You have a PC that supports Hyper-V, but Credential Guard fails to enable through Windows Defender Device Guard or Group Policy. The Enable-CredentialGuard PowerShell cmdlet returns errors, or the feature remains listed as Not Enabled in System Information. This is not a hardware problem in most cases. The root cause is often a conflict between Credential Guard and a specific Windows virtualization feature, a missing UEFI lock, or a Secure Boot configuration that does not meet Microsoft’s requirements. This article explains the exact technical reasons why Credential Guard refuses to enable and provides step-by-step fixes.
Key Takeaways: Why Credential Guard Won’t Enable on Windows 11
- Virtualization-Based Security (VBS) prerequisites: Secure Boot, TPM 2.0, UEFI firmware, and 4 GB or more RAM must all be present and enabled.
- Group Policy > Computer Configuration > Administrative Templates > System > Device Guard: Turn On Virtualization Based Security must be set to Enabled with Credential Guard configured as Enabled with UEFI lock.
- PowerShell command Enable-CredentialGuard: Requires an elevated prompt and a reboot; errors indicate a missing prerequisite or a conflict with Hyper-V isolation containers.
Why Credential Guard Fails to Enable on a Hyper-V Capable PC
Credential Guard uses Virtualization-Based Security to isolate secrets inside a secure virtual machine. This requires the same hardware features as Hyper-V: SLAT (Second Level Address Translation) and VM Monitor Mode extensions. Even if a PC supports Hyper-V, Credential Guard may still fail for one of the following reasons.
Missing UEFI Firmware Lock
Microsoft requires that the UEFI firmware lock the Secure Boot keys and the platform security processor before Credential Guard can run. Many consumer PCs ship with Secure Boot enabled but without the firmware lock. Without the lock, the operating system cannot guarantee that the secure environment has not been tampered with. To check, open System Information and look for Device Guard Virtualization Based Security and Credential Guard. If either shows Not Enabled, the firmware lock is likely missing.
Hyper-V Isolation Container Conflict
Windows 11 includes Hyper-V Containers, which use a separate virtualization stack. When Hyper-V is installed with the Containers feature, Credential Guard may refuse to enable because both features try to claim the same hardware virtualization resources. The error message in the System event log is Event ID 6401 from Microsoft-Windows-Hyper-V-Kmcl. This conflict is the most common reason for a failed enable attempt on an otherwise capable PC.
Secure Boot Not in UEFI Mode
Credential Guard requires Secure Boot to be enabled and configured in UEFI mode, not Legacy or CSM mode. Even if Secure Boot appears enabled in the BIOS, the system may be booting in Legacy mode. Verify this by running bcdedit /enum and checking that the path entry is \WINDOWS\system32\winload.efi. If it shows winload.exe, the system is in Legacy mode.
TPM 2.0 Disabled or Non-Functional
Credential Guard uses the TPM to seal the secure kernel. If the TPM is disabled in firmware, or if it is version 1.2 instead of 2.0, the enable process will fail. Check the TPM status by running tpm.msc. The status must show The TPM is ready for use and the specification version must be 2.0.
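A readiness script, added here and not part of the original article, that reports each prerequisite and conflict described above (firmware mode, Secure Boot, EFI boot loader, TPM 2.0, RAM, the Containers feature) alongside what VBS itself reports through the Win32_DeviceGuard CIM class. It assumes an elevated PowerShell prompt on Windows 11 and reads the LsaCfgFlags registry value for the lock state; it changes nothing.

```powershell
# Added readiness check (not from the original article). Run elevated on Windows 11.
#Requires -RunAsAdministrator

function Test-CredentialGuardReadiness {
    $checks = [ordered]@{}

    # Firmware mode and Secure Boot; Confirm-SecureBootUEFI throws on Legacy/CSM boot
    $checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')
    try   { $checks['Secure Boot on'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['Secure Boot on'] = $false }

    # Boot loader must be the EFI one, as the bcdedit check in the article describes
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $checks['winload.efi'] = [bool]($bcd | Select-String -SimpleMatch 'winload.efi')

    # TPM present, enabled and spec 2.0 (SpecVersion reads like "2.0, 0, 1.38")
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $checks['TPM 2.0 present'] = ($null -ne $tpm -and $tpm.IsEnabled_InitialValue -and
                                  $tpm.SpecVersion -like '2.0*')

    # 4 GB RAM minimum
    $ram = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $checks['RAM >= 4 GB'] = ($ram -ge 4GB)

    # The Containers optional feature is the conflict the article names
    $containers = Get-WindowsOptionalFeature -Online -FeatureName Containers
    $checks['Containers not installed'] = ($containers.State -ne 'Enabled')

    # What VBS reports: status 2 = running; SecurityServicesRunning 1 = Credential Guard
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $checks['VBS running']              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $checks['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)

    # Configured lock state: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $checks['UEFI lock configured'] = ($lsa.LsaCfgFlags -eq 1)

    [pscustomobject]$checks
}

Test-CredentialGuardReadiness | Format-List
```

Any row that reads False points at the matching cause in the sections above; the last three rows show whether the enable actually took effect after the reboot.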
Steps to Enable Credential Guard on Windows 11
Before starting, ensure the PC meets all prerequisites. Then follow the steps below to enable Credential Guard using Group Policy or PowerShell.
Enable Credential Guard Using Group Policy
- Open the Local Group Policy Editor: Press Win + R, type gpedit.msc, and press Enter. If the Group Policy Editor is not available, you are using Windows 11 Home edition. Upgrade to Pro or Enterprise, or use the PowerShell method below.
- Navigate to the Device Guard policy: Go to Computer Configuration > Administrative Templates > System > Device Guard. Double-click Turn On Virtualization Based Security.
- Configure the policy: Set the policy to Enabled. In the Options pane, set Credential Guard Configuration to Enabled with UEFI lock. This ensures Credential Guard stays on after a reboot. Click OK.
- Reboot the PC: Restart Windows 11. After the reboot, open System Information and verify that Credential Guard shows Running. If it still shows Not Enabled, proceed to the next method.
Enable Credential Guard Using PowerShell
- Open PowerShell as Administrator: Press Win + X and select Windows Terminal (Admin). If you see PowerShell, type powershell and press Enter.
- Install the Device Guard module: Run Install-Module -Name DeviceGuard -Force. This downloads the required PowerShell module from the PowerShell Gallery.
- Enable Credential Guard: Run Enable-CredentialGuard -UEFILock. The command does not return a success message. It schedules the enable for the next boot.
- Reboot the PC: Restart Windows 11. After the reboot, run Get-CredentialGuard to confirm the status. The output should show Enabled.
Remove the Hyper-V Container Conflict
- Open Windows Features: Press Win + R, type optionalfeatures, and press Enter.
- Disable Hyper-V and Containers: Uncheck Hyper-V and Windows Containers. Click OK and reboot. After the reboot, retry the enable steps above. Once Credential Guard is running, you can re-enable Hyper-V if needed. Credential Guard and Hyper-V can coexist as long as Containers is not installed.
If Credential Guard Still Fails After the Main Fix
Credential Guard Shows Not Enabled After Reboot
If the Group Policy or PowerShell method did not work, the UEFI firmware lock is likely missing. To force enable without the lock, run Enable-CredentialGuard without the -UEFILock parameter. This allows the feature to run without the firmware lock but leaves it vulnerable to being disabled by a malicious boot loader. Use this only for testing.
Event ID 6401 in System Log
This event indicates that Hyper-V and Credential Guard are in conflict. Uninstall Hyper-V and Windows Containers completely, reboot, and then enable Credential Guard. After it is running, reinstall Hyper-V only. Do not install Windows Containers.
Secure Boot Is Enabled but System Is in Legacy Mode
Convert the disk from MBR to GPT using the MBR2GPT tool. Then change the BIOS boot mode from Legacy to UEFI. After the conversion, reinstall Windows 11 to ensure the boot loader uses winload.efi. Then retry the Credential Guard enable steps.
TPM Is Not Detected
Open the firmware settings during boot and locate the TPM configuration. Set it to Enabled and Firmware TPM if available. Ensure the TPM is version 2.0. If the TPM is disabled in the BIOS, Windows will not detect it, and Credential Guard will not enable.
| Item | Group Policy Method | PowerShell Method |
|---|---|---|
| Edition requirement | Windows 11 Pro, Enterprise, or Education | Windows 11 Pro, Enterprise, or Education |
| UEFI lock support | Yes, when Enabled with UEFI lock is selected | Yes, when -UEFILock parameter is used |
| Reboot required | Yes | Yes |
| Rollback method | Set policy to Not Configured | Run Disable-CredentialGuard |
| Conflict with Hyper-V Containers | Yes, same conflict applies | Yes, same conflict applies |
After resolving the conflict and enabling Credential Guard, verify the status regularly using Get-CredentialGuard or by checking System Information. If you later need to disable Credential Guard, use the Disable-CredentialGuard PowerShell command or set the Group Policy to Not Configured. Keep the firmware lock enabled in production environments to prevent tampering. For advanced troubleshooting, review the Microsoft-Windows-DeviceGuard-Operational event log under Applications and Services Logs > Microsoft > Windows > DeviceGuard.