VMware Workstation and Device Credential Guard are not compatible

Question

I have been running VMware for the last year no problems, today I opened it up to start one of my VM and get an error message, see screen shot.

I did follow the link and went through the steps, on step 4 I need to mount a volume using "mountvol". when I try to mount a volume using mountvol X: \\?\Volume{5593b5bd-0000-0000-0000-c0f373000000}\ it keeps saying The directory is not empty. I even created a partition with 2GB and still the same message.

My Questions:

How can I mount the volume that is not empty even though it is?

Why did this Device/Credential Guard auto enable itself and how can I get rid of it or disable it.

CMD:

User · Answer

Well Boys and Girls after reading through the release notes for build 17093 in the wee small hours of the night, I have found the change point that affects my VMware Workstation VM's causing them not to work, it is the Core Isolation settings under Device Security under windows security (new name for windows defender page) in settings.

By default it is turned on, however when I turned it off and restarted my pc all my VMware VM's resumed working correctly. Perhaps a by device option could be incorporated in the next build to allow us to test individual devices / Apps responses to allow the core isolation to be on or off per device or App as required .

User · Answer

To make it super easy    Just download this script directly from Microsoft  Run your Powershell as an admin and then execute following commands    To Verify if DG CG is enabled DG Readiness ps1 -Ready  To Disable DG CG  DG Readiness ps1 -Disable

User · Answer

If you are someone who maintains an open customized "Run as administrator" command prompt or powershell command line window at all the times you can optionally setup the following aliases / macros to simplify executing the commands mentioned by @gue22 for simply disabling hyper-v hypervisor when needing to use vmware player or workstation and then enabling it again when done.

doskey hpvEnb = choice /c:yn /cs /d n /t 30 /m "Are you running from elevated command prompt" ^& if not errorlevel 2 ( bcdedit /set hypervisorlaunchtype auto ^& echo.^&echo now reboot to enable hyper-v hypervisor )
doskey hpvDis = choice /c:yn /cs /d n /t 30 /m "Are you running from elevated command prompt" ^& if not errorlevel 2 ( bcdedit /set hypervisorlaunchtype off ^& echo.^&echo now reboot to disable hyper-v hypervisor )
doskey bcdL = bcdedit /enum ^& echo.^&echo now see boot configuration data store {current} boot loader settings

With the above in place you just type "hpvenb" [ hypervisor enabled at boot ], "hpvdis" [ hypervisor disabled at boot ] and "bcdl" [ boot configuration devices list ] commands to execute the on, off, list commands.

User · Answer

I had the same problem  I had VMware Workstation 15 5 4 and Windows 10 version 1909 and installed Docker Desktop  Here how I solved it   Install new VMware Workstation 16 1 0 Update my Windows 10 from 1909 to 20H2  As VMware Guide said in this link  If your Host has Windows 10 20H1 build 19041 264 or newer  upgrade update to Workstation 15 5 6 or above  If your Host has Windows 10 1909 or earlier  disable Hyper-V on the host to resolve this issue   Now VMware and Hyper-V can be at the same time and have both Docker and VMware at my Windows

User · Answer

I also struggled a lot with this issue  The answers in this thread were helpful but were not enough to resolve my error  You will need to disable Hyper-V and Device guard like the other answers have suggested  More info on that can be found in here   I am including the changes needed to be done in addition to the answers provided above  The link that finally helped me was this   My answer is going to summarize only the difference between the rest of the answers  i e  Disabling Hyper-V and Device guard  and the following steps      If you used Group Policy  disable the Group Policy setting that you used to enable Windows Defender Credential Guard  Computer Configuration -  Administrative Templates -  System -  Device Guard -  Turn on Virtualization Based Security   Delete the following registry settings   HKEY LOCAL MACHINE System CurrentControlSet Control LSA LsaCfgFlags HKEY LOCAL MACHINE Software Policies Microsoft Windows DeviceGuard EnableVirtualizationBasedSecurity HKEY LOCAL MACHINE Software Policies Microsoft Windows DeviceGuard RequirePlatformSecurityFeatures  Important   If you manually remove these registry settings  make sure to delete them all  If you don t remove them all  the device might go into BitLocker recovery  Delete the Windows Defender Credential Guard EFI variables by using bcdedit  From an elevated command prompt start in admin mode   type the following commands    mountvol X   s   copy  WINDIR  System32 SecConfig efi X  EFI Microsoft Boot SecConfig efi  Y   bcdedit  create  0cb3b571-2f2e-4343-a879-d86a476d7215   d  DebugTool   application osloader   bcdedit  set  0cb3b571-2f2e-4343-a879-d86a476d7215  path   EFI Microsoft Boot SecConfig efi    bcdedit  set  bootmgr  bootsequence  0cb3b571-2f2e-4343-a879-d86a476d7215    bcdedit  set  0cb3b571-2f2e-4343-a879-d86a476d7215  loadoptions DISABLE-LSA-ISO   bcdedit  set  0cb3b571-2f2e-4343-a879-d86a476d7215  device partition X    mountvol X   d  Restart the PC  Accept the prompt to disable Windows Defender Credential Guard  Alternatively  you can disable the virtualization-based security features to turn off Windows Defender Credential Guard

User · Answer

I m still not convinced that Hyper-V is The Thing for me  even with last year s Docker trials and tribulations and I guess you won t want to switch very frequently  so rather than creating a new boot and confirming the boot default or waiting out the timeout with every boot I switch on demand in the console in admin mode by  bcdedit  set hypervisorlaunchtype off   Another reason for this post -- to save you some headache  You thought you switch Hyper-V on with the  on  argument again  Nope  Too simple for MiRKoS  t  It s auto   Have fun  G

User · Answer

the simplest solution for this issue is to download the "Device Guard and Credential Guard hardware readiness tool" to correct the incompatibility :

https://www.microsoft.com/en-us/download/details.aspx?id=53337
Decompress the zip
you will find :
execute the "DG_Readiness_Tool_v3.6.ps1" with PowerShell
Now you should be able to power on your virtual machine normally .

User · Answer

There is a much better way to handle this issue. Rather than removing Hyper-V altogether, you just make alternate boot to temporarily disable it when you need to use VMWare. As shown here...

http://www.hanselman.com/blog/SwitchEasilyBetweenVirtualBoxAndHyperVWithABCDEditBootEntryInWindows81.aspx

C:\>bcdedit /copy {current} /d "No Hyper-V" 
The entry was successfully copied to {ff-23-113-824e-5c5144ea}. 

C:\>bcdedit /set {ff-23-113-824e-5c5144ea} hypervisorlaunchtype off 
The operation completed successfully.

note: The ID generated from the first command is what you use in the second one. Don't just run it verbatim.

When you restart, you'll then just see a menu with two options...

Windows 10
No Hyper-V

So using VMWare is then just a matter of rebooting and choosing the No Hyper-V option.

If you want to remove a boot entry again. You can use the /delete option for bcdedit.

First, get a list of the current boot entries...

C:\>bcdedit /v

This lists all of the entries with their ID's. Copy the relevant ID, and then remove it like so...

C:\>bcdedit /delete {ff-23-113-824e-5c5144ea}

As mentioned in the comments, you need to do this from an elevated command prompt, not powershell. In powershell the command will error.

update: It is possible to run these commands in powershell, if the curly braces are escaped with backtick (`). Like so...

C:\WINDOWS\system32> bcdedit /copy `{current`} /d "No Hyper-V"

User · Answer

install the latest vmware workstation  gt  15 5 5 version which has support of Hyper-V Host  With the release of VMware Workstation Player 15 5  5 or  gt   we are very excited and proud to announce support for Windows hosts with Hyper-V mode enabled  As you may know  this is a joint project from both Microsoft and VMware  https   blogs vmware com workstation 2020 05 vmware-workstation-now-supports-hyper-v-mode html i installed the VMware Workstation Pro 16 1 0 and now it fixed my issue now i am using docker  amp  vmware same time even my window Hyper-V mode is enabled

User · Answer

QUICK SOLUTION EVERY STEP  Fixed error in VMware Workstation on Windows 10 host Transport  VMDB  error -14  Pipe connection has been broken  Today we will be fixing VMWare error on a windows 10 computer   In RUN box type  quot gpedit quot  then Goto   ERROR SEE POINT 3   1- Computer Configuration 2- Administrative Templates 3- System - Device Guard   IF NO DEVICE GUARD    DOWNLOAD https   www microsoft com en-us download 100591  install this  quot c  Program Files  x86  Microsoft Group Policy Windows 10 November 2019 Update  1909  PolicyDefinitions quot  COPY to c  windows PolicyDefinitions   4- Turn on Virtualization Based Security  Now Double click that and  quot Disable quot   Open Command Prompt as Administrator and type the following gpupdate  force  DONT DO IF YOU DONT HAVE DEVICE GUARD ELSE IT WILL GO AGAIN   Open Registry Editor  now Go to HKEY LOCAL MACHINE System CurrentControlSet Control DeviceGuard  Add a new DWORD value named EnableVirtualizationBasedSecurity and set it to 0 to disable it  Next Go to HKEY LOCAL MACHINE System CurrentControlSet Control LSA   Add a new DWORD value named LsaCfgFlags and set it to 0 to disable it   In RUN box  type Turn Windows features on or off  now uncheck Hyper-V and restart system   Open command prompt as a administrator and type the following commands       bcdedit  create  0cb3b571-2f2e-4343-a879-d86a476d7215   d  quot DebugTool quot   application osloader      bcdedit  set  0cb3b571-2f2e-4343-a879-d86a476d7215  path  quot  EFI Microsoft Boot SecConfig efi quot       bcdedit  set  bootmgr  bootsequence  0cb3b571-2f2e-4343-a879-d86a476d7215           bcdedit  set  0cb3b571-2f2e-4343-a879-d86a476d7215  loadoptions DISABLE-LSA-ISO DISABLE-VBS      bcdedit  set hypervisorlaunchtype off  Now  Restart your system

User · Answer

I don t know why but version 3 6 of DG Readiness Tool didn t work for me  After I restarted my laptop problem still persisted  I was looking for solution and finally I came across version 3 7 of the  tool and this time problem went away  Here you can find latest powershell script   DG Readiness Tool v3 7

User · Answer

For those who might be encountering this issue with recent changes to your computer involving Hyper-V, you'll need to disable it while using VMWare or VirtualBox. They don't work together. Windows Sandbox and WSL 2 need the Hyper-V Hypervisor on, which currently breaks VMWare. Basically, you'll need to run the following commands to enable/disable Hyper-V services on next reboot.

To disable Hyper-V and get VMWare working, in PowerShell as Admin:

bcdedit /set hypervisorlaunchtype off

To re-enable Hyper-V and break VMWare for now, in PowerShell as Admin:

bcdedit /set hypervisorlaunchtype auto

You'll need to reboot after that. I've written a PowerShell script that will toggle this for you and confirm it with dialog boxes. It even self-elevates to Administrator using this technique so that you can just right click and run the script to quickly change your Hyper-V mode. It could easily be modified to reboot for you as well, but I personally didn't want that to happen. Save this as hypervisor.ps1 and make sure you've run Set-ExecutionPolicy RemoteSigned so that you can run PowerShell scripts.

# Get the ID and security principal of the current user account
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent();
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID);

# Get the security principal for the administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator;

# Check to see if we are currently running as an administrator
if ($myWindowsPrincipal.IsInRole($adminRole))
{
    # We are running as an administrator, so change the title and background colour to indicate this
    $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)";
    $Host.UI.RawUI.BackgroundColor = "DarkBlue";
    Clear-Host;
}
else {
    # We are not running as an administrator, so relaunch as administrator

    # Create a new process object that starts PowerShell
    $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell";

    # Specify the current script path and name as a parameter with added scope and support for scripts with spaces in it's path
    $newProcess.Arguments = "-windowstyle hidden & '" + $script:MyInvocation.MyCommand.Path + "'"

    # Indicate that the process should be elevated
    $newProcess.Verb = "runas";

    # Start the new process
    [System.Diagnostics.Process]::Start($newProcess);

    # Exit from the current, unelevated, process
    Exit;
}

Add-Type -AssemblyName System.Windows.Forms


$state = bcdedit /enum | Select-String -Pattern 'hypervisorlaunchtype\s*(\w+)\s*'


if ($state.matches.groups[1].ToString() -eq "Off"){

    $UserResponse= [System.Windows.Forms.MessageBox]::Show("Enable Hyper-V?" , "Hypervisor" , 4)

    if ($UserResponse -eq "YES" ) 
    {

        bcdedit /set hypervisorlaunchtype auto
        [System.Windows.Forms.MessageBox]::Show("Enabled Hyper-V. Reboot to apply." , "Hypervisor")

    } 

    else 

    { 

        [System.Windows.Forms.MessageBox]::Show("No change was made." , "Hypervisor")
        exit

    }

} else {

    $UserResponse= [System.Windows.Forms.MessageBox]::Show("Disable Hyper-V?" , "Hypervisor" , 4)

    if ($UserResponse -eq "YES" ) 
    {

        bcdedit /set hypervisorlaunchtype off
        [System.Windows.Forms.MessageBox]::Show("Disabled Hyper-V. Reboot to apply." , "Hypervisor")

    } 

    else 

    { 

        [System.Windows.Forms.MessageBox]::Show("No change was made." , "Hypervisor")
        exit

    }

}

User · Answer

Device Credential Guard is a Hyper-V based Virtual Machine Virtual Secure Mode that hosts a secure kernel to make Windows 10 much more secure           the VSM instance is segregated from the normal operating   system functions and is protected by attempts to read information in   that mode  The protections are hardware assisted  since the hypervisor   is requesting the hardware treat those memory pages differently  This   is the same way to two virtual machines on the same host cannot   interact with each other  their memory is independent and hardware   regulated to ensure each VM can only access it   s own data       From here  we now have a protected mode where we can run security   sensitive operations  At the time of writing  we support three   capabilities that can reside here  the Local Security Authority  LSA     and Code Integrity control functions in the form of Kernel Mode Code   Integrity  KMCI  and the hypervisor code integrity control itself    which is called Hypervisor Code Integrity  HVCI          When these capabilities are handled by Trustlets in VSM  the Host OS   simply communicates with them through standard channels and   capabilities inside of the OS  While this Trustlet-specific   communication is allowed  having malicious code or users in the Host   OS attempt to read or manipulate the data in VSM will be significantly   harder than on a system without this configured  providing the   security benefit       Running LSA in VSM  causes the LSA process itself  LSASS  to remain in   the Host OS  and a special  additional instance of LSA  called LSAIso       which stands for LSA Isolated  is created  This is to allow all of   the standard calls to LSA to still succeed  offering excellent legacy   and backwards compatibility  even for services or capabilities that   require direct communication with LSA  In this respect  you can think   of the remaining LSA instance in the Host OS as a    proxy    or    stub      instance that simply communicates with the isolated version in   prescribed ways     And Hyper-V and VMware didn t work the same time until 2020  when VMware used Hyper-V Platform to co-exist with Hyper-V starting with Version 15 5 5       How does VMware Workstation work before version 15 5 5        VMware Workstation traditionally has used a Virtual Machine Monitor    VMM  which operates in privileged mode requiring direct access to the   CPU as well as access to the CPU   s built in virtualization support    Intel   s VT-x and AMD   s AMD-V    When a Windows host enables   Virtualization Based Security     VBS     features  Windows adds a   hypervisor layer based on Hyper-V between the hardware and Windows     Any attempt to run VMware   s traditional VMM fails because being inside   Hyper-V the VMM no longer has access to the hardware   s virtualization   support       Introducing User Level Monitor      To fix this Hyper-V Host VBS compatibility issue  VMware   s platform   team re-architected VMware   s Hypervisor to use Microsoft   s WHP APIs    This means changing our VMM to run at user level instead of in   privileged mode  as well modifying it to use the WHP APIs to manage   the execution of a guest instead of using the underlying hardware   directly       What does this mean to you       VMware Workstation Player can now run when Hyper-V is enabled  You no   longer have to choose between running VMware Workstation and Windows   features like WSL  Device Guard and Credential Guard  When Hyper-V is   enabled  ULM mode will automatically be used so you can run VMware   Workstation normally  If you don   t use Hyper-V at all  VMware   Workstation is smart enough to detect this and the VMM will be used       System Requirements      To run Workstation Player using the Windows Hypervisor APIs  the   minimum required Windows 10 version is Windows 10 20H1 build   19041 264  VMware Workstation Player minimum version is 15 5 5    To avoid the error  update your Windows 10 to Version 2004 Build 19041  Mai 2020 Update  and use at least VMware 15 5 5

User · Answer

Here are proper instructions so that everyone can follow.

First download Device Guard and Credential Guard hardware readiness tool from this link: https://www.microsoft.com/en-us/download/details.aspx?id=53337
extract the zip folder content to some location like: C:\guard_tool
you will have files like this copy file name of ps1 extension file in my case its v3.6 so it will be : DG_Readiness_Tool_v3.6.ps1

Next click on start menu and search for powershell and then right click on it and run as Administrator.

After that you will see blue color terminal enter command cd C:\guard_tool , replace the path after cd with your extracted location of the tool
Now enter command: .\DG_Readiness_Tool_v3.6.ps1 -Disable
After that reboot system
When your system is restarting it boot time system will show notification with black background to verify that you want to disable these features so press F3 to confirm.
do +1 if it helped :)

[cmd] VMware Workstation and Device/Credential Guard are not compatible

The answer is

To make it super easy:

Examples related to cmd

Examples related to windows-10

Examples related to vmware

Examples related to mount

Examples related to vmware-workstation

Tags