在 Windows 10 中启用或禁用 Credential Guard：  ^{(Enable or Disable Credential Guard in Windows 10: )}Windows Credential Guard使用基于虚拟化的安全性来隔离机密，以便只有特权系统软件才能访问它们。未经授权访问这些机密可能会导致凭证盗窃攻击，例如Pass-the-Hash或Pass-The-Ticket。Windows Credential Guard通过保护NTLM密码哈希、Kerberos Ticket Granting Tickets以及应用程序存储为域凭据的凭据来防止这些攻击。

通过启用 Windows Credential Guard，可提供以下功能和解决方案：^{(By enabling Windows Credential Guard the following features and solutions are provided:)}

硬件安全^{(Hardware security)}
基于虚拟化的安全^{(Virtualization-based security)}
更好地防御高级持续性威胁^{(Better protection against advanced persistent threats)}

现在您知道Credential Guard^{(Credential Guard)}的重要性，您绝对应该为您的系统启用它。因此，不要浪费任何时间，让我们在下面列出的教程的帮助下查看如何在Windows 10中启用或^{(Windows 10)}禁用 Credential Guard 。^{(Disable Credential Guard)}

在Windows 10中启用或禁用 Credential Guard

确保 创建一个还原点^{(create a restore point)} 以防万一出现问题。

方法 1：使用组策略编辑器在 Windows 10 中启用或禁用 Credential Guard^{(Method 1: Enable or Disable Credential Guard in Windows 10 using Group Policy Editor)}

注意：^(Note:)此方法仅适用于您拥有 Windows Pro、Education或Enterprise Edtion的情况。对于Windows Home版本，用户跳过此方法并遵循下一个方法。

1.按 Windows 键 + R 然后键入regedit并按 Enter 打开组策略编辑器。^{( Group Policy Editor.)}

2.导航到以下路径：

Computer Configuration > Administrative Templates > System > Device Guard

3.确保选择Device Guard而不是在右侧窗格中双击“打开基于虚拟化的安全”^{(“Turn On Virtualization Based Security”)}策略。

4.在上述策略的属性^(Properties)窗口中，确保选择启用。^(Enabled.)

5.现在从“ Select Platform Security Level ”下拉菜单中选择Secure Boot 或 Secure Boot and DMA^{( Secure Boot or Secure Boot and DMA)} Protection。

6.接下来，从“ Credential Guard Configuration ”下拉列表中选择Enabled with UEFI lock。如果要远程关闭Credential Guard，请选择 Enabled without lock 而不是 Enabled with UEFI lock。

7.完成后，单击应用^(Apply)，然后单击确定。

8.重新启动您的 PC 以保存更改。

方法 2：使用注册表编辑器在 Windows 10 中启用或禁用 Credential Guard^{(Method 2: Enable or Disable Credential Guard in Windows 10 using Registry Editor)}

Credential Guard使用基于虚拟化的安全功能，必须先从Windows功能启用，然后才能在注册表编辑器^{(Registry Editor)}中启用或禁用 Credential Guard。确保^(Make)仅使用下列方法之一来启用基于虚拟化的安全功能。

使用程序和功能添加基于虚拟化的安全功能^{(Add the virtualization-based security features by using Programs and Features)}

1.按 Windows 键 + R 然后键入appwiz.cpl并按 Enter 打开程序和功能。^{(Program and Features.)}

2.从左侧窗口单击“打开或关闭 Windows 功能^{(Turn Windows Features on or off)}”。

3.找到并展开Hyper-V然后同样展开Hyper-V Platform。

4.在Hyper-V平台下勾选^(checkmark)“ Hyper-V Hypervisor ”。

5.现在向下滚动并选中“隔离用户模式”^{(checkmark “Isolated User Mode”)}，然后单击“确定”。

使用 DISM 将基于虚拟化的安全功能添加到脱机映像^{(Add the virtualization-based security features to an offline image by using DISM)}

1.按Windows Key + X然后选择命令提示符（管理员）。^{(Command Prompt (Admin).)}

2.在 cmd 中键入以下命令以添加Hyper-V Hypervisor并按Enter：

dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
OR
dism /Online /Enable-Feature:Microsoft-Hyper-V /All

3.通过运行以下命令添加隔离用户模式功能：^{(Isolated User Mode)}

dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
OR
dism /Online /Enable-Feature /FeatureName:IsolatedUserMode

4.完成后，您可以关闭命令提示符。

在 Windows 10 中启用或禁用 Credential Guard^{(Enable or Disable Credential Guard in Windows 10)}

1.按 Windows 键 + R 然后键入regedit并按 Enter 打开注册表编辑器。^{(Registry Editor.)}

2.导航到以下注册表项：

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard

3.右键单击DeviceGuard ，然后选择New > DWORD (32-bit) Value.

4.将此新创建的 DWORD 命名为EnableVirtualizationBasedSecurity并按 Enter。

5.双击EnableVirtualizationBasedSecurity DWORD然后将其值更改为：

启用基于虚拟化的安全性：1^{(To Enable Virtualization-based Security: 1)}
禁用基于虚拟化的安全性：0^{(To Disable Virtualization-based Security: 0)}

6. 现在再次右键单击DeviceGuard ，然后选择 New > DWORD (32-bit) Value并将此 DWORD 命名为RequirePlatformSecurityFeatures ，然后按 Enter。

7. 双击RequirePlatformSecurityFeatures DWORD并将其值更改为 1 以仅使用安全启动或 ^{(change it’s value to 1 to use Secure Boot only or )}将其设置为 3 以使用安全启动和 DMA 保护。^{(set it to 3 to use Secure Boot and DMA protection.)}

8.现在导航到以下注册表项：

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

9.右键单击 LSA，然后选择 New > DWORD (32-bit) Value，然后将此 DWORD 命名为LsaCfgFlags并按 Enter。

10.双击LsaCfgFlags DWORD并根据以下内容更改其值：

禁用 Credential Guard：0^{(Disable Credential Guard: 0)}
启用带 UEFI 锁的 Credential Guard：1^{(Enable Credential Guard with UEFI lock: 1)}
启用不带锁的 Credential Guard：2^{(Enable Credential Guard without lock: 2)}

11.完成后，关闭注册表编辑器^{(Registry Editor)}。

在 Windows 10 中禁用 Credential Guard^{(Disable Credential Guard in Windows 10)}

如果在没有UEFI 锁定^{(UEFI Lock)}的情况下启用Credential Guard ，则可以使用Device Guard 和 Credential Guard 硬件准备工具^{(Device Guard and Credential Guard hardware readiness tool)}或以下方法 禁用 Windows Credential Guard ：^{( Disable Windows Credential Guard)}

1.按 Windows 键 + R 然后键入regedit并按 Enter 打开注册表编辑器。^{( Registry Editor.)}

2.导航并删除以下注册表项：

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures

3.使用 bcdedit 删除 Windows Credential Guard EFI 变量^{(Delete the Windows Credential Guard EFI variables by using bcdedit)}。按Windows Key + X，然后选择命令提示符（管理员）。^{(Command Prompt (Admin).)}

4.在 cmd 中键入以下命令并按Enter：

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

5.完成后，关闭命令提示符并重新启动您的 PC。

6.接受提示以禁用Windows Credential Guard。

受到推崇的：^{(Recommended:)}

• 允许或阻止 Windows 10 主题更改桌面图标^{(Allow or Prevent Windows 10 Themes to Change Desktop Icons)}
• 在 Windows 10 中启用详细或高度详细的状态消息^{(Enable Verbose or Highly Detailed Status Messages in Windows 10)}
• 在 Windows 10 中启用或禁用开发人员模式^{(Enable or Disable Developer Mode in Windows 10)}
• 在 Windows 10 中禁用桌面壁纸 JPEG 质量降低^{(Disable Desktop Wallpaper JPEG Quality Reduction in Windows 10)}

就是这样，您已经成功学习了如何在 Windows 10 中启用或禁用 Credential Guard，^{(How to Enable or Disable Credential Guard in Windows 10)}但是如果您对本教程仍有任何疑问，请随时在评论部分询问他们。

Enable or Disable Credential Guard in Windows 10

Enable or Disable Credential Guard in Windows 10: Windows Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

By enabling Windows Credential Guard the following features and solutions are provided:

Hardware security
Virtualization-based security
Better protection against advanced persistent threats

Now you know the importance of the Credential Guard, you should definitely enable this for your system. So without wasting any time let’s see How to Enable or Disable Credential Guard in Windows 10 with the help of the below-listed tutorial.

Enable or Disable Credential Guard in Windows 10

Make sure to create a restore point just in case something goes wrong.

Method 1: Enable or Disable Credential Guard in Windows 10 using Group Policy Editor

Note: This method only works if you have Windows Pro, Education, or Enterprise Edtion. For Windows Home version users skip this method and follow the next one.

1.Press Windows Key + R then type regedit and hit Enter to open Group Policy Editor.

2.Navigate to the following path:

Computer Configuration > Administrative Templates > System > Device Guard

3.Make sure to select Device Guard than in right window pane double-click on “Turn On Virtualization Based Security” policy.

4.In the Properties window of the above policy make sure to select Enabled.

5.Now from the “Select Platform Security Level” drop-down select Secure Boot or Secure Boot and DMA Protection.

6.Next, from “Credential Guard Configuration” drop-down select Enabled with UEFI lock. If you want to turn off Credential Guard remotely, choose Enabled without lock instead of Enabled with UEFI lock.

7.Once finished, click Apply followed by OK.

8.Reboot your PC to save changes.

Method 2: Enable or Disable Credential Guard in Windows 10 using Registry Editor

Credential Guard uses virtualization-based security features which have to be enabled first from Windows feature before you can enable or disable Credential Guard in Registry Editor. Make sure to only use one of the below-listed methods to enable virtualization-based security features.

Add the virtualization-based security features by using Programs and Features

1.Press Windows Key + R then type appwiz.cpl and hit Enter to open Program and Features.

2.From the left-hand window click on “Turn Windows Features on or off“.

3.Find and expand Hyper-V then similarly expand Hyper-V Platform.

4.Under Hyper-V Platform checkmark “Hyper-V Hypervisor“.

5.Now scroll down and checkmark “Isolated User Mode” and click OK.

Add the virtualization-based security features to an offline image by using DISM

1.Press Windows Key + X then select Command Prompt (Admin).

2.Type the following command into cmd to add the Hyper-V Hypervisor and hit Enter:

dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
OR
dism /Online /Enable-Feature:Microsoft-Hyper-V /All

3.Add the Isolated User Mode feature by running the following command:

dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
OR
dism /Online /Enable-Feature /FeatureName:IsolatedUserMode

4.Once finished, you can close the command prompt.

Enable or Disable Credential Guard in Windows 10

1.Press Windows Key + R then type regedit and hit Enter to open Registry Editor.

2.Navigate to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard

3.Right-click on DeviceGuard then select New > DWORD (32-bit) Value.

4.Name this newly created DWORD as EnableVirtualizationBasedSecurity and hit Enter.

5.Double-click on EnableVirtualizationBasedSecurity DWORD then change its value to:

To Enable Virtualization-based Security: 1
To Disable Virtualization-based Security: 0

6.Now again right-click on DeviceGuard then select New > DWORD (32-bit) Value and name this DWORD as RequirePlatformSecurityFeatures then hit Enter.

7.Double-click on RequirePlatformSecurityFeatures DWORD and change it’s value to 1 to use Secure Boot only or set it to 3 to use Secure Boot and DMA protection.

8.Now navigate to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

9.Right-click on LSA then select New > DWORD (32-bit) Value then name this DWORD as LsaCfgFlags and hit Enter.

10.Double-click on LsaCfgFlags DWORD and change its value according to:

Disable Credential Guard: 0
Enable Credential Guard with UEFI lock: 1
Enable Credential Guard without lock: 2

11.Once finished, close Registry Editor.

Disable Credential Guard in Windows 10

If Credential Guard was enabled without UEFI Lock then you can Disable Windows Credential Guard using the Device Guard and Credential Guard hardware readiness tool or the following method:

1.Press Windows Key + R then type regedit and hit Enter to open Registry Editor.

2.Navigate and delete the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures

3.Delete the Windows Credential Guard EFI variables by using bcdedit. Press Windows Key + X then select Command Prompt (Admin).

4.Type the following command into cmd and hit Enter:

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

5.Once finished, close command prompt and reboot your PC.

6.Accept the prompt to disable Windows Credential Guard.

Recommended:

• Allow or Prevent Windows 10 Themes to Change Desktop Icons
• Enable Verbose or Highly Detailed Status Messages in Windows 10
• Enable or Disable Developer Mode in Windows 10
• Disable Desktop Wallpaper JPEG Quality Reduction in Windows 10

That’s it you have successfully learned How to Enable or Disable Credential Guard in Windows 10 but if you still have any queries regarding this tutorial then feel free to ask them in the comment’s section.

Related posts

• 禁用Windows 10中的夹夹Zoom Feature

• 在Windows 10中创建Full System Image Backup [终极指南]

• 如何在Windows 10中创建System Image Backup

• 如何在Windows 10中删除Volume or Drive Partition

• 如何在Windows 10中禁用粘滞Corners

• Allow or Prevent Devices在Windows 10中唤醒Computer

• Windows 10中的Rename User Profile Folder

• Windows 10中的Fix Microsoft Compatibility Telemetry High Disk Usage

• 如何完全从Windows 10卸载McAfee

• 在Windows 10中禁用User Account Control（UAC）

• 禁用Windows 10中的Desktop Background Image

• 强制清除Windows 10中的Print Queue

• 3 Ways至Windows 10中的Increase Dedicated VRAM

• 3 Ways至Add Album Art至Z86152至Windows 10中的MP3

• Windows 10缺少Fix VCRUNTIME140.dll

• 如何在Windows 10上运行JAR Files

• 在Windows 10中更改Operating Systems的Time至Display List Startup

• Windows 10 User Find Security Identifier（SID）

• Fix Alt+Tab不在Windows 10工作

• Windows 10中的Fix Task Host Window Prevents Shut Down