Windows: Disable Credential Guard, Device Guard and Virtualization-based security

Hi,

New features in Windows 10 prevent virtual machines based on VMware Workstation or VirtualBox from starting.
Typical errors are:

  • VirtualBox: VERR_SUPDRV_NO_RAW_MODE_HYPER_V_ROOT or VT-x is not available (VERR_VMX_NO_VMX)
    error: Details: code E_FAIL (0x80004005), component ConsoleWrap, interface IConsole
  • VMware Workstation: VMware Workstation and Device/Credential Guard are not compatible. VMware Workstation can be run after disabling Device/Credential Guard


These features are called Device Guard, Credential Guard and virtualization-based security. They use the Microsoft hypervisor Hyper-V to strictly separate parts of the operating system.

Following the principle “There can only be one”, no other hypervisor can be started, because the VT-x or AMD-V CPU flags are not exposed to VMware Workstation or VirtualBox when Hyper-V is active.

You can check this with the systeminfo command.

D:\> systeminfo | findstr Hyper
...
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Be aware that the following steps disable some enhanced Windows 10 security features. Check this against your company policies to stay compliant.

Disable the Hyper-V launch, remove all Hyper-V features and set the registry keys to disable virtualization-based security:

D:\> bcdedit /set hypervisorlaunchtype off
D:\> dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /NoRestart
D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA /v LsaCfgFlags /d 0 /f /t REG_DWORD
D:\> reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /d 0 /f /t REG_DWORD

Delete the Credential Guard and VBS UEFI variables. To mount the UEFI partition, determine an unused drive letter and set the environment variable FREE_MOUNT_VOL_DRIVELETTER.

D:\> set FREE_MOUNT_VOL_DRIVELETTER=L:
D:\> mountvol %FREE_MOUNT_VOL_DRIVELETTER% /s 
D:\> copy C:\WINDOWS\System32\SecConfig.efi %FREE_MOUNT_VOL_DRIVELETTER%\EFI\Microsoft\Boot\SecConfig.efi /Y
D:\> bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DG" /application osloader 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" 
D:\> bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS 
D:\> bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=%FREE_MOUNT_VOL_DRIVELETTER% 
D:\> mountvol %FREE_MOUNT_VOL_DRIVELETTER% /d
D:\> shutdown /t 0 /r

At the next boot this triggers two prompts to disable Credential Guard and virtualization-based security. Accept both with F3.

Disable Credential Guard

Disable virtualization based Security

Michael
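
To record what the steps above changed (for example, when checking the result against company policy), the following read-only audit collects the boot setting, the two registry values and the runtime VBS state in one object. It is an added example, not part of the original post; it assumes an elevated PowerShell prompt and that the Win32_DeviceGuard CIM class is present on the system, and the function names Get-RegDword and Get-VbsAudit are made up for this illustration.

```powershell
# Added example: read-only audit of the settings changed by the steps above.
# Assumes an elevated PowerShell prompt (bcdedit needs administrator rights).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-VbsAudit {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    # hypervisorlaunchtype of the current boot entry; no match means it was never set.
    $bcd = bcdedit /enum '{current}' | Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)'
    $launchType = if ($bcd) { $bcd.Matches[0].Groups[1].Value } else { 'not set' }

    # Runtime state as reported by the Device Guard WMI provider (may be absent).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStates = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
    $services  = @{ 0 = 'none'; 1 = 'Credential Guard'; 2 = 'HVCI' }

    $vbsStatus = 'unknown (Win32_DeviceGuard not available)'
    $running   = 'unknown'
    if ($dg) {
        # CIM returns UInt32 values; cast to int so the hashtable lookup matches.
        $vbsStatus = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        $running = ($dg.SecurityServicesRunning | ForEach-Object {
            $id = [int]$_
            if ($services.ContainsKey($id)) { $services[$id] } else { "service id $id" }
        }) -join ', '
    }

    [pscustomobject]@{
        HypervisorPresent                 = (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
        HypervisorLaunchType              = $launchType
        LsaCfgFlags                       = Get-RegDword $lsaKey 'LsaCfgFlags'
        EnableVirtualizationBasedSecurity = Get-RegDword $dgKey 'EnableVirtualizationBasedSecurity'
        VbsStatus                         = $vbsStatus
        SecurityServicesRunning           = $running
    }
}

Get-VbsAudit | Format-List
```

Run it before and after the procedure and keep both outputs: a HypervisorLaunchType other than Off, a non-zero registry value, or a VbsStatus of running after the reboot shows which layer is still active.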

14 comments to this article

  1. How can I re-enable them?

  2. How can I re-enable them?

  3. there is a typo in “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Device Guard”

    must be “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard”

  4. Is there a way to not have to hit F3 upon reboot?

    I access my machine remotely, which is sometimes rebooted without my knowledge.

    Thanks,

    Jeff

  5. Hi,
    Can I use this article on my website?

  6. Hi Michael:

    I have struggled with this issue, unable to run virtualbox on 64 bit machines, for the past full day. I tried many ideas until I realized that UEFI Boot and virtual security was blocking my effort. Then I narrowed my search to your article. I followed it along with the suggestion to correct one spelling error “DeviceGuard”. On first boot I got a BSOD with “WORKER_INVALID” message. But ignoring this message was all I needed to do.

    Your article worked very well. Thank you.

  7. AWESOME. Worked perfectly. I have struggled with this error for weeks, having to REINSTALL Windows 10 each time. What’s really irritating is that one of my machines is Windows 10 HOME, no Hyper-V (at least that’s what I thought), so I never considered Hyper-V related features to be the reason for this issue.

  8. Thank you so much, I have been running into issues recently after a Windows 10 auto-update. Tried different solutions but this one worked!! You’re awesome mate!

  9. Haven’t been able to use my VMs for over a month, finally found your page. I only was able to follow as far as up to the ‘mountvol’ stuff because there’s no ‘/s’ parameter in my version, but that was enough: I’m up and running now. Thanks!

  10. Thank you for this, I kept getting errors saying invalid due to hypervisor and such and this fixed it. Thanks so much.

  11. Holy MFJ (I am not Christian, I can say that..) you saved me from suicide.. Our company has this in GPO, fortunately I have rights to overwrite it with our on Location, so I have disabled it in GPO, but the problem persisted. Thing is, it was already in place, so I had to delete the data from the section VBS UEFI variables. Now it works!! VMware/VBox, both work great 🙂 thank you a lot 🙂

  12. Every time I restart my machine, I get the same thing. I get to start my VMWare Workstation once but when I reboot, I need to run the script again to reboot and F3 the solution. Would it be possible to persist the changes?

  13. Hi Mike
    I do get everything as mentioned in the post, but I do not get the second option to press F3; rather, the moment I press F3 for the first time, it takes me to the BIOS.
    Please let me know what is wrong here?

  14. Thank you! I struggled with getting this all turned off.
