LSACfgFlags = 1 Changed to 2

SCCNewbie 21 Reputation points
2025-12-01T07:57:56.9166667+00:00

We have Servers 2022 (VMware) with Credential Guard running. We want to change LSACfgFlags from 1 to 2. Will it have any issues when the server is rebooted (boot loop, BSOD, etc.)? Or will it continue to boot and just revert the registry back to 1?

PS: I know that CG with UEFI lock cannot be disabled via registry. I'm just asking about the possible outcome. Thank you.


3 answers

  1. Q&A Assist
    2025-12-01T07:58:03.3233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Changing the LsaCfgFlags from 1 (enabled with UEFI lock) to 2 (enabled without lock) on a server running Credential Guard can lead to potential issues during the reboot process. Since Credential Guard with UEFI lock is designed to prevent modifications to its settings via the registry, attempting to change this value may not take effect as expected. The server may revert the registry back to 1 upon reboot, and there is a risk of encountering boot issues such as boot loops or BSOD (Blue Screen of Death) if the system does not handle the change gracefully.

    It's important to ensure that you have proper backups and recovery options in place before making such changes, as the behavior can vary depending on the specific configuration and environment of your server.


  2. Jason Nguyen Tran 5,025 Reputation points Independent Advisor
    2025-12-01T08:51:01.1833333+00:00

    Hi SCCNewbie,

    In general, changing the LSACfgFlags value from 1 to 2 will not cause a boot loop, BSOD, or prevent the server from starting. Instead, the system will continue to boot normally, but because Credential Guard is protected by UEFI lock, the registry modification will not persist. In practice, the registry will revert back to its enforced state (value 1) after reboot, ensuring Credential Guard remains active.

    This behavior is by design, as the UEFI lock ensures Credential Guard cannot be disabled or bypassed through registry changes alone. The outcome you can expect is a normal boot sequence with no disruption, but no effective change to the Credential Guard configuration. If you need to alter Credential Guard settings, the supported path is through Group Policy or UEFI firmware configuration rather than registry edits.

    I hope this clarifies the expected behavior. If you find this answer helpful, please consider hitting “Accept Answer” 😊. It helps us know we’ve addressed your concern.

    Jason.

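To observe the outcome the answers describe rather than assume it, a read-only snapshot can be taken before the registry change and again after the reboot, then compared. This is an added example, not part of the original thread; the two registry paths and the `Win32_DeviceGuard` class are the locations Microsoft documents for Credential Guard and do not appear in the posts above.

```powershell
# Added example: read-only snapshot of Credential Guard configuration vs. runtime state.
# Run elevated, once before the registry change and once after the reboot, then compare.
$meaning = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }

function Get-LsaCfgFlagsValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LsaCfgFlags
}

# Locally set value and Group Policy value (assumed paths, see lead-in).
$locations = [ordered]@{
    'Local (Control\Lsa)'  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    'Policy (DeviceGuard)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
}

$report = foreach ($name in $locations.Keys) {
    $value = Get-LsaCfgFlagsValue -Path $locations[$name]
    [pscustomobject]@{
        Source  = $name
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Meaning = if ($null -eq $value) { '' }
                  elseif ($meaning.ContainsKey($value)) { $meaning[$value] }
                  else { 'Unknown' }
    }
}
$report | Format-Table -AutoSize

# Runtime state from the Device Guard WMI provider. In SecurityServicesConfigured
# and SecurityServicesRunning, the value 1 denotes Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
[pscustomobject]@{
    Timestamp                 = (Get-Date).ToString('s')
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 2 = running
    CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
    CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
} | Format-List
```

Comparing the two snapshots shows whether the registry value persisted across the reboot and, separately, whether Credential Guard is still running, which is the state that matters regardless of what the registry reports.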

  3. Jason Nguyen Tran 5,025 Reputation points Independent Advisor
    2025-12-02T08:00:51.98+00:00

    Hi SCCNewbie,
    Just checking in, were you able to get the issue resolved? If so, it would be great if you could mark the answer as Accepted so others in the community can benefit from your experience. Thank you!

