How to disable Device Guard or Credential Guard

Device Guard can prevent the installation of USS Agent for Windows and as such, you may decide to disable it. The following instructions can help.

  1. On the host operating system, click Start > Run, type gpedit.msc and click OK. The Local Group Policy Editor opens.
  2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
  3. Select Disabled and Apply.
  4. Next, you must disable the Hyper-V feature. You'll be able to re-enable Hyper-V once the USS Agent installation is complete.
     Go to Control Panel > Uninstall a Program > Turn Windows features on or off. Uncheck Hyper-V.
  5. Click OK.
  6. Reboot the host machine.
  7. Now, you must delete the related EFI variables. Launch an elevated command prompt (e.g. Run as Administrator) and run the following commands. Ensure X is an unused drive, else change to another drive.

         mountvol X: /s
         copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
         bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
         bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
         bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
         bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
         bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
         mountvol X: /d

  8. Reboot the host machine (again). Accept any prompts that may appear to disable Device Guard or Credential Manager during boot up.

After the reboot, if you require the Hyper-V feature, you can enable it again through Control Panel > Uninstall a Program > Turn Windows features on or off.
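
To confirm the resulting state, it can be read back after the final reboot, and again once Hyper-V has been re-enabled. The PowerShell below is an added example, not part of the original instructions. It assumes an elevated PowerShell session on a Windows client edition, and the output property names are illustrative.

```powershell
# Added example: read back VBS, Credential Guard and Hyper-V state. Run elevated.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

function Resolve-Services($ids) {
    # Map SecurityServices* ids to names; 0 means "no service".
    $names = foreach ($id in $ids) {
        if ($id -eq 0) { continue }
        if ($services.ContainsKey([int]$id)) { $services[[int]$id] } else { "Service id $id" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

function Get-RegValue($path, $name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

# Hyper-V optional feature on client editions (the feature unchecked in the procedure).
$hyperV = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' `
                                     -ErrorAction SilentlyContinue

# Check whether the boot entry created by the bcdedit commands is still in the
# BCD store; the GUID is the one used in the procedure above.
$guid = '{0cb3b571-2f2e-4343-a879-d86a476d7215}'
$null = & bcdedit.exe /enum $guid 2>&1
$entryPresent = ($LASTEXITCODE -eq 0)

[pscustomobject]@{
    VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured  = Resolve-Services $dg.SecurityServicesConfigured
    ServicesRunning     = Resolve-Services $dg.SecurityServicesRunning
    VbsPolicyValue      = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' 'EnableVirtualizationBasedSecurity'
    VbsRegistryValue    = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' 'EnableVirtualizationBasedSecurity'
    LsaCfgFlags         = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
    HyperVFeatureState  = if ($hyperV) { [string]$hyperV.State } else { 'Not found' }
    SecConfigEntryInBcd = $entryPresent
} | Format-List
```

Saving the output from before the procedure and from after the USS Agent installation gives a record of which protections were running and whether they came back.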
