Август КСНУМКС, КСНУМКС

in прозори by админ

Омогућите или онемогућите Цредентиал Гуард у оперативном систему Виндовс 10

Enable or Disable Credential Guard in Windows 10: Windows Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

By enabling Windows Credential Guard the following features and solutions are provided:

Сигурност хардвера
Безбедност заснована на виртуелизацији
Better protection against advanced persistent threats

Now you know the importance of the Credential Guard, you should definitely enable this for your system. So without wasting any time let’s see How to Enable or Disable Credential Guard in Windows 10 with the help of the below-listed tutorial.

Омогућите или онемогућите Цредентиал Гуард у оперативном систему Виндовс 10

Обавезно креирајте тачку враћања у случају да нешто крене наопако.

Method 1: Enable or Disable Credential Guard in Windows 10 using Group Policy Editor

Белешка: This method only works if you have Windows Pro, Education, or Enterprise Edtion. For Windows Home version users skip this method and follow the next one.

1. Притисните тастер Виндовс + Р, а затим откуцајте регедит и притисните Ентер да бисте отворили Едитор групних политика.

Покрените команду регедит

2. Идите на следећу путању:

Computer Configuration > Administrative Templates > System > Device Guard

3. Обавезно изаберите Девице Гуард than in right window pane double-click on “Turn On Virtualization Based Security” политика.

Double-click on Turn On Virtualization Based Security Policy

4.In the Properties window of the above policy make sure to select Омогућено.

Set Turn On Virtualization Based Security to Enabled

5.Now from the “Select Platform Security Level” drop-down select Secure Boot or Secure Boot and DMA Заштита.

From Select Platform Security Level drop-down select Secure Boot or Secure Boot and DMA Protection

6.Next, from “Credential Guard Configuration” drop-down select Enabled with UEFI lock. If you want to turn off Credential Guard remotely, choose Enabled without lock instead of Enabled with UEFI lock.

7.Once finished, click Apply followed by OK.

8. Поново покрените рачунар да бисте сачували промене.

Method 2: Enable or Disable Credential Guard in Windows 10 using Registry Editor

Credential Guard uses virtualization-based security features which have to be enabled first from Windows feature before you can enable or disable Credential Guard in Registry Editor. Make sure to only use one of the below-listed methods to enable virtualization-based security features.

Add the virtualization-based security features by using Programs and Features

1. Притисните тастер Виндовс + Р, а затим откуцајте аппвиз.цпл и притисните Ентер да бисте отворили Program and Features.

откуцајте аппвиз.цпл и притисните Ентер да бисте отворили Програме и функције

2.From the left-hand window click on “Укључити или искључити карактеристике Виндовса".

укључити или искључити карактеристике Виндовса

3.Find and expand Хипер-В then similarly expand Hyper-V Platform.

4.Under Hyper-V Platform квачица "Hyper-V Hypervisor".

Under Hyper-V Platform checkmark Hyper-V Hypervisor

5.Now scroll down and checkmark “Isolated User Mode” и кликните ОК.

Add the virtualization-based security features to an offline image by using DISM

1. Притисните тастер Виндовс + Кс, а затим изаберите Командна линија (Админ).

командни редак са администраторским правима

2.Type the following command into cmd to add the Hyper-V Hypervisor and hit Enter:

dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
OR
dism /Online /Enable-Feature:Microsoft-Hyper-V /All

Add the virtualization-based security features to an offline image by using DISM

3.Add the Isolated User Mode feature by running the following command:

dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
OR
dism /Online /Enable-Feature /FeatureName:IsolatedUserMode

Add the Isolated User Mode feature

4.Once finished, you can close the command prompt.

Омогућите или онемогућите Цредентиал Гуард у оперативном систему Виндовс 10

1. Притисните тастер Виндовс + Р, а затим откуцајте регедит и притисните Ентер да бисте отворили Регистри Едитор.

Покрените команду регедит

2. Дођите до следећег кључа регистратора:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlDeviceGuard

3. Кликните десним тастером миша на ДевицеГуард а затим изаберите Ново > ДВОРД (32-битна) вредност.

Right-click on DeviceGuard then select New DWORD (32-bit) Value

4. Именујте овај новокреирани ДВОРД као ЕнаблеВиртуализатионБаседСецурити и притисните Ентер.

Name this newly created DWORD as EnableVirtualizationBasedSecurity and hit Enter

5.Double-click on EnableVirtualizationBasedSecurity DWORD then change its value to:

To Enable Virtualization-based Security: 1
To Disable Virtualization-based Security: 0

To Enable Virtualization-based Security change the value of the DWORD to 1

6.Now again right-click on DeviceGuard then select Нова> ДВОРД (32-битна) вредност и назовите ову ДВОРД као RequirePlatformSecurityFeatures онда притисните Ентер.

Name this DWORD as RequirePlatformSecurityFeatures then hit Enter

7.Double-click on RequirePlatformSecurityFeatures DWORD and change it’s value to 1 to use Secure Boot only or set it to 3 to use Secure Boot and DMA protection.

Change it's value to 1 to use Secure Boot only or set it to 3 to use Secure Boot and DMA protection.

8. Сада идите до следећег кључа регистратора:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSA

9.Right-click on LSA then select Нова> ДВОРД (32-битна) вредност then name this DWORD as ЛсаЦфгФлагс и притисните Ентер.

Right-click on LSA then select New then DWORD (32-bit) Value

10.Double-click on LsaCfgFlags DWORD and change its value according to:

Disable Credential Guard: 0
Enable Credential Guard with UEFI lock: 1
Enable Credential Guard without lock: 2

Double-click on LsaCfgFlags DWORD and change its value according to

11.Once finished, close Registry Editor.

Disable Credential Guard in Windows 10

If Credential Guard was enabled without UEFI Lock then you can Disable Windows Credential Guard коришћењем Device Guard and Credential Guard hardware readiness tool or the following method:

Покрените команду регедит

2.Navigate and delete the following registry keys:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSALsaCfgFlags
HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsDeviceGuardEnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsDeviceGuardRequirePlatformSecurityFeatures

Disable Windows Credential Guard

3.Delete the Windows Credential Guard EFI variables by using bcdedit. Press Windows Key + X then select Командна линија (Админ).

командни редак са администраторским правима

4.Укуцајте следећу команду у цмд и притисните Ентер:

mountvol X: /s
copy %WINDIR%System32SecConfig.efi X:EFIMicrosoftBootSecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "EFIMicrosoftBootSecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

5.Once finished, close command prompt and reboot your PC.

6.Accept the prompt to disable Windows Credential Guard.

Препоручује се:

То је то што сте успешно научили How to Enable or Disable Credential Guard in Windows 10 али ако и даље имате било каквих питања у вези са овим водичем, слободно их питајте у одељку за коментаре.