VMware (Workstation or Player) and Device/Credential Guard are not compatible.

If you’ve tried running a VM in VMware Workstation or Player on a Windows PC, you may have run into the following error:

“VMware Workstation (or VMWare Player) and Device/Credential Guard are not compatible. VMware Player can be run after disabling Device/Credential Guard. Please visit http://www.wmware.com/go/turnoff_CG_DG for more details.”

Yeah – that site isn’t too helpful. Visit it if you want. It will further direct you to Microsoft’s page: https://support.microsoft.com/en-us/help/3204980/virtualization-applications-do-not-work-together-with-hyper-v-device-g

The problem is, all the additional sites weren’t too helpful either. Some say to uninstall the Hyper-V additional features – which might work, but in my case I hadn’t ever installed them – while others say to just open a command prompt (in Administrator mode), enter bcdedit /set hypervisorlaunchtype off, and then restart your machine. That stops Hyper-V from starting any VMs (if you had it installed), but if you don’t have Hyper-V installed it does nothing.

Other sites (such as https://www.tenforums.com/tutorials/68935-enable-disable-credential-guard-windows-10-a.html) suggest a myriad of options such as gpedit.msc settings (which weren’t set on my PC) or regedit settings (which also weren’t effective).

But one list of commands was. Note that Microsoft considers this a security override: the load options used below (DISABLE-LSA-ISO and DISABLE-VBS) switch off LSA isolation and virtualization-based security, the protections behind Device Guard and Credential Guard, which leaves your computer more open to external bad guys. Just letting you know in advance. Hopefully if you’re working with VMs you already know enough to not leave your files and settings unsecured, but caveat emptor.

Anyhow – execute the following commands from the command prompt (with Administrator privileges). Note: Below it says to mount the volume as drive X. If you already have a drive X – use another drive letter that isn’t already in use.

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

Then reboot. Upon reboot you will see a text prompt asking if you want to disable Device Guard or Credential Guard. Confirm that you do by pressing the key it asks for (F3 or the Windows key), and once Windows boots up, you can run VMware VMs without the error.
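
To see what was actually running before the change, and to confirm the result after the reboot, a status check helps. The following PowerShell is an added example, not part of the original post; it reads the Win32_DeviceGuard CIM class and the current boot entry via bcdedit, and the function name Get-VbsState is made up for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): report VBS / Credential Guard state.
# Get-VbsState is a hypothetical helper name.
function Get-VbsState {
    # Win32_DeviceGuard exposes what is configured and what is actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Value maps for the CIM properties; anything else is reported as "Other (n)".
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $svcText = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

    # The CIM values are UInt32; cast to [int] so the hashtable lookups match.
    $decode = {
        param($values)
        ($values | ForEach-Object {
            $n = [int]$_
            if ($svcText.ContainsKey($n)) { $svcText[$n] } else { "Other ($n)" }
        }) -join ', '
    }

    # hypervisorlaunchtype only appears in the boot entry if it was ever set.
    $line   = bcdedit /enum '{current}' |
              Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)'
    $launch = if ($line) { $line.Matches[0].Groups[1].Value } else { 'not set' }

    [pscustomobject]@{
        VbsStatus              = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = & $decode $dg.SecurityServicesConfigured
        ServicesRunning        = & $decode $dg.SecurityServicesRunning
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HypervisorLaunchType   = $launch
    }
}

Get-VbsState | Format-List
```

Keeping the "before" output also records which protections to turn back on once the VMs are no longer needed.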

One additional note: VirtualBox does not seem to have this conflict, so if you can run your VM in VirtualBox and don’t want to disable the Device/Credential Guard, this might be a preferred alternative.
