Restart failure if Device Guard or Credential Guard isn't disabled correctly in Windows 10 Version 1607

How to avoid getting into this situation

• Keep Hyper-V disabled during the operating system upgrade.

• Reset the Device Guard registry keys (delete the Device Guard registry key node) and then enabled Hyper-V in Windows 10 Version 1607.

• Reset the Device Guard registry keys (delete the Device Guard registry key node) and then upgrade to Windows 10 Version 1607.

• Disable BitLocker until you install update 3176934.

How to recover from this issue

1. Start into another operating system on the computer and then start the Command Prompt window

   • from the Windows Recovery Environment by selecting Troubleshoot > Advanced Options > Command Prompt

   • Or from a bootable Windows 10 Setup. You can follow this instruction to prepare a bootable USB drive.

2. Unlock the operating system drive by running:

   Manage-bde-unlock-rp <recovery password> <operating system drive:>

   
   Note The operating system drive may be a different letter than in the main operating system.
   
   To do this, you should first recover your BitLocker key. See information about this from get your recovery password. You need to get the recovery ID first by running the following command:

   Manage-bde-status <opertaing system drive:>

3. Suspend BitLocker by running the following command at the command prompt:
   

   Manage-bde-protectors-disable <operating system drive:>

4. Restart and set below registry key from the main operating system:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
   DWORD EnableVirtualizationBasedSecurity set to 0
   DWORD RequirePlatformSecurityFeatures set to 0