Unable to disable Credential Guard using Intune


Hi There.

We need to disable Credential Guard for our devices, but when we configure this to be disabled using Intune, it stays enabled.

All devices are Intune managed, no local AD and thus also no group policies. All devices have been factory reset. Devices are a mix of Windows 10/11 22H2. I know W11 22H2 enables this by default, but we should be able to disable it.

We used below Settings Catalog profile setting to disable:

[screenshot: Credential Guard1.png]

We also tried the Endpoint Security > Account protection route, but that didn't work either. Now we have both settings set to disable.

We also tried removing Credential Guard EFI variables in case they might be present, using the instructions found here: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-g...

After a while it seems Credential Guard is enabled again, and this puzzles me as I have no clue why this is happening. To my knowledge I have done everything possible to disable Credential Guard, but it still gets enabled...

2 questions:

- Does anyone have another idea as to why Credential Guard gets enabled? Might there be a different place where we can enable/disable Credential Guard that I am missing?

- Is there a way to check if Credential Guard has been enabled before WITH UEFI lock, using a command or some other way?

4 Replies

@Summa040 Try to disable it using the security baseline from the Endpoint security section.

[screenshot: eliekarkafy_0-1689263999579.png]

Have you looked at the MDM diagnostic log for clues?

Hi guys. Excuse me for the late reply...
Using the baseline also does not disable Credential Guard, and nothing relevant is found in the MDM logs.

The only way we are able to disable Credential Guard on a test device is by manually changing the LsaCfgFlags value to 0 in the registry, in the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, and then rebooting the device.

But to us that is some kind of workaround that we don't want to implement. We want to make use of the tools MS is providing us from here: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

We thought it might be UEFI lock, so to be sure we also removed any possible UEFI lock as described here: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

Any more ideas anyone?
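Editor's note: the script below is an added example, not something posted in this thread or shipped by Microsoft. It addresses the two things the thread keeps circling: the second question in the original post (is Credential Guard actually running right now, regardless of what policy says) and the LsaCfgFlags registry value from the reply above. It reads the runtime state from the Win32_DeviceGuard WMI class and the policy value from the two registry locations Microsoft documents for it, then compares them. The closing heuristic (policy says off but the service is running, therefore suspect a UEFI lock or the 22H2 default) is this example's own inference, not a documented check. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread): compare Credential Guard policy state with the
# running state on the local device. Run elevated. Value meanings below follow the
# Microsoft Credential Guard documentation; the final warning is an assumption.

function Get-CredentialGuardState {
    # Runtime view: what the hypervisor actually started at the last boot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # In SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)

    # Policy view: LsaCfgFlags as written by MDM or Group Policy.
    #   0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    # Either key may be absent on a given device.
    $paths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    )
    $policy = foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
        $shown = '<absent>'
        if ($null -ne $v) { $shown = $v }
        [pscustomobject]@{ Path = $p; LsaCfgFlags = $shown }
    }

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        PolicyValues              = $policy
    }
}

$state = Get-CredentialGuardState
$state | Select-Object VbsStatus, CredentialGuardConfigured, CredentialGuardRunning | Format-List
$state.PolicyValues | Format-Table -AutoSize

# Heuristic (this example's assumption, not a documented check): every policy value is 0 or
# absent, yet Credential Guard is still running after a reboot. What remains is either the
# Windows 11 22H2 default-enable behaviour or a UEFI lock left behind by an earlier
# "enabled with UEFI lock" configuration, which a policy change alone cannot clear.
$policySaysOff = @($state.PolicyValues |
    Where-Object { $_.LsaCfgFlags -ne '<absent>' -and $_.LsaCfgFlags -ne 0 }).Count -eq 0

if ($policySaysOff -and $state.CredentialGuardRunning) {
    Write-Warning 'Policy reports Credential Guard off, but it is running: suspect a UEFI lock or the 22H2 default.'
}
```

Run it before and after a reboot on an affected device: if CredentialGuardRunning flips back to True while both LsaCfgFlags entries stay 0 or absent, the re-enable is not coming from the Intune policy value, which narrows the search to the UEFI lock removal steps in the linked Microsoft article or to the 22H2 default behaviour.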

@Summa040 Have you found solution for this other than registry method?