Windows: Disable Credential Guard, Device Guard and Virtualization-based security

Hi,

New features in Windows 10 prevent virtual machines based on VMware Workstation or VirtualBox from starting.
Typical errors are:

  • VirtualBox: VERR_SUPDRV_NO_RAW_MODE_HYPER_V_ROOT or VT-x is not available (VERR_VMX_NO_VMX)
    error: Details: code E_FAIL (0x80004005), component ConsoleWrap, interface IConsole
  • VMware Workstation: VMware Workstation and Device/Credential Guard are not compatible. VMware Workstation can be run after disabling Device/Credential Guard


These features are called Device Guard, Credential Guard and Virtualization-based security. They use the Microsoft hypervisor Hyper-V to strictly separate parts of the operating system.

Following the principle “There can only be one”, no other hypervisor can be started, because the VT-x or AMD-V CPU flags are not exposed to VMware Workstation or VirtualBox when Hyper-V is active.

You can check this with the systeminfo command.

D:\> systeminfo | findstr Hyper
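A more detailed, read-only check of the settings involved, as an added example that is not part of the original post. It uses the Win32_DeviceGuard WMI class and the DeviceGuard registry key that Windows reads; the function names Get-VbsReport and Get-RegDword are hypothetical helpers.

```powershell
# Added example: read-only report of the settings this post changes.
# Run from an elevated PowerShell prompt (bcdedit and the DISM cmdlet need admin rights).

# Value meanings for the Win32_DeviceGuard WMI class
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns 'not set' when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { 'not set' }
}

function Get-VbsReport {
    $control = 'HKLM:\SYSTEM\CurrentControlSet\Control'

    # Boot entry setting controlled by "bcdedit /set hypervisorlaunchtype ..."
    $match  = bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype' | Select-Object -First 1
    $launch = if ($match) { ($match.Line -split '\s+', 2)[1].Trim() } else { 'not set' }

    # Optional feature handled by the dism command
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue

    # Runtime state of virtualization-based security and its services
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning | Where-Object { $_ } | ForEach-Object {
        if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "service id $_" }
    })

    [pscustomobject]@{
        HypervisorLaunchType              = $launch
        HyperVFeatureState                = if ($feature) { "$($feature.State)" } else { 'unknown' }
        LsaCfgFlags                       = Get-RegDword "$control\Lsa" 'LsaCfgFlags'
        EnableVirtualizationBasedSecurity = Get-RegDword "$control\DeviceGuard" 'EnableVirtualizationBasedSecurity'
        VbsStatus                         = if ($dg) { $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }
        SecurityServicesRunning           = if ($running) { $running -join ', ' } else { 'none' }
    }
}

Get-VbsReport | Format-List
```

Running it before the change and again after the reboot gives a record of which protections were active and which are no longer running.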

Be aware that the following steps disable some enhanced Windows 10 security features. Check this against your company policies to remain compliant.

Disable the Hyper-V launch, remove all Hyper-V features and set the registry keys that disable virtualization-based security:

D:\> bcdedit /set hypervisorlaunchtype off
D:\> dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /NoRestart
D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA /v LsaCfgFlags /d 0 /f /t REG_DWORD
D:\> reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /d 0 /f /t REG_DWORD

Delete the Credential Guard and VBS UEFI variables. To mount the UEFI partition, determine an unused drive letter and set the environment variable FREE_MOUNT_VOL_DRIVELETTER to it.

D:\> set FREE_MOUNT_VOL_DRIVELETTER=L:
D:\> mountvol %FREE_MOUNT_VOL_DRIVELETTER% /s 
D:\> copy C:\WINDOWS\System32\SecConfig.efi %FREE_MOUNT_VOL_DRIVELETTER%\EFI\Microsoft\Boot\SecConfig.efi /Y
D:\> bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DG" /application osloader 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" 
D:\> bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=%FREE_MOUNT_VOL_DRIVELETTER% 
D:\> mountvol %FREE_MOUNT_VOL_DRIVELETTER% /d
D:\> shutdown /t 0 /r

At the next boot, this triggers two prompts to disable Credential Guard and virtualization-based security. Accept both with F3.

Disable Credential Guard

Disable virtualization based Security

Michael
