7 Replies Latest reply on Sep 9, 2019 3:08 AM by SumYungTech

    Windows Sandbox Feature enables windows defender credential guard feature sets. Does not play well with VMware Workstation

    cosmic665 Lurker

      Hello Vmware community;

       

      I have concluded that windows sandbox does not work with VMware workstation in windows 10 build 18329.1.  Enabling windows sandbox also enables windows defender credential guard features which causes the following error when trying to power on a virtual machine in vmware:

       

      "VMware Workstation and Device/Credential Guard are not compatible. VMware Workstation can be run after disabling Device/Credential Guard."

       

      Upon searching you will find Vmware Knowledge Base Article 2146361 which references a link to the following Microsoft KB article:

       

      Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs

       

      Neither document mentions that the windows sandbox feature enables credential guard features.  Here is how to disable credential guard after uninstalling windows sandbox: https://kb.vmware.com/s/article/2146361

       

      1. Hit the windows key+s for "Search" and type "windows security settings" and press enter. Navigate to:

      Windows Security -->> Device Security -->> Core Isolation -->> Memory Integrity -->> Select Off

       

      2. Hit the windows key+r for "Run" and type "gpedit.msc" and press enter. Navigate to:

      Local Computer Policy ->> Computer Configuration ->> Administrative Templates ->> System - Device Guard ->> Turn on Virtualization

      Double click that .... and select "Disable" ...

       

      3. Go to Control Panel ->> Uninstall a Program ->> Turn Windows features on or off ->> (uncheck/turn off): Hyper-V & Windows Sandbox.

      *Click OK

      *Select Do not restart.

       

      4. Type the following cmds in cmd prompt.. to Delete the related EFI variables from the BCD file...

      Launch cmd as administrator...

       

      bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader

      bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"

      bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}

      bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS

      bcdedit /set hypervisorlaunchtype off

       

      5. Restart your system ...

       

      This howto has been kinda, sort of covered in various internet searches.  But no one seems to detail clearly how windows sandbox enables windows defender credential guard.  I found this out upgrading to window 10 build 18329.1. I hope this thread is helpful to someone.