Issue
During the update from Windows 10 to Windows 11, keys stored in the Trusted Platform Module (TPM) can become invalidated. This issue can cause passkeys to become invalid due to a problem with Credential Guard during the update process.
Solution
To prevent this issue, it is necessary to disable Credential Guard before performing the upgrade. After the successful upgrade to Windows 11, Credential Guard can be re-enabled.
Methods to Disable Credential Guard Before Upgrading
Method 1: Using Group Policy Editor
- Open Group Policy Editor:
  - Press Win + R to open the Run dialog.
  - Type gpedit.msc and press Enter.
- Navigate to Credential Guard Settings:
  - Go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
- Disable Credential Guard:
  - Find the policy named Turn On Virtualization Based Security.
  - Set this policy to Disabled.
  - Click OK to apply the changes.
- Reboot the System:
  - Restart your computer to ensure the changes take effect.
Method 2: Using Registry Editor
- Open Registry Editor:
  - Press Win + R to open the Run dialog.
  - Type regedit and press Enter.
- Navigate to the Registry Key:
  - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.
- Modify the Registry Key:
  - Set the EnableVirtualizationBasedSecurity DWORD to 0.
- Delete Additional Keys:
  - Delete the LsaCfgFlags DWORD from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Reboot the System:
  - Restart your computer to ensure the changes take effect.
Method 3: Using PowerShell
- Open PowerShell as Administrator:
  - Right-click the Start button and select Windows PowerShell (Admin).
- Run the Commands:
  - Execute the following commands, one per line:
      # Turn off virtualization-based security
      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0
      # Remove the Credential Guard flag (same change as Method 2)
      Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags"
- Reboot the System:
  - Restart your computer to ensure the changes take effect.
Methods to Re-enable Credential Guard After Upgrading
Method 1: Using Group Policy Editor
- Open Group Policy Editor:
  - Press Win + R to open the Run dialog.
  - Type gpedit.msc and press Enter.
- Navigate to Credential Guard Settings:
  - Go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
- Enable Credential Guard:
  - Find the policy named Turn On Virtualization Based Security.
  - Set this policy to Enabled.
  - Click OK to apply the changes.
- Reboot the System:
  - Restart your computer to ensure the changes take effect.
Method 2: Using Registry Editor
- Open Registry Editor:
  - Press Win + R to open the Run dialog.
  - Type regedit and press Enter.
- Navigate to the Registry Key:
  - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.
- Modify the Registry Key:
  - Set the EnableVirtualizationBasedSecurity DWORD to 1.
- Add Additional Keys:
  - Create a DWORD named LsaCfgFlags in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa and set it to 1.
- Reboot the System:
  - Restart your computer to ensure the changes take effect.
Method 3: Using PowerShell
- Open PowerShell as Administrator:
  - Right-click the Start button and select Windows PowerShell (Admin).
- Run the Commands:
  - Execute the following commands, one per line:
      # Turn virtualization-based security back on
      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
      # Recreate the Credential Guard flag; -Force overwrites the value if it already exists
      New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -PropertyType DWORD -Value 1 -Force
- Reboot the System:
  - Restart your computer to ensure the changes take effect.
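An added check, not part of the original article: after the reboot in either procedure, the PowerShell function below reports whether Credential Guard is actually stopped (before the upgrade) or running again (after it). Test-CredentialGuardState is a hypothetical helper name; it reads the two registry values used above and the Win32_DeviceGuard CIM class, and must be run from an elevated PowerShell session.

```powershell
# Added example, not from the original article.
# Test-CredentialGuardState is a hypothetical helper name, not a built-in cmdlet.
function Test-CredentialGuardState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled')]
        [string]$Expected
    )

    $dgKey  = 'HKLM:\System\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'

    # Registry values changed by Methods 2 and 3; $null means the value is absent.
    $vbs = (Get-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' `
            -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $lsa = (Get-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' `
            -ErrorAction SilentlyContinue).LsaCfgFlags

    # Runtime state is what counts after the reboot, whichever method was used.
    # In SecurityServicesRunning, the value 1 means Credential Guard is running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $running = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # Registry view: VBS switched on and LsaCfgFlags set (1 = UEFI lock, 2 = no lock).
    $configured = ($vbs -eq 1) -and ($lsa -in 1, 2)

    [pscustomobject]@{
        Expected                          = $Expected
        EnableVirtualizationBasedSecurity = $vbs
        LsaCfgFlags                       = $lsa
        ConfiguredInRegistry              = $configured
        CredentialGuardRunning            = $running
        # True only when the running state matches what this upgrade step needs.
        MatchesExpected                   = ($running -eq ($Expected -eq 'Enabled'))
        # A mismatch can mean the reboot is still pending or the setting came from Group Policy.
        RegistryAgreesWithRuntime         = ($configured -eq $running)
    }
}

# Before starting the Windows 11 upgrade (after the disable steps and a reboot):
Test-CredentialGuardState -Expected Disabled

# After the upgrade (after the re-enable steps and a reboot):
# Test-CredentialGuardState -Expected Enabled
```

If MatchesExpected is False before the upgrade, do not start it; Credential Guard is still running and the TPM-backed keys remain at risk of the invalidation described under Issue.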
Resources
For more detailed instructions and additional considerations, refer to the following resources:
By following these steps, you can ensure a smooth upgrade process from Windows 10 to Windows 11 without encountering issues related to TPM key invalidation.