Windows 10 host where Credential Guard or Device Guard is enabled fails when running Workstation (2146361)

Symptoms

Running Workstation on a Windows 10 host where Credential Guard or Device Guard is enabled fails with a blue diagnostic screen (BSOD).

Purpose

This article provides steps to disable Credential Guard or Device Guard for a Windows 10 Enterprise host.

Cause

This issue occurs because Device Guard or Credential Guard is incompatible with Workstation.

Resolution

To disable Device Guard or Credential Guard on Itanium-based computers:

  1. Disable the group policy setting that was used to enable Credential Guard.

    1. On the host operating system, click Start > Run, type gpedit.msc, and click OK. The Local Group Policy Editor opens.
    2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
    3. Select Disabled.

  2. Go to Control Panel > Uninstall a Program > Turn Windows features on or off to turn off Hyper-V.
  3. Select Do not restart.
  4. Delete the related EFI variables by launching a command prompt on the host machine using an Administrator account and running these commands:

    mountvol X: /s
    copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
    bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
    bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
    mountvol X: /d

    Note: Ensure that X is an unused drive letter. If it is already in use, substitute another drive letter in the commands.

  5. Restart the host.
  6. Accept the prompt on the boot screen to disable Device Guard or Credential Guard.

If you have a machine with Legacy BIOS boot:

  1. Open the command prompt as Administrator on the host.
  2. Run this command:

    bcdedit /set hypervisorlaunchtype off

  3. Reboot the host.

Note: To determine whether the host boots with EFI or BIOS, click Start > Run and type msinfo32.exe.
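To confirm the result after the restart, the following read-only PowerShell check (an added example, not part of the VMware article) reports the firmware type, the virtualization-based security and Credential Guard state from the Win32_DeviceGuard class, the Hyper-V feature state, and the hypervisorlaunchtype value. The function name Get-VbsState is hypothetical, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: read-only check, changes nothing. Run from an elevated prompt.
function Get-VbsState {   # hypothetical helper name
    # Firmware type decides which branch of the procedure applies (EFI or legacy BIOS).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbsNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $svcNames = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }
    # Translate service ids to names; ids not listed above are shown by number.
    $toNames = {
        param($ids)
        $n = foreach ($id in $ids) {
            if ($svcNames.ContainsKey([int]$id)) { $svcNames[[int]$id] } else { "id $id" }
        }
        if ($n) { $n -join ', ' } else { 'None' }
    }

    # Step 2 of the procedure turns off the Hyper-V Windows feature.
    $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue

    # hypervisorlaunchtype is the value the Legacy BIOS branch sets to "off".
    $m = bcdedit /enum '{current}' | Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)'

    [pscustomobject]@{
        FirmwareType         = $firmware
        VbsStatus            = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = & $toNames $dg.SecurityServicesConfigured
        ServicesRunning      = & $toNames $dg.SecurityServicesRunning
        CredentialGuardOn    = $dg.SecurityServicesRunning -contains 1
        HyperVFeature        = if ($hv) { "$($hv.State)" } else { 'Not present' }
        HypervisorLaunchType = if ($m) { $m.Matches[0].Groups[1].Value } else { 'Not set' }
    }
}

$state = Get-VbsState
$state | Format-List
if ($state.CredentialGuardOn -or $state.VbsStatus -eq 'Running') {
    Write-Warning 'VBS or Credential Guard is still active; recheck the group policy setting and the boot prompt.'
} else {
    Write-Output 'VBS and Credential Guard are not running.'
}
```

Running it before the change records a baseline, so the same output can be used to confirm the original state if the protections are re-enabled later.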
