Passkeys can be invalidated during update from Windows 10 to Windows 11

Issue

During the update from Windows 10 to Windows 11, keys stored in the Trusted Platform Module (TPM) can become invalidated. This issue can cause passkeys to become invalid due to a problem with Credential Guard during the update process.

Solution

To prevent this issue, it is necessary to disable Credential Guard before performing the upgrade. After the successful upgrade to Windows 11, Credential Guard can be re-enabled.

Methods to Disable Credential Guard Before Upgrading

Method 1: Using Group Policy Editor

1. Open Group Policy Editor:
   • Press Win + R to open the Run dialog.
   • Type gpedit.msc and press Enter.
     
     
2.  Navigate to Credential Guard Settings:
   • Go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
     
     
3.  Disable Credential Guard:
   • Find the policy named Turn On Virtualization Based Security.
   • Set this policy to Disabled.
   • Click OK to apply the changes.
     
     
4.  Reboot the System:
   • Restart your computer to ensure the changes take effect.

Method 2: Using Registry Editor

1. Open registry editor:

   • Press Win + R to open the Run dialog.

   • Type regedit and press Enter.

2. Navigate to the Registry Key:

   • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.

3. Modify the Registry Key:

   • Set the EnableVirtualizationBasedSecurity DWORD to 0.

4. Delete Additional Keys:

   • Delete the LsaCfgFlags DWORD from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

5. Reboot the System:

   • Restart your computer to ensure the changes take effect.

Method 3: Using PowerShell

1. Open PowerShell as Administrator:
   • Right-click the Start button and select Windows PowerShell (Admin).
     
     
2. Run the Command:
   • Execute the following command:
     

     Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1 New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -PropertyType DWORD -Value 1
     
     

3.  Reboot the System:
   • Restart your computer to ensure the changes take effect.

Methods to Re-enable Credential Guard After Upgrading

Method 1: Using Group Policy Editor

1. Open Group Policy Editor:
   • Press Win + R to open the Run dialog.
   • Type gpedit.msc and press Enter.
2.  Navigate to Credential Guard Settings:
   • Go to Computer Configuration -> Administrative Templates -> System -> Device Guard
3.  Enable Credential Guard:
   • Find the policy named Turn On Virtualization Based Security.
   • Set this policy to Enabled.
   • Click OK to apply the changes.
4.  Reboot the System:
   • Restart your computer to ensure the changes take effect.

Method 2: Using Registry Editor

1. Open Registry Editor:
   • Press Win + R to open the Run dialog
   • Type regedit and press Enter.
     
     
2.  Navigate to the Registry Key:
   • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
     
     
3.  Modify the Registry Key:
   • Set the EnableVirtualizationBasedSecurity DWORD to 1.

4. Add Additional Keys:

   • Create a DWORD named LsaCfgFlags in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa and set it to 1.

5. Reboot the System:

   • Restart your computer to ensure the changes take effect.

Method 3: Using PowerShell

1. Open PowerShell as Administrator:
   • Right-click the Start button and select Windows PowerShell (Admin).

2. Run the Command:

   • Execute the following command:

     Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1 New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -PropertyType DWORD -Value 1

3. Reboot the System:

   • Restart your computer to ensure the changes take effect.

Resources

For more detailed instructions and additional considerations, refer to the following resources:

• Considerations and Known Issues During Upgrading
• How to Disable Credential Guard

By following these steps, you can ensure a smooth upgrade process from Windows 10 to Windows 11 without encountering issues related to TPM key invalidation.