Restart failure if Device Guard or Credential Guard isn't disabled correctly in Windows 10 Version 1607


A Hyper-V user with BitLocker enabled may encounter a restart failure if the Device Guard or Credential Guard feature has not been disabled or has not been uninstalled cleanly. Specifically, upon restart, you receive following error message on a blue screen:

Your PC/Device needs to be repaired.

A required file couldn’t be accessed because your BitLocker key wasn’t loaded correctly.

Error code: 0xc0210000

You’ll need to use recovery tools. If you don’t have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.

Press Enter to try again
Press F8 for Startup Settings


To fix this issue, install Cumulative update for Windows 10 Version 1607: August 23, 2016 (KB3176934).

How to avoid getting into this situation

  • Keep Hyper-V disabled during the operating system upgrade.

  • Reset the Device Guard registry keys (delete the Device Guard registry key node) and then enabled Hyper-V in Windows 10 Version 1607.

  • Reset the Device Guard registry keys (delete the Device Guard registry key node) and then upgrade to Windows 10 Version 1607.

  • Disable BitLocker until you install update 3176934.

How to recover from this issue

  1. Start into another operating system on the computer and then start the Command Prompt window

    • from the Windows Recovery Environment by selecting Troubleshoot > Advanced Options > Command Prompt

    • Or from a bootable Windows 10 Setup. You can follow this instruction to prepare a bootable USB drive.

  2. Unlock the operating system drive by running:

    Manage-bde-unlock-rp <recovery password> <operating system drive:>

    Note The operating system drive may be a different letter than in the main operating system.

    To do this, you should first recover your BitLocker key. See information about this from get your recovery password. You need to get the recovery ID first by running the following command:

    Manage-bde-status <opertaing system drive:>

  3. Suspend BitLocker by running the following command at the command prompt:

    Manage-bde-protectors-disable <operating system drive:>
  4. Restart and set below registry key from the main operating system:

    DWORD EnableVirtualizationBasedSecurity set to 0
    DWORD RequirePlatformSecurityFeatures set to 0


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.