On a Windows 10/11 Pro-based computer with Credential Guard enabled, you may see the following error when trying to update Group Policy:
gpupdate /force
Updating policy…
Computer Policy update has completed successfully.
The following warnings were encountered during computer policy processing:
Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on the “More information” link.
User Policy update has completed successfully.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
The reported error occurs when Windows Credential Guard is enabled on a system that does not meet the hardware and software requirements for Credential Guard. More specifically, Credential Guard requires the following features to work:
- Virtualization-based security (VBS)
- Secure boot
When one of the above features is missing, you will get the error “Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings” when trying to update the policy using the “gpupdate /force” command, and one of the following errors in the Event Viewer > Application and services logs > Microsoft > Windows > DeviceGuard > Operational:
- Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0x80070057)
- Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0x80071149): Secure Boot is not enabled on this machine.
How to fix Device Guard Errors 0x80070057 & 0x80071149 when applying group policy settings.
To fix the error “Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings” returned by the “gpupdate /force” command, proceed as follows:
Step 1. Enable Secure Boot.
As mentioned above, Credential Guard needs the “Secure Boot” feature to work. So, first verify that “Secure Boot” is enabled on your system. To do that:
1. Press the Windows + R keys to open the Run command box.
2. Type “msinfo32.exe” and click OK.
3. Now in System Summary, look at the “Secure Boot State” status and proceed as follows, according to the result:
- If the Secure Boot State is Off, enter the BIOS/UEFI settings and enable the Secure Boot feature.* Then run the “gpupdate /force” command to update the policy.
* Note: If you don’t want to enable Secure Boot, or if the Secure Boot feature is already enabled in BIOS (Secure Boot State = On) and you receive the same error after running the “gpupdate /force” command, skip to step-2.
- If the Secure Boot State is Unsupported, skip to step-2.
Step 2. Change “Virtualization Based Security” settings.
Open the Group Policy Editor and change the “Virtualization Based Security” policy settings as instructed below:
1. Press the Windows + R keys to open the Run command box.
2. Type “gpedit.msc” and click OK.
3. In Group Policy Editor, navigate to this path:
- Computer Configuration\Administrative Templates\System\Device Guard
4. Then open the Turn on Virtualization Based Security policy on the right pane.
5. Here, make one of the following changes, according to your case:
- If the policy setting is Enabled and your system supports Secure Boot (Secure Boot State = On), first ensure that the Platform Security level is set to “Secure Boot” or “Secure boot and DMA Protection”, and then set the Virtualization Based Protection of Code Integrity option below it to Disabled.
- If the policy setting is set to “Not configured” or “Enabled” but your system doesn’t support Secure Boot (Secure Boot State = Unsupported or Off), change the policy to Disabled and click OK.
6. When done, click Apply > OK and close the Group Policy Editor.
7. Now try to update the policy again, using the “gpupdate /force” command. Normally, you should not see any errors now.
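The same checks can be run from PowerShell before and after the change. The script below is an added example, not part of the original post: it reports the Secure Boot state, the Virtualization Based Security status and recent Device Guard events carrying either status code from this article. It assumes an elevated PowerShell prompt, and the numeric meanings in the comments are those Microsoft documents for the Win32_DeviceGuard class.

```powershell
# Added example: run from an elevated PowerShell prompt.

# 1. Secure Boot state (same information as "Secure Boot State" in msinfo32).
try {
    $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
} catch [System.PlatformNotSupportedException] {
    $secureBoot = 'Unsupported'            # legacy BIOS or firmware without Secure Boot
} catch {
    $secureBoot = "Unknown: $($_.Exception.Message)"   # e.g. prompt is not elevated
}

# 2. Virtualization Based Security status as Windows reports it.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$vbs = if ($dg) { $vbsText[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'Unknown' }

# SecurityServicesRunning: 1 = Credential Guard, 2 = hypervisor-protected code integrity.
$credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
$hvci      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

# 3. Recent Device Guard events that mention the two status codes from this article.
$events = Get-WinEvent -LogName 'Microsoft-Windows-DeviceGuard/Operational' `
                       -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80070057|0x80071149' } |
    Select-Object TimeCreated, Id, Message

[pscustomobject]@{
    SecureBootState        = $secureBoot
    VbsStatus              = $vbs
    CredentialGuardRunning = $credGuard
    HvciRunning            = $hvci
    MatchingEvents         = @($events).Count
} | Format-List

# Newest matching events first, so a failure logged after the policy change is easy to spot.
$events | Sort-Object TimeCreated -Descending | Format-List
```

If CredentialGuardRunning is False after the policy has been set to Disabled, the machine is running without Credential Guard, so compare the output before and after the change.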