Search the VMware Knowledge Base (KB)
View by Article ID

Windows 10 host where Credential Guard or Device Guard is enabled fails when running Workstation (2146361)

  • 545 Ratings
Language Editions


Running Workstation on a Windows 10 host where Credential Guard or Device Guard is enabled fails with a blue diagnostic screen (BSOD).


This article provides steps to disable Credential Guard or Device Guard for a Windows 10 Enterprise host.


This issue occurs because Device Guard or Credential Guard is incompatible with Workstation.


To disable Device Guard or Credential Guard on Itanium based computers:

  1. Disable the group policy setting that was used to enable Credential Guard.

    1. On the host operating system, click Start > Run, type gpedit.msc, and click Ok. The Local group Policy Editor opens.
    2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
    3. Select Disabled.

  2. Go to Control Panel > Uninstall a Program > Turn Windows features on or off to turn off Hyper-V.
  3. Select Do not restart.
  4. Delete the related EFI variables by launching a command prompt on the host machine using an Administrator account and run these commands:

    mountvol X: /s
    copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
    bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
    bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
    mountvol X: /d

    Note: Ensure X is an unused drive, else change to another drive.

  5. Restart the host.
  6. Accept the prompt on the boot screen to disable Device Guard or Credential Guard.

If you have a machine with Legacy BIOS boot:
  1. Open the command prompt as Administrator on host.
  2. Run this command:

    bcdedit /set hypervisorlaunchtype off

  3. Reboot the host.
Note: To find EFI or BIOS type msinfo32.exe in the Run tab.

See Also

Language Editions


Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 545 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 545 Ratings