| 1 | | Just in case the KB article link goes away - this is the Resolution section: |
| 2 | | |
| 3 | | To disable Device Guard or Credential Guard: |
| 4 | | Disable the group policy setting that was used to enable Credential Guard. |
| 5 | | On the host operating system, click Start > Run, type gpedit.msc, and click Ok. The Local group Policy Editor opens. |
| 6 | | Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security. |
| 7 | | Select Disabled. |
| 8 | | |
| 9 | | Go to Control Panel > Uninstall a Program > Turn Windows features on or off to turn off Hyper-V. |
| 10 | | Select Do not restart. |
| 11 | | Delete the related EFI variables by launching a command prompt on the host machine using an Administrator account and run these commands: |
| 12 | | |
| 13 | | mountvol X: /s |
| 14 | | copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y |
| 15 | | bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader |
| 16 | | bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" |
| 17 | | bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} |
| 18 | | bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS |
| 19 | | bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: |
| 20 | | mountvol X: /d |
| 21 | | |
| 22 | | Note: Ensure X is an unused drive, else change to another drive. |
| 23 | | |
| 24 | | Restart the host. |
| 25 | | Accept the prompt on the boot screen to disable Device Guard or Credential Guard. |
