We are about to roll out Windows 11 on all machines from Windows 10 22H2. Shall we disable the Windows Credential Guard to avoid any known/unknown issues? What will happen if we decide to disable it?

RSA111 211 Reputation points
2025-06-04T08:11:33.7033333+00:00

We have 500+ endpoints running Windows 10 22H2 19045, which might be going OOS in the coming months. Hence we need to perform an in-place upgrade on them to Windows 11 23H2 or 24H2.

Our main concern is whether we should enable or disable Credential Guard to avoid future issues that are known or unknown.

Please advise,

Windows for business | Windows Client for IT Pros | User experience | Other

Accepted answer
    BblytheX 705 Reputation points Microsoft External Staff
    2025-06-05T07:48:33.8133333+00:00

    Hi RSA111:

    Based on your upcoming migration of 500+ endpoints from Windows 10 22H2 to Windows 11 23H2/24H2, I strongly advise against disabling Credential Guard (CG). Below is a structured analysis of risks, trade-offs, and recommendations:


    Key Risks of Disabling Credential Guard

    1. Increased Vulnerability to Credential Theft: CG blocks critical attack vectors like pass-the-hash and pass-the-ticket by isolating NTLM/Kerberos secrets in a hardware-backed virtual container. Disabling it exposes credentials to memory-scraping malware, especially dangerous with admin privileges.
    2. Compliance & Security Posture Degradation: CG aligns with frameworks like NIST, ISO 27001, and SOC 2. Disabling it may violate audit requirements and increase breach risks in regulated industries.
    3. Lateral Movement Threats: Without CG, compromised endpoints allow attackers to pivot across your network using stolen hashes/TGTs. This is critical for flat-network enterprises.

    Compatibility Issues with CG Enabled (and Solutions)

    | Issue | Affected Workloads | Mitigation |
    |---|---|---|
    | WiFi/VPN SSO Failure | PEAP-MSCHAPv2 networks | Migrate to EAP-TLS with Intune-deployed certificates |
    | Legacy App Authentication | Kerberos DES/unconstrained delegation, NTLMv1 | Test with CG via App Assure; update apps or use shims |
    | Hyper-V Live Migration | Windows Server 2025 clusters | Replace CredSSP with Kerberos Constrained Delegation |
    | TPM Key Invalidation | Windows 10→11 upgrades | Disable CG temporarily during upgrade (re-enable after) |

    Note: CG blocks MSCHAPv2 SSO by design due to protocol vulnerabilities. Microsoft explicitly recommends EAP-TLS as the long-term fix.


    Why Enabling CG Is Safer (Despite Risks)

    1. Default in Windows 11/Server 2025: CG activates automatically on compatible hardware post-upgrade. Proactively disabling it creates technical debt and complicates future security baselines.
    2. Minimal Performance Impact: Modern CPUs (Intel vPro/AMD PRO) handle VBS efficiently. Tests show <5% overhead on 8th-gen+ Intel or Ryzen Pro systems.
    3. Reversible Configuration: If issues arise, CG can be disabled later via:
      • Intune (Settings Catalog → "Credential Guard: Disabled")
      • Group Policy (Computer Configuration → Device Guard)
      • Registry (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa → LsaCfgFlags=0)

    Migration Recommendations

    1. Pre-Upgrade Actions:
      • Audit WiFi/VPN dependencies on MSCHAPv2; prioritize EAP-TLS migration.
      • Use Intune's Endpoint Analytics to identify incompatible apps/hardware.
      • Test upgrades on 5-10 high-risk devices (e.g., legacy apps/ARM64).
    2. Post-Upgrade Verification: Confirm CG is active via:

      ```powershell
      # Query the Device Guard WMI class for the VBS services currently running
      (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
      # Output is an array: 1 = Credential Guard running (2 = HVCI); an empty result means CG is not running
      ```

      • Check Event Viewer for CG errors (IDs 15-17 under System → WinInit).
    3. Contingency for Break-Fix: If critical apps fail:
      • Temporarily disable CG via Intune (without UEFI lock).
      • Use Microsoft App Assure for free compatibility support.

    Decision Summary

    | Option | Security | Compatibility | Long-Term Viability |
    |---|---|---|---|
    | Disable CG | ❌ High risk | ✅ Fewer issues | ❌ (Delays EAP-TLS migration) |
    | Enable CG + Fixes | ✅ Robust | ⚠️ Manageable | ✅ Aligns with Microsoft roadmap |

    Final Advice: Enable CG and address dependencies proactively. For 500+ endpoints, delaying EAP-TLS migration or disabling CG exposes the network to credential-theft attacks that CG was designed to prevent. If MSCHAPv2 cannot be replaced immediately, implement Azure AD Join with Cloud PKI as an interim solution.

    Please feel free to let me know if you still have any questions.

    Best regards,

    BblytheX

    1 person found this answer helpful.
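The post-upgrade verification above checks only one WMI property. The script below is an added example (not part of the answer or of any Microsoft tooling) that combines the three checks the answer mentions, the `Win32_DeviceGuard` class, the `LsaCfgFlags` registry value and the WinInit events in the System log, into one object that can be collected across a fleet. It assumes it runs elevated; the endpoint list file name is a placeholder.

```powershell
# Added example: report Credential Guard state on one endpoint before/after the Windows 11 upgrade.
# Run from an elevated PowerShell session (reading the policy keys and the System log needs admin rights).
function Get-CredentialGuardState {
    # Win32_DeviceGuard: the two SecurityServices* arrays contain 1 for Credential Guard and 2 for HVCI
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $vbsMap = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    # The policy key (Intune/GPO) wins over the local Lsa key when both exist.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $flag = (Get-ItemProperty -Path $policyKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    if ($null -eq $flag) {
        $flag = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }

    # WinInit events 13/14 record CG start-up and configuration; 15-17 record failures
    # (secure kernel not running, LsaIso.exe failed to launch, UEFI config read error).
    # Provider name is matched with a wildcard so the filter works whether the log shows "Wininit"
    # or "Microsoft-Windows-Wininit" (assumption made for portability, not a documented contract).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 13, 14, 15, 16, 17 } `
                  -MaxEvents 50 -ErrorAction SilentlyContinue |
              Where-Object { $_.ProviderName -like '*Wininit*' } |
              Select-Object -First 10

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        VbsStatus      = $vbsMap[[int]$dg.VirtualizationBasedSecurityStatus]
        CgConfigured   = [bool]($dg.SecurityServicesConfigured -contains 1)
        CgRunning      = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
        LsaCfgFlags    = $flag
        UefiLocked     = ($flag -eq 1)   # a UEFI-locked CG cannot be turned off by policy alone
        CgFailureSeen  = [bool]($events | Where-Object { $_.Id -ge 15 })
        RecentCgEvents = @($events | ForEach-Object {
            "{0} ID {1}: {2}" -f $_.TimeCreated.ToString('s'), $_.Id, ($_.Message -split "`r?`n")[0]
        })
    }
}

# Local check:
Get-CredentialGuardState | Format-List

# Fleet check over WinRM (endpoints.txt is a placeholder list of hostnames, one per line):
# Invoke-Command -ComputerName (Get-Content .\endpoints.txt) -ScriptBlock ${function:Get-CredentialGuardState} |
#     Where-Object { -not $_.CgRunning -or $_.CgFailureSeen } | Format-Table ComputerName, VbsStatus, LsaCfgFlags, CgFailureSeen
```

A device where `CgConfigured` is true but `CgRunning` is false (typically with a WinInit event 15 or 16) is the case the answer's break-fix step is for; check hardware VBS prerequisites before assuming an application problem.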
