1 | | Just in case the KB article link goes away - this is the Resolution section: |
2 | | |
3 | | To disable Device Guard or Credential Guard: |
4 | | Disable the group policy setting that was used to enable Credential Guard. |
5 | | On the host operating system, click Start > Run, type gpedit.msc, and click Ok. The Local group Policy Editor opens. |
6 | | Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security. |
7 | | Select Disabled. |
8 | | |
9 | | Go to Control Panel > Uninstall a Program > Turn Windows features on or off to turn off Hyper-V. |
10 | | Select Do not restart. |
11 | | Delete the related EFI variables by launching a command prompt on the host machine using an Administrator account and run these commands: |
12 | | |
13 | | mountvol X: /s |
14 | | copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y |
15 | | bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader |
16 | | bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" |
17 | | bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} |
18 | | bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS |
19 | | bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: |
20 | | mountvol X: /d |
21 | | |
22 | | Note: Ensure X is an unused drive, else change to another drive. |
23 | | |
24 | | Restart the host. |
25 | | Accept the prompt on the boot screen to disable Device Guard or Credential Guard. |