You have installed Hyper-V on Windows 11 and now Credential Guard will not enable. The Enable-CredentialGuard PowerShell cmdlet may fail silently. The Group Policy setting for Device Guard may appear grayed out. This happens because Hyper-V and Credential Guard both require virtualization-based security, but Credential Guard needs a specific hypervisor configuration that Hyper-V can disrupt. This article explains the root cause and provides a step-by-step fix to enable Credential Guard after Hyper-V is already installed.
Key Takeaways: Enabling Credential Guard After Hyper-V Installation
- Group Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security: This policy enables Credential Guard but may be blocked by Hyper-V’s hypervisor.
- PowerShell cmdlet Enable-CredentialGuard: This command fails when the hypervisor is already running in Hyper-V mode.
- bcdedit /set hypervisorlaunchtype Auto: This command forces the Windows hypervisor to load before Hyper-V, allowing Credential Guard to start.
Why Credential Guard Fails to Enable After Hyper-V Is Installed
Credential Guard uses virtualization-based security to isolate secrets in a secure container. This requires the Windows hypervisor to start in a specific mode called Secure Kernel Mode. Hyper-V also uses the Windows hypervisor, but it starts the hypervisor in a mode optimized for virtual machine workloads. When Hyper-V is installed, the hypervisor is configured to start in a mode that does not support the Secure Kernel. As a result, Credential Guard cannot load its secure kernel, and the Enable-CredentialGuard cmdlet returns an error or does nothing.
The conflict is not permanent. Both features can coexist if the hypervisor is configured to start in a mode that supports both Hyper-V and Credential Guard. This is done by changing the hypervisor launch type from Hyper-V mode to automatic mode. The automatic mode allows the Windows hypervisor to detect and load the Secure Kernel when Credential Guard is enabled.
Steps to Enable Credential Guard After Hyper-V Is Installed
1. Open PowerShell as Administrator
   Press the Windows key, type PowerShell, right-click Windows PowerShell, and select Run as administrator. Click Yes in the User Account Control prompt.
2. Check the current hypervisor launch type
   Run the command bcdedit /enum | findstr hypervisorlaunchtype. If the output shows hypervisorlaunchtype Off or hypervisorlaunchtype HyperV, Credential Guard will not enable.
3. Set the hypervisor launch type to Auto
   Run the command bcdedit /set hypervisorlaunchtype Auto. This configures the Windows boot loader to start the hypervisor in a mode that supports both Hyper-V and Credential Guard.
4. Enable Credential Guard using Group Policy
   Press Windows key + R, type gpedit.msc, and press Enter. Navigate to Computer Configuration > Administrative Templates > System > Device Guard. Double-click Turn On Virtualization Based Security. Set it to Enabled. Under Credential Guard Configuration, select Enabled with UEFI lock or Enabled without lock. Click OK.
5. Restart the computer
   Close all applications and restart Windows. The boot process will now load the hypervisor in automatic mode, allowing Credential Guard to start.
6. Verify Credential Guard is running
   After restart, open PowerShell as Administrator and run Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard. Look for CredentialGuard in the SecurityServicesRunning property. If it appears, Credential Guard is enabled.
Alternative Method: Enable Credential Guard via PowerShell
1. Open PowerShell as Administrator
   Follow the same method as above.
2. Run the Enable-CredentialGuard cmdlet
   Type Enable-CredentialGuard -UEFILock or Enable-CredentialGuard without the lock parameter. Press Enter. If the cmdlet succeeds, you will see no output. If it fails, ensure the hypervisor launch type is set to Auto as described in the previous method.
3. Restart and verify
   Restart the computer and run the verification command from step 6 above.
If Credential Guard Still Fails to Enable
Credential Guard does not appear in SecurityServicesRunning
Run the command msinfo32 and press Enter. In System Information, look for Virtualization-based security. If it shows Running, Credential Guard may be active but not listed. Run Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard | Select-Object * to see all properties. Check VirtualizationBasedSecurityStatus — a value of 2 means running.
Hyper-V virtual machines fail to start after enabling Credential Guard
This is rare but can happen if the hypervisor launch type is set incorrectly. Verify that bcdedit /enum | findstr hypervisorlaunchtype shows Auto. If it shows HyperV, Credential Guard will fail. If it shows Auto and VMs still fail, run bcdedit /set hypervisorlaunchtype HyperV to revert, restart, then set it to Auto again and restart.
Group Policy option is grayed out
The Group Policy setting Turn On Virtualization Based Security may be grayed out if the computer does not support virtualization or if Secure Boot is disabled. Verify that virtualization is enabled in BIOS or UEFI firmware. Also confirm that Secure Boot is enabled. To check, run msinfo32 and look for Secure Boot State — it must say On.
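The checks from the steps and troubleshooting items above can be combined into one read-only script. This is an added example, not part of the original article: the function name Get-VbsReadiness is made up for illustration, and the numeric codes are the values Microsoft documents for the Win32_DeviceGuard class, where SecurityServicesRunning is reported as numbers (1 is Credential Guard).

```powershell
#Requires -RunAsAdministrator
# Read-only status check: nothing on the system is changed.
# Get-VbsReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-VbsReadiness {
    # Documented Win32_DeviceGuard code values.
    $serviceNames = @{
        1 = 'Credential Guard'
        2 = 'Memory integrity (HVCI)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

    # Boot-loader setting. The line is absent when the value was never set.
    $bcdLine = bcdedit /enum '{current}' |
        Select-String -Pattern 'hypervisorlaunchtype' |
        Select-Object -First 1
    $launchType = if ($bcdLine) { ($bcdLine.Line.Trim() -split '\s+')[-1] } else { 'not set' }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as Off.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    $dg = Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard

    # Translate the numeric service codes into names; 0 means "none".
    $decode = {
        param($codes)
        @($codes | Where-Object { $_ -ne 0 } | ForEach-Object {
            $name = $serviceNames[[int]$_]      # cast: the CIM values are UInt32
            if ($name) { $name } else { "Unknown ($_)" }
        }) -join ', '
    }

    [pscustomobject]@{
        HypervisorLaunchType      = $launchType
        SecureBootOn              = [bool]$secureBoot
        VbsStatus                 = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured        = & $decode $dg.SecurityServicesConfigured
        ServicesRunning           = & $decode $dg.SecurityServicesRunning
        # Configured but not running is the failure case this article covers.
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
    }
}

Get-VbsReadiness | Format-List
```

If CredentialGuardConfigured is True while CredentialGuardRunning is False after a restart, the policy was applied but the service did not start, so check HypervisorLaunchType and SecureBootOn first.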
Hyper-V Launch Type vs Credential Guard Compatibility
| Item | Hyper-V Launch Type (HyperV) | Automatic Launch Type (Auto) |
|---|---|---|
| Description | Hypervisor starts in Hyper-V mode only | Hypervisor starts in a mode that supports both Hyper-V and Secure Kernel |
| Credential Guard support | No — Secure Kernel does not load | Yes — Secure Kernel loads when configured |
| Hyper-V VM support | Yes | Yes |
| Default after Hyper-V install | Yes | No |
| Change via bcdedit | bcdedit /set hypervisorlaunchtype HyperV | bcdedit /set hypervisorlaunchtype Auto |
You can now enable Credential Guard on a Windows 11 system that has Hyper-V installed by changing the hypervisor launch type to Auto. After applying the Group Policy or PowerShell method and restarting, verify that Credential Guard appears in the Device Guard security services. For advanced management, use the Get-CimInstance cmdlet to monitor the status of all virtualization-based security components. If you ever need to disable Credential Guard temporarily, run Disable-CredentialGuard in PowerShell, but remember that the hypervisor launch type change remains in effect until you revert it with bcdedit /set hypervisorlaunchtype HyperV.