How to Disable Windows Defender Credential Guard on Windows 10

In this article, we explain what Windows Defender Credential Guard protects on Windows 10, why you may occasionally need to turn it off, and how to disable it.

In Windows 10, Credential Guard is one of the major security features. It protects domain credentials from theft and so keeps attackers from using stolen credentials to move through enterprise networks. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them; unauthorized access to those secrets is what enables credential theft attacks.

Typical examples of such attacks are Pass-the-Hash and Pass-the-Ticket. Credential Guard mitigates them by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

What are the features of Credential Guard?

Virtualization-based security:

The Windows services that handle derived domain credentials and certain other secrets run in a protected environment that is isolated from the running operating system.

Hardware security:

Credential Guard strengthens the protection of derived domain credentials by taking advantage of platform security features such as virtualization and Secure Boot.

Enhanced protection against the latest persistent threats:

Securing derived domain credentials with virtualization-based security breaks the credential theft techniques and tools used in many targeted attacks. Malware running in the operating system, even with administrative privileges, cannot access secrets that are protected by virtualization-based security. Because Credential Guard is an effective mitigation, persistent threat actors will likely move on to new attack techniques, so it should be combined with Device Guard and other security strategies and architectures.

What are the disadvantages of Credential Guard?

When Windows Defender Credential Guard runs inside a virtual machine, it protects secrets from attacks within that virtual machine, but it offers no extra protection against privileged attacks coming from the host. It also does not stop an attacker who already has malware on the computer from using the privileges associated with any credential. For high-value accounts, dedicated PCs are advisable.

Once Credential Guard is enabled, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.

The two considerations below further highlight the drawbacks of Credential Guard:

3rd Party Security Support Providers Considerations-

Some third-party Security Support Providers and Authentication Packages (SSPs and APs) may not work with Windows Defender Credential Guard, because it does not allow third-party SSPs to ask LSA for password hashes. SSPs and APs are still notified of the password whenever a user logs on or changes their password. Note also that the use of undocumented APIs in custom SSPs and APs is not supported.

Custom SSP or AP implementations should be tested against Windows Defender Credential Guard; any that depend on undocumented or unsupported behaviour will fail. For example, the KerbQuerySupplementalCredentialsMessage API is not supported.

Upgrade Considerations-

As the protection offered by Credential Guard is extended, later releases of Windows 10 running Credential Guard may affect scenarios that previously worked. For example, Credential Guard might block the use of a specific type of credential or a specific component to prevent malware from taking advantage of vulnerabilities. Before upgrading a device that uses Credential Guard, test the scenarios your organization depends on.

How to disable Windows Defender Credential Guard?

The procedures below disable Windows Defender Credential Guard. If Credential Guard was enabled with UEFI Lock, you must use the bcdedit procedure below, because the setting is stored in EFI (firmware) variables and clearing it requires someone physically at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock, you can turn it off with Group Policy alone. Follow these steps to disable Windows Defender Credential Guard:
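Before picking a procedure it helps to know how Credential Guard was enabled on the machine. The following PowerShell, an added example that is not part of the original article, queries the Win32_DeviceGuard WMI class and the LsaCfgFlags registry value and reports which disable path applies. The value meanings it relies on (LsaCfgFlags 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock; SecurityServicesRunning 1 = Credential Guard) are the documented ones; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article.
# Reports Credential Guard / VBS state and which disable procedure applies.
function Get-CredentialGuardState {
    # Win32_DeviceGuard lives in the root\Microsoft\Windows\DeviceGuard namespace.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # SecurityServicesRunning / Configured: 1 = Credential Guard, 2 = HVCI.
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsStatus = $dg.VirtualizationBasedSecurityStatus

    # LsaCfgFlags can be delivered by Group Policy (Policies hive) or set locally (LSA key).
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                               -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                               -Name LsaCfgFlags -ErrorAction SilentlyContinue

    if ($null -ne $policy)   { $flags = $policy.LsaCfgFlags; $source = 'Policy' }
    elseif ($null -ne $local) { $flags = $local.LsaCfgFlags;  $source = 'LSA' }
    else                     { $flags = $null;               $source = 'None' }

    if ($flags -eq 1) {
        $procedure = 'Enabled with UEFI lock: use the bcdedit/SecConfig.efi procedure and accept the boot-time prompt.'
    } elseif ($flags -eq 2) {
        $procedure = 'Enabled without UEFI lock: Group Policy or the registry change plus a reboot is enough.'
    } elseif ($flags -eq 0) {
        $procedure = 'LsaCfgFlags is 0: Credential Guard is disabled by configuration.'
    } else {
        $procedure = 'LsaCfgFlags not set: rely on the running state above and check Group Policy.'
    }

    [pscustomobject]@{
        VbsStatus                 = $vbsStatus
        CredentialGuardRunning    = $cgRunning
        CredentialGuardConfigured = $cgConfigured
        LsaCfgFlags               = $flags
        LsaCfgFlagsSource         = $source
        Procedure                 = $procedure
    }
}

Get-CredentialGuardState | Format-List
```

If CredentialGuardRunning is true but LsaCfgFlags is absent from both locations, the setting was most likely applied by Group Policy that has since been removed while the UEFI variable still exists; that is exactly the case the bcdedit procedure is for.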

If you enabled Windows Defender Credential Guard with Group Policy, first disable that Group Policy setting: go to 'Computer Configuration', open 'Administrative Templates', then 'System', then 'Device Guard', and set 'Turn On Virtualization Based Security' to Disabled or Not Configured.

Next, delete the following registry values:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags

If you also want to disable virtualization-based security, remove these registry values as well:

  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures

Then delete the Windows Defender Credential Guard EFI variables with bcdedit. The commands mount the EFI system partition, copy Microsoft's SecConfig.efi tool onto it, and register a one-time boot entry that clears the Credential Guard variable (DISABLE-LSA-ISO) on the next start. From an elevated Command Prompt, run the following commands:

mountvol X: /s

copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y

bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"

bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:

mountvol X: /d

After entering the above commands, restart the PC.

When the machine restarts, accept the on-screen prompt to turn off Windows Defender Credential Guard. Alternatively, if no UEFI Lock is in place, you can disable Credential Guard simply by turning off the virtualization-based security features, as described in the two methods below.

Disabling Windows Defender Credential Guard using Windows Features:

  • Step 1: Open Windows Features. On Windows 10 Enterprise/Education version 1607 and later, expand 'Hyper-V', uncheck 'Hyper-V Hypervisor' and click OK. On earlier versions, uncheck 'Isolated User Mode' under 'Hyper-V' instead and click OK.
  • Step 2: Now open the Local Group Policy Editor.
  • Step 3: In the left pane of the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > System > Device Guard.
  • Step 4: Now in the right-side pane of ‘Device Guard’ present in Local Group Policy Editor, you have to double click on the ‘Turn On Virtualization Based Security’ policy to edit it.
  • Step 5: To disable Credential Guard, select Not Configured or Disabled, then click OK.
  • Step 6: Shut down the Local Group Policy Editor.
  • Step 7: Finally, restart your computer to apply the changes done.

How to disable Windows Defender Credential Guard from Registry Editor:

  • Step 1: Initially, press Windows Key + R and type ‘Regedit.’  Now press Enter to open Registry Editor.
  • Step 2: Navigate to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
  • Step 3: Right-click 'DeviceGuard' and choose New > 'DWORD (32-bit) Value'.
  • Step 4: Name the new DWORD 'EnableVirtualizationBasedSecurity' and press Enter.
  • Step 5: Double-click the EnableVirtualizationBasedSecurity DWORD and set its value to 1 to enable virtualization-based security or 0 to disable it.
  • Step 6: Right-click 'DeviceGuard' again, choose New > 'DWORD (32-bit) Value', name it 'RequirePlatformSecurityFeatures' and press Enter.
  • Step 7: Double-click the RequirePlatformSecurityFeatures DWORD and set its value to 1 to require Secure Boot only, or 3 to require Secure Boot and DMA protection.
  • Step 8: Navigate to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  • Step 9: Right-click 'LSA', choose New > 'DWORD (32-bit) Value', name it 'LsaCfgFlags' and press Enter.
  • Step 10: Double-click the LsaCfgFlags DWORD and set its value to 0 to disable Windows Defender Credential Guard.
  • Step 11: Close the Registry Editor and restart the computer for the change to take effect.
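The registry steps above, together with the "delete the following registry values" list in the Group Policy procedure, can be scripted. The PowerShell below is an added example, not from the original article: it removes the policy-delivered LsaCfgFlags value, sets the local LSA value to 0, optionally clears the virtualization-based security values, and supports -WhatIf so you can preview the changes first. The function name and the -DisableVbs switch are this example's own; run it elevated, and note that it cannot clear a UEFI lock, for which the bcdedit procedure is still required.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
function Disable-CredentialGuardRegistry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also turn off virtualization-based security (not just Credential Guard).
        [switch]$DisableVbs
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $dgKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    # 1. Remove the Group Policy-delivered Credential Guard value if it exists.
    if (Get-ItemProperty -Path $policyKey -Name LsaCfgFlags -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$policyKey\LsaCfgFlags", 'Remove value')) {
            Remove-ItemProperty -Path $policyKey -Name LsaCfgFlags
        }
    }

    # 2. Explicitly set the local value to 0 (Credential Guard disabled).
    if ($PSCmdlet.ShouldProcess("$lsaKey\LsaCfgFlags", 'Set DWORD to 0')) {
        New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value 0 -Force | Out-Null
    }

    if ($DisableVbs) {
        # 3. Drop the policy-delivered VBS values.
        foreach ($name in 'EnableVirtualizationBasedSecurity', 'RequirePlatformSecurityFeatures') {
            if (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue) {
                if ($PSCmdlet.ShouldProcess("$policyKey\$name", 'Remove value')) {
                    Remove-ItemProperty -Path $policyKey -Name $name
                }
            }
        }
        # 4. Set the local VBS switch to 0 (the DeviceGuard key may not exist yet).
        if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$dgKey\EnableVirtualizationBasedSecurity", 'Set DWORD to 0')) {
            New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity `
                             -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }

    Write-Warning 'A reboot is required. If LsaCfgFlags was 1 (UEFI lock), the bcdedit procedure is also needed.'
}

# Preview the changes first, then run again without -WhatIf to apply them.
Disable-CredentialGuardRegistry -DisableVbs -WhatIf
```

After the reboot, confirm the result by checking that SecurityServicesRunning from the Win32_DeviceGuard WMI class no longer contains 1; if it still does, the setting is being enforced by a UEFI variable or by Group Policy that re-applies on refresh.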

Conclusion:

Although Windows Defender Credential Guard offers valuable protection, it occasionally has to be disabled, most often because of the compatibility limitations discussed above: third-party SSPs and APs, Kerberos unconstrained delegation or DES encryption, and scenarios that break after an upgrade. The methods described above disable Windows Defender Credential Guard reliably, provided you use the bcdedit procedure when a UEFI Lock is in place.

Disclaimer: The Questions and Answers provided on https://www.gigxp.com are for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose.