Preventing passkey invalidation when upgrading from Windows 10 to Windows 11


This article explains how to prevent TPM key invalidation and passkey issues when upgrading from Windows 10 to Windows 11 by disabling and later re-enabling Credential Guard.


Overview

Upgrading a device from Windows 10 to Windows 11 can invalidate passkeys stored in the Trusted Platform Module (TPM) if Credential Guard is enabled during the upgrade process. In some cases, this causes existing passkeys to become unusable due to changes in how cryptographic keys are protected and accessed during the operating system transition. This article explains why passkey invalidation can occur during the upgrade, how Credential Guard contributes to the issue, and the steps required to prevent passkey loss by temporarily disabling and re-enabling Credential Guard.

Solution

To prevent this issue, it is necessary to disable Credential Guard before performing the upgrade. After the successful upgrade to Windows 11, Credential Guard can be re-enabled.

Methods to Disable Credential Guard Before Upgrading

Method 1: Using Group Policy Editor

  1. Open Group Policy Editor.

    • Press Win + R to open the Run dialog.

    • Type gpedit.msc and press Enter.

  2. Navigate to Credential Guard Settings.

    • Go to Computer Configuration -> Administrative Templates -> System -> Device Guard.

  3. Disable Credential Guard.

    • Find the policy named Turn On Virtualization Based Security.

    • Set this policy to Disabled.

    • Click OK to apply the changes.

  4. Reboot the System.

    • Restart your computer to ensure the changes take effect.

Method 2: Using Registry Editor

  1. Open registry editor.

    • Press Win + R to open the Run dialog.

    • Type regedit and press Enter.

  2. Navigate to the Registry Key.

    • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.

  3. Modify the Registry Key.

    • Set the EnableVirtualizationBasedSecurity DWORD to 0.

  4. Delete Additional Keys.

    • Delete the LsaCfgFlags DWORD from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

  5. Reboot the System.

    • Restart your computer to ensure the changes take effect.

Method 3: Using PowerShell

  1. Open PowerShell as Administrator.

    • Right-click the Start button and select Windows PowerShell (Admin).

  2. Run the Command.

    • Execute the following commands (these set the same values as the Registry Editor method above: VBS off, and the LsaCfgFlags value removed):

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -ErrorAction SilentlyContinue

  3. Reboot the System.

    • Restart your computer to ensure the changes take effect.

Methods to Re-enable Credential Guard After Upgrading

Method 1: Using Group Policy Editor

  1. Open Group Policy Editor.

    • Press Win + R to open the Run dialog.

    • Type gpedit.msc and press Enter.

  2. Navigate to Credential Guard Settings.

    • Go to Computer Configuration -> Administrative Templates -> System -> Device Guard.

  3. Enable Credential Guard.

    • Find the policy named Turn On Virtualization Based Security.

    • Set this policy to Enabled.

    • Click OK to apply the changes.

  4. Reboot the System.

    • Restart your computer to ensure the changes take effect.

Method 2: Using Registry Editor

  1. Open Registry Editor.

    • Press Win + R to open the Run dialog.

    • Type regedit and press Enter.

  2. Navigate to the Registry Key.

    • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.

  3. Modify the Registry Key.

    • Set the EnableVirtualizationBasedSecurity DWORD to 1.

  4. Add Additional Keys.

    • Create a DWORD named LsaCfgFlags in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa and set it to 1.

  5. Reboot the System.

    • Restart your computer to ensure the changes take effect.

Method 3: Using PowerShell

  1. Open PowerShell as Administrator.

    • Right-click the Start button and select Windows PowerShell (Admin).

  2. Run the Command.

    • Execute the following commands (these set the same values as the Registry Editor method above: VBS on, and LsaCfgFlags set to 1):

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -PropertyType DWORD -Value 1 -Force

  3. Reboot the System.

    • Restart your computer to ensure the changes take effect.
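The two PowerShell methods above (disable before the upgrade, re-enable after it) are easier to apply safely as one script that also reports whether Credential Guard is actually running, so you can confirm the change took effect after each reboot. The script below is an added example, not part of the original article or any Microsoft tooling; it uses the registry paths and value names the article gives, plus the Win32_DeviceGuard CIM class for the live state. Function names are my own.

```powershell
# Added example (not from the original article): inspect and switch the
# Credential Guard / VBS registry settings the article describes, and verify
# the result after the reboot. Paths and value names are the article's; the
# Win32_DeviceGuard CIM class is the documented way to read the live state.
#Requires -RunAsAdministrator

$DeviceGuardKey = 'HKLM:\System\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\System\CurrentControlSet\Control\Lsa'

function Get-CredentialGuardState {
    <# Returns what is configured in the registry and what is actually running. #>
    $dg   = Get-ItemProperty -Path $DeviceGuardKey -ErrorAction SilentlyContinue
    $lsa  = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $live = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = $dg.EnableVirtualizationBasedSecurity   # $null if absent
        LsaCfgFlags                       = $lsa.LsaCfgFlags                         # $null if absent
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus                         = $live.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning contains 1 when Credential Guard is running
        CredentialGuardRunning            = [bool]($live.SecurityServicesRunning -contains 1)
    }
}

function Set-CredentialGuardPolicy {
    <# Apply the article's registry changes: -Mode Disable before the upgrade,
       -Mode Enable after it. Supports -WhatIf / -Confirm. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Mode
    )

    if (-not (Test-Path $DeviceGuardKey)) { New-Item -Path $DeviceGuardKey -Force | Out-Null }

    if ($Mode -eq 'Disable') {
        if ($PSCmdlet.ShouldProcess($DeviceGuardKey, 'Set EnableVirtualizationBasedSecurity = 0')) {
            Set-ItemProperty -Path $DeviceGuardKey -Name 'EnableVirtualizationBasedSecurity' -Value 0 -Type DWord
        }
        if ($PSCmdlet.ShouldProcess($LsaKey, 'Remove LsaCfgFlags')) {
            Remove-ItemProperty -Path $LsaKey -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($DeviceGuardKey, 'Set EnableVirtualizationBasedSecurity = 1')) {
            Set-ItemProperty -Path $DeviceGuardKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
        }
        if ($PSCmdlet.ShouldProcess($LsaKey, 'Set LsaCfgFlags = 1')) {
            # Set-ItemProperty creates the value if it does not exist yet.
            Set-ItemProperty -Path $LsaKey -Name 'LsaCfgFlags' -Value 1 -Type DWord
        }
    }
    # None of this takes effect until the machine restarts.
    Write-Warning 'Reboot required before the change takes effect.'
}

# Usage: record the state, apply the change, reboot, then verify.
# Before the Windows 11 upgrade:
#   Get-CredentialGuardState
#   Set-CredentialGuardPolicy -Mode Disable -WhatIf   # preview only
#   Set-CredentialGuardPolicy -Mode Disable
#   Restart-Computer
#   Get-CredentialGuardState    # CredentialGuardRunning should be False before you upgrade
# After the upgrade completes:
#   Set-CredentialGuardPolicy -Mode Enable
#   Restart-Computer
#   Get-CredentialGuardState    # CredentialGuardRunning should be True again
```

Do not start the upgrade until Get-CredentialGuardState reports CredentialGuardRunning as False after the reboot. If it still reports True, Credential Guard was most likely turned on with a UEFI lock, which a registry or Group Policy change alone cannot clear; follow Microsoft's "How to Disable Credential Guard" procedure linked under Resources for that case. On a domain-joined device, a Group Policy that configures Credential Guard will also re-apply its settings at the next policy refresh, so the policy itself must be set to Disabled (Method 1) rather than only editing the registry.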

Resources

For more detailed instructions and additional considerations, refer to the following resources:

  • Considerations and Known Issues During Upgrading

  • How to Disable Credential Guard

By following these steps, you can ensure a smooth upgrade process from Windows 10 to Windows 11 without encountering issues related to TPM key invalidation.