Windows: Disable Credential- ,Device Guard and Virtualization based security

Hi,

new features in Windows 10 prevents Virtual Machines based on VMware Workstation or Virtual Box from starting.
Typical Errors are:

  • VirtualBox: VERR_SUPDRV_NO_RAW_MODE_HYPER_V_ROOT or VT-x is not available (VERR_VMX_NO_VMX)
    error: Details: code E_FAIL (0x80004005), component ConsoleWrap, interface IConsole
  • VMware Workstation: VMware Workstation and Device/Credential Guard are not compatible. VMware Workstation can be run after disabling Device/Credential Guard


This features called Device Guard, Credentials Guard and Virtualization based security. They used the Microsoft Hyperviser Hyper-V to strictly separate parts of the Operating System.

According to: “There can only be one” no other hyper visor could started, because the VT-x or AMD-V CPU flags are not exposed to VMware Workstation or Virtual Box when Hyper-V is active.

You can check this by the systeminfo command.

D:\> systeminfo | findstr Hyper
...
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Be aware that the following steps disables some enhanced Windows 10 security features. Check this against your company policies to be compliant.

Disable Hyper-V launch, remove all Hyper-V features and set Registry Keys to disable virtualization based security

D:\> bcdedit /set hypervisorlaunchtype off
D:\> dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /NoRestart
D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA /v LsaCfgFlags /d 0 /f /t REG_DWORD
D:\> reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Device Guard" /v EnableVirtualizationBasedSecurity /d 0 /f /t REG_DWORD

Delete the Credential Guard and the VBS UEFI variables. To mount the UEFI partition determine an unused drive letter and set the environment Variable FREE_MOUNT_VOL_DRIVELETTER.

D:\> set FREE_MOUNT_VOL_DRIVELETTER=L:
D:\> mountvol %FREE_MOUNT_VOL_DRIVELETTER% /s 
D:\> copy C:\WINDOWS\System32\SecConfig.efi L:\EFI\Microsoft\Boot\SecConfig.efi /Y 
D:\> bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DG" /application osloader 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" 
D:\> bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=%FREE_MOUNT_VOL_DRIVELETTER% 
D:\> mountvol %FREE_MOUNT_VOL_DRIVELETTER% /d
D:\> shutdown /t 0 /r

At next boot time this forces two prompts to disable Credentials Guard and virtualization based security. Accept both with F3.

Disable Credential Guard
Disable Credential Guard
Disable virtualization based Security
Disable virtualization based Security

A tool is available to check if a driver is compatible with device guard code integrity. See also Driver Verifier

Michael

17 thoughts on “Windows: Disable Credential- ,Device Guard and Virtualization based security”

  1. there is a typo in “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Device Guard”

    must be “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard”

  2. Is there a way to not have to hit F3 upon reboot?

    I access my machine remotely, which is sometimes rebooted without my knowledge.

    Thanks,

    Jeff

  3. Hi Michael:

    I have struggled with this issue, unable to run virtualbox on 64 bit machines, for the past full day. I tried many ideas until I realized that UEFI Boot and virtual security was blocking my effort. Then I narrowed my search to your article. I followed it along with the suggestion to correct one spelling error “DeviceGuard”. On first boot I got a BSOD with “WORKER_INVALID” message. But ignoring this message was all I needed to do.

    Your article worked very well. Thank you.

  4. AWESOME. Worked perfectly. I have struggled with this error for weeks, having to REINSTALL Windows 10 each time. What’s really irritating is that one of my machines is Windows 10 HOME, no Hyper-V (at least that’s what I thought), so I never considered Hyper-V related features to be the reason for this issue.

  5. Thank you so much, I have been running with issues recently after Windows 10 auto-update. tried differnt solutions but this one worked!! You’re awesome mate!

  6. Haven’t been able to use my VMs for over a month, finally found your page. I only was able to follow as far as up to the ‘mountvol’ stuff because there’s no ‘/s’ parameter in my version, but that was enough: I’m up and running now. Thanks!

  7. Holy MFJ (I am not Christian, I can say that..) you saved me from suicide.. Our Company has this in GPO, fortunately I have rights to overwrite it with our on Location, so I have disabled it in GPO, but problem persited. Thing is, it was already in place, so I had to delete the data from the section VBS UEFI variables. Now works!! VmWare/VBox, both works great πŸ™‚ thank you a lot πŸ™‚

  8. Every time I restart my machine, I get the same thing. I get to start my VMWare Workstation once but when I reboot, I need to run the script again to reboot and F3 the solution. Would it be possible to persist the changes?

  9. Hi Mike
    I do get everything as mentioned in the post but i do not get second option so as to press F3 rather the moment I press F3 for the first time, after that it takes me to BIOS
    Please let me know what wrong is here?

  10. Thanks so much! It was a huge pain in the ass before, but it was an even bigger one after the Windows 10 updates. Thanks so much for that last script, that was the critical component I was missing.

  11. THANK YOU! The official Microsoft instructions don’t explain how to disable Virtualization-Based Security at the same time as disabling Device Guard. Without disabling both of those at once, VMware Player is stuck depending on the inferior Microsoft Hyper-V API to run virtual machines. Now I can get back to running my VMs properly, without lag caused by Hyper-V.

Leave a Reply