in 2016. Some report that the Credential Guard needs to be disabled to run VMware on their PCs.

What is Microsoft Defender Credential Guard?

Windows Defender Credential Guard is a security feature that protects and manages users’ login credentials by isolating users’ from the rest of the system. Its central concept is to keep users’ login information out of hackers’ reach, preventing them from taking control of your PC.

After its incorporation into Windows 10 Enterprise and Windows Server 2016, Microsoft decided to include it in Windows 11. Also, the Windows Defender Credential Guard secures any domain credentials generated from your apps.

However, running some programs alongside this feature can be difficult as it blocks their authentication access.

Likewise, it doesn’t support Domain Controllers, third-party security software, Active Directory database, or any other encryption support program. Also, VMware is not compatible with Credential Guard on Windows 10.

Nevertheless, the Windows Defender Credential Guard isolates the secret credentials on your PC, keeping it protected from theft. Users can enable the Credential Guard on Windows 11 or disable it depending on their preferences and what type of programs they run on their PCs.

How do I disable the Windows Defender Credential Guard on Windows 11?

Before going through any steps for disabling Windows Defender Credential Guard, observe the following preliminary checks:

• Disconnect any remote connection on your PC.
• Disable third-party antivirus ruining on your computer.
• Close background apps.

The above steps will prepare your PC for the process.

1. Disable via Group Policy

1. Press Windows + R key to open the Run dialog box, type gpedit.msc in the text space, and click OK to open the Group Policy Editor.
2. Navigate to the following location: Computer Configuration\Administrative Templates\System\Device Guard
3. Click on Device Guard and double-click the Turn on Virtualization Based Security policy option.
4. Then, click the Disabled or the Not Configured option and the OK button to save the changes.
5. Exit and restart your PC to effect the change you made.

Selecting the disabled option or Not configured will stop the activities of Windows Defender Credentials Guard on your Windows 11. Also, you can check the fixes for missing gpedit on Windows 11 if you cannot find it.

2. Disable via Registry Keys

1. Left-click the Start button, type Regedit in the search box, and select Registry Editor.
2. Navigate to the following keys and set their values to 0 to disable the virtualization-based security: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
3. Restart your computer.

Note that you must set the registry settings to 0 to disable virtualization-based security.

Read more about this topic

• Microsoft Edge Search bar on Windows 11 now allows to use Google Search right from the desktop
• Want to update and shut down your PC? Tough luck, as bugs still plague this feature
• A new Windows Photos feature will let you use Microsoft Designer directly
• Microsoft Edge may lock its Settings on Nonactivated Windows 
• Blast from the past: Windows 11 still uses legacy icons

3. Disable via UEFI Lock

1. Left-click the Start button, type comm in the search space, and select Run as Administrator.
2. Click Yes when the User Account Control window appears.
3. Run the following command and click ENTER: bcdedit
4. Then copy and paste the following commands in the Command Prompt:

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

Before the booting process completes, confirm the prompt notifying you that UEFI was modified. Also, ensure the prompt will implement the changes you made.

4. Disable Virtualization-Based Security

1. Left-click the Start button, type comm in the search space, and select Run as Administrator.
2. Click Yes when the User Account Control window appears.
3. Run the following command and click ENTER: bcdedit
4. Then copy and paste the following commands and press ENTER: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS bcdedit /set vsmlaunchtype off
5. Finally, restart your PC to implement the changes.

The Windows Defender Credential Guard is dependent on VBS (Virtualization-Based Security). Hence, disabling the Virtual-Based Security will automatically disable the Credential Guard on your Windows device.

Ensure to follow the steps strictly to avoid complicating your PC further.

Nonetheless, check our article about disabling Windows Defender Credential Guard on Windows 10 for more details.

Kindly tell us which solutions worked for you in the comments section. For further queries, leave them, and we will get back to you.