How to Enable Credential Guard and LSA Protection Across Client Devices
Key Points
- Enhanced Windows Security: Microsoft Credential Guard and Local Security Authority (LSA) Protection safeguard Windows credentials from theft, privilege escalation, and lateral movement, strengthening enterprise security posture.
- Credential Isolation: Credential Guard uses virtualization-based security (VBS) to isolate NTLM, Kerberos, and TGT credentials from unauthorized access and malware.
- Compliance and Zero Trust Alignment: Enabling Credential Guard and LSA supports compliance with Zero Trust and NIST cybersecurity frameworks, ensuring secure authentication in enterprise environments.
- System Requirements: Windows 10 or 11 Enterprise/Education editions, Secure Boot (UEFI), virtualization extensions, and Hyper-V support are required to deploy Credential Guard and LSA Protection.
- Enable via Windows Security UI: Use the Core isolation settings to toggle Memory Integrity on, automatically activating Credential Guard on supported Windows devices.
- Troubleshooting Essentials: Ensure Secure Boot and virtualization are active, remove incompatible legacy drivers, and verify GPO/Intune targeting for successful deployment.
- Enterprise Oversight with NinjaOne: NinjaOne’s RMM and MDM platform simplifies deployment, monitoring, and compliance enforcement for Credential Guard and LSA Protection across all managed Windows endpoints.
Local Security Authority (LSA) protection and Microsoft Credential Guard are critical Windows security features that should be enabled on all Windows client devices in enterprise deployments to help ensure security and compliance. This guide explains how to use the Windows Settings interface, PowerShell, Group Policy, and Windows Registry to enable LSA and Credential Guard on individual Windows 10 and Windows 11 devices.
Prerequisites for enabling Credential Guard and Local Security Authority (LSA) protection across your organization
LSA and Microsoft Credential Guard are key components of modern Windows security, and should be enabled wherever supported, in addition to the use of anti-malware and other security features.
The benefits of enabling Credential Guard/LSA include:
- Protection of NTLM, Kerberos, and TGT credentials
- Reduced risk from privilege escalation and lateral movement
- Compliance with zero trust and NIST security models
To use Credential Guard and LSA, you’ll need to meet the following requirements:
- Windows 10 or 11 Enterprise or Education
- UEFI with Secure Boot and virtualization extensions enabled
- Hyper-V support on client systems
- Administrative privileges
- Managed environment (Intune or Group Policy in Active Directory) for enterprise-wide configuration
If your hardware does not support enabling these technologies, you should strongly consider upgrading your organization’s devices, as they present an ongoing security and compliance risk. You can use this readiness tool to assess whether your hardware is compatible.
How to enable Microsoft Credential Guard via Windows Security UI
To enable Microsoft Credential Guard on individual or unmanaged devices, follow these steps:
- Right-click on the Start button and click Settings
- Click on Privacy & security then Windows Security
- Select Open Windows Security
- Open Device Security
- Under Core isolation, click Core isolation details
- Toggle Memory integrity to On
- Reboot when prompted
- Credential Guard will be enabled automatically on supported devices
Note that you will not be able to enable these settings on unsupported devices.
Enable Credential Guard and LSA via Group Policy
Group Policy Objects (GPOs) can be used to enable Credential Guard for all supported devices connected to your organization’s Windows Domain. You can also use the Local Group Policy Editor on unmanaged devices.
Enable Credential Guard via Group Policy
To enable Credential Guard using Group Policy, do the following:
1. Press Win + R, type gpmc.msc, and press Ctrl + Shift + Enter.
2. Navigate to:
Computer Configuration > Administrative Templates > System > Device Guard.
3. Double-click Turn On Virtualization Based Security.
4. Select Enabled.
5. Under Credential Guard Configuration, choose one of the following:
- Enabled with UEFI lock – prevents Credential Guard from being disabled without wiping the system.
- Enabled without lock – allows remote disabling if required.
Enable LSA Protection via Group Policy
To enable LSA Protection using GPO, do the following:
1. Press Win + R, type gpmc.msc, and press Ctrl + Shift + Enter.
2. Navigate to:
Computer Configuration > Administrative Templates > System > Local Security Authority
3. Double-click Configure LSASS to run as a protected process.
4. Set the policy to Enabled.
5. Choose either:
- Enabled with UEFI lock
- Enabled without UEFI lock
You can target these GPO settings at different groups of devices by their organization unit, and force your group policies to update by running gpupdate /force on client devices.
If configuring multiple unmanaged devices, you can export settings from Local Group Policy and import them on other devices using scripts.
Enable Credential Guard and LSA via Registry Editor
You can also configure LSA and Credential Guard using the Windows Registry Editor:
- Right-click on the Start button and select Run
- Enter the command regedit.exe and press OK to launch the Registry Editor
- To configure Credential Guard, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
- Create or modify the following DWORD values:
  - EnableVirtualizationBasedSecurity = 1
  - RequirePlatformSecurityFeatures = 1
  - HypervisorEnforcedCodeIntegrity = 1 (optional)
- Then, to configure LSA, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Modify or create the following DWORD values:
  - LsaCfgFlags = 1 (enable Credential Guard)
  - RunAsPPL = 1 (enable LSA Protection)
- Restart the system to apply the changes
Enable Credential Guard and LSA via PowerShell
Enable Credential Guard and LSA Protection programmatically using the following commands in an elevated PowerShell session.
1. Enable virtualization-based security and Credential Guard by running these commands:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode -All
Enable-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform -All
```
2. Set registry values for Credential Guard by running these commands (this uses PowerShell to modify the Windows Registry values detailed above):
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 1
```
3. Enable Credential Guard by programmatically altering Registry values:
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 1
```
4. Enable LSA Protection by programmatically altering Registry values:
```powershell
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -PropertyType DWORD -Force
```
5. You’ll need to reboot your Windows 10 or Windows 11 device to apply these changes.
Enable Credential Guard/LSA via the Windows Command Prompt
You can also modify the Windows Registry values to enable Credential Guard and LSA using the legacy Windows Command Prompt with the following commands:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
bcdedit /set hypervisorlaunchtype auto
```
Then, reboot by running:
```cmd
shutdown /r /t 0
```
Command Prompt and PowerShell methods can be used in batch deployments or as part of onboarding scripts.
Enable Credential Guard via the Microsoft Intune settings catalog
For enterprise fleets of Windows devices managed by Microsoft Intune, you can configure Credential Guard by:
- From Intune, navigate to Endpoint Manager > Devices > Configuration profiles
- Create a profile with the following:
  - Platform: Windows 10 and later
  - Profile type: Settings Catalog
- Search for and add these settings:
  - Credential Guard > Turn On Virtualization Based Security = Enabled
  - LSA Protection > Configure LSASS to run as a protected process = Enabled
  - Secure Boot Required = Enabled
  - Memory integrity = Enabled
- Assign the profile to the required device groups
You should then monitor the deployment of this policy to ensure it takes effect.
Troubleshooting and additional considerations
Secure Boot and virtualization must be enabled in UEFI for Credential Guard to be available. You may also need to disable legacy antivirus or drivers that block LSASS protection (Windows lists the incompatible components when you attempt to enable these features). If GPO settings are not applied, confirm that the correct organizational units are targeted, that no conflicting settings exist, and that the devices have been restarted.
When updating drivers for compatibility, ensure that backups are taken first in case you need to roll back to resolve boot issues.
Note that enabling Credential Guard with UEFI lock prevents you from disabling it without wiping the system.
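The registry, PowerShell and GPO steps above only record intent; whether VBS, Credential Guard and protected LSASS are actually running is only visible after the reboot. The following audit script is an added example (not NinjaOne's or the article's own code); the WMI class, registry values and event IDs it reads are Microsoft-documented, while the function name and exit-code convention are this example's own choices.

```powershell
# Added example: report whether VBS, Credential Guard and LSA Protection are
# really running, so an onboarding or RMM script can flag non-compliant devices
# instead of assuming the registry write took effect. Run elevated.

function Get-CredentialGuardReport {
    # Win32_DeviceGuard reports what is running, not merely what is configured.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Registry values the article sets (LsaCfgFlags: 1 = with UEFI lock, 2 = without lock)
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $dgKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue

    # System log, Wininit event 12 ("LSASS.exe was started as a protected process")
    # is the authoritative sign that RunAsPPL took effect after the reboot.
    $pplEvent = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = '*Wininit'; Id = 12 }

    # CodeIntegrity events 3065/3066 name drivers or LSA plug-ins that fail the
    # protected-process signing requirements: the "incompatible legacy drivers"
    # from the troubleshooting section. Setting AuditLevel = 8 under
    # HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
    # logs them without enforcing, which is useful before a fleet-wide rollout.
    $blocked = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } |
        Select-Object -First 10 -ExpandProperty Message

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        MemoryIntegrityRunning = ($dg.SecurityServicesRunning -contains 2)
        EnableVbsValue         = $dgKey.EnableVirtualizationBasedSecurity
        LsaCfgFlags            = $lsa.LsaCfgFlags
        RunAsPPL               = $lsa.RunAsPPL
        LsassStartedProtected  = [bool]$pplEvent
        IncompatiblePlugins    = @($blocked)
    }
}

$report = Get-CredentialGuardReport
$report | Format-List
# A non-zero exit code lets an RMM or onboarding script flag the device for follow-up.
if (-not ($report.CredentialGuardRunning -and $report.LsassStartedProtected)) {
    Write-Warning 'Not compliant: check UEFI Secure Boot/virtualization and IncompatiblePlugins.'
    exit 1
}
```

Running this on a sample of devices before enabling the UEFI lock fleet-wide lets you catch incompatible drivers while the setting can still be rolled back remotely.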
NinjaOne provides centralized oversight of security and compliance for your entire enterprise fleet
Internal IT teams and managed service providers (MSPs) must ensure that device security features are fully configurable and consistent at scale. Enforcing Credential Guard and LSA protection policies across fleets of Windows devices presents a challenge, even with tools like Intune.
NinjaOne’s comprehensive suite of IT administration, ITSM, and MSP tools, including unified remote monitoring and management (RMM), makes remote management effortless. With remote PowerShell scripting, GPO policy deployment, and monitoring, you can deploy security configurations and monitor for non-compliance.
By augmenting native Windows security features with NinjaOne, you can enhance cross-tenant visibility and automate security measures to ensure you maintain the best possible security posture across your organization or client base.
Quick-Start Guide
NinjaOne can help you enable Credential Guard and LSA Protection across client devices. While there’s no single-click solution, NinjaOne provides several methods to implement these security features:
1. Script-Based Deployment:
   NinjaOne offers PowerShell scripts that can:
   - Check Credential Guard status
   - Enable Credential Guard and LSA Protection
   - Verify security configurations across devices
2. Policy Management:
   You can use NinjaOne’s policy management to:
   - Create policies that enforce Credential Guard and LSA Protection
   - Deploy security configurations across multiple devices
   - Monitor and report on device security settings
3. Scripting and Automation:
   NinjaOne’s Script Hub includes tools to:
   - Verify Credential Guard status
   - Configure security settings
   - Automate deployment of security features
For the most effective implementation, we recommend:
- Using PowerShell scripts to check and enable Credential Guard
- Creating organization-wide policies to enforce these settings
- Regularly auditing device configurations
