Contributor

Windows Sandbox feature enables Windows Defender Credential Guard feature sets. Does not play well with VMware Workstation

Hello VMware community,

I have concluded that Windows Sandbox does not work with VMware Workstation in Windows 10 build 18329.1. Enabling Windows Sandbox also enables Windows Defender Credential Guard features, which causes the following error when trying to power on a virtual machine in VMware:

"VMware Workstation and Device/Credential Guard are not compatible. VMware Workstation can be run after disabling Device/Credential Guard."

Upon searching you will find VMware Knowledge Base Article 2146361, which references a link to the following Microsoft KB article:

Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs

Neither document mentions that the Windows Sandbox feature enables Credential Guard features. Here is how to disable Credential Guard after uninstalling Windows Sandbox: https://kb.vmware.com/s/article/2146361

1. Hit the Windows key+S for "Search" and type "windows security settings" and press Enter. Navigate to:

Windows Security -->> Device Security -->> Core Isolation -->> Memory Integrity -->> Select Off

2. Hit the Windows key+R for "Run" and type "gpedit.msc" and press Enter. Navigate to:

Local Computer Policy ->> Computer Configuration ->> Administrative Templates ->> System ->> Device Guard ->> Turn on Virtualization

Double click that .... and select "Disable" ...

3. Go to Control Panel ->> Uninstall a Program ->> Turn Windows features on or off ->> (uncheck/turn off): Hyper-V & Windows Sandbox.

*Click OK

*Select Do not restart.

4. Type the following commands in a command prompt to delete the related EFI variables from the BCD file:

Launch cmd as administrator...

bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"

bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS

bcdedit /set hypervisorlaunchtype off

5. Restart your system ...

This howto has been kinda, sort of covered in various internet searches. But no one seems to detail clearly how Windows Sandbox enables Windows Defender Credential Guard. I found this out upgrading to Windows 10 build 18329.1. I hope this thread is helpful to someone.

7 Replies
Contributor

Just ran into this myself. Thank you for this post, undoubtedly saved me a substantial amount of time and frustration. Darn shame, woulda liked to use it. It's pretty darned quick and convenient but not at the expense of losing all my VMs.

0 Kudos
Contributor

Hi all.

As per the article you linked, cosmic, it seems that the easiest way to disable Credential Guard is to download the Device Guard and Credential Guard hardware readiness tool and then run

DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot

That seems to have done the trick for me. Make sure on reboot you only choose to disable Credential Guard (at the first prompt) and not virtualization-based security (the second).

0 Kudos
Contributor

My PC running VMware Workstation got the May 2019 update and I enabled Windows Sandbox and tried it.

Afterward I couldn't launch VMs under VMware Workstation.

Running DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot repaired it.

This is a hoot, because the W10 Preview VM (now up to build 18898) under VMware Workstation still throws up an error message and won't run.

I guess it doesn't matter if Windows Sandbox runs inside the VM, when I can run it as needed on the host.

0 Kudos
Contributor

I just started seeing this error today, but according to the page(s) referenced by the error message, I do not have Credential Guard enabled:

[Image: vmware-broke.png]

Notice that System Information shows that no Virtualization-based security services are configured.  Also, the setting specifically mentioned by this article is off:

[Image: core-iso.png]

I *did* install Windows Sandbox last week in order to test something, so that is probably what has killed VMware, but nothing here seems to match the articles I am finding.  I uninstalled Windows Sandbox and the Core Isolation setting didn't change (it was off when Sandbox was installed and remained off after I removed it.)

I would not have wanted to use the sandbox if it were just as easy to spontaneously generate a complete, clean Windows 10 environment for a single test usage in VMware -- but that takes time and effort (including booting the image weekly to ensure it stays up to date, etc.)

OTOH, I am extremely upset with Microsoft for not warning me about the products that would be broken by installing their tool, too. Hopefully VMware can put their big brains to work and find a way to fix this. Until then, I cannot perform my job because the VMs where my code and tools exist will no longer run. Great.

FOLLOW UP: On my system (Win 10 Pro x64 version 1903 build 18362.175) both settings in (1) and (2) were already set as recommended before and after (3) uninstalling Hyper-V and Sandbox. The first command in (4) failed, but the others appeared to work and after rebooting, VMware is now starting my VMs again.

SO... while much of this solution doesn't match today's version of Windows, some of the "secret" codes given at the end still helped. Thanks.
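
A read-only check for the settings touched by steps 1 to 4 of the original post, including the case described in the post above where System Information shows no virtualization-based security services yet a hypervisor still loads. This is an added example, not code from the thread, VMware or Microsoft; it assumes an elevated PowerShell session and the documented Win32_DeviceGuard value meanings, and the property names of the output object are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, read-only: reports the state that steps 1-4 of the thread change.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Value meanings as documented for the Win32_DeviceGuard WMI class
$vbsText = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
$svcText = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'Memory Integrity (HVCI)' }

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# Step 3: optional features (Containers-DisposableClientVM is Windows Sandbox)
$features = 'Containers-DisposableClientVM', 'Microsoft-Hyper-V-All' | ForEach-Object {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $_ -ErrorAction SilentlyContinue
    '{0}={1}' -f $_, $(if ($f) { $f.State } else { 'NotFound' })
}

# Step 4, last command: boot-time hypervisor launch setting for the current OS entry
$bcdLine = bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype' |
    Select-Object -First 1
$launch = if ($bcdLine) { ($bcdLine.Line.Trim() -split '\s+')[-1] } else { 'not set' }

$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
[pscustomobject]@{
    # Live state reported by the OS
    VbsStatus            = if ($dg) { $vbsText[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'Unknown' }
    ServicesRunning      = if ($dg) { ($dg.SecurityServicesRunning |
                               ForEach-Object { $svcText[[int]$_] }) -join ', ' } else { 'Unknown' }
    # True when Windows itself booted under a hypervisor
    HypervisorPresent    = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
    HypervisorLaunchType = $launch
    OptionalFeatures     = $features -join '; '
    # Configured state (steps 1 and 2); empty means the value is absent
    VbsRegistry          = Get-RegValue $dgKey 'EnableVirtualizationBasedSecurity'
    MemoryIntegrityReg   = Get-RegValue "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" 'Enabled'
    LsaCfgFlags          = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
    LsaCfgFlagsPolicy    = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' 'LsaCfgFlags'
} | Format-List
```

Run it before the change and again after the reboot in step 5 and keep both outputs, since Credential Guard is what isolates LSA secrets on the host and its removal should be a recorded decision.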

Contributor

This worked for me when other solutions (including the ones VMware links to at Microsoft) didn't.

Despite having already turned off Windows Sandbox and Hyper-V features, and having used the DG_Readiness_tool_v3.6.ps1 tool, I was unable to use VMware Workstation 12 until following this guide.

I believe it may have been "bcdedit /set hypervisorlaunchtype off" that finally forced whatever components that were left to turn off.

Kudos to cosmic665

0 Kudos
Contributor

Hit the windows key+s for "Search"

I feel I should mention, you don't have to press Win+S for search. You can just press Win and start typing.

Hit the windows key+r for "Run" and type "gpedit.msc"

You also don't have to do Run for that. You can just press Win, type "gpedit.msc" and hit enter. It has the same effect. But to each his own.

0 Kudos
Contributor

I just joined this community because I'm having this exact problem.

Thank you for posting your experience, nurbles.

Going to try your stated solutions and hopefully everything will be back to normal for me.

I have 2 virtual machines and the latest Windows Update broke both.  Have tried the same, exact troubleshooting steps.

Cheers.

0 Kudos