Fix VMware Workstation and Credential Guard are not compatible

Posted on Christian By Christian No Comments on Fix VMware Workstation and Credential Guard are not compatible
Vmware-workstation-player-and-devicecredential-guard-not-compatible

The Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. In this article, we will learn how to fix VMware Workstation and Device/Credential Guard are not compatible with VMware Workstation. Please see How to disable side-channel mitigations on VMware Workstation, and How to install ESXi on VirtualBox.

Note: The steps described in this article also apply to VirtualBox and KVMs. Here is an article from Broadcom as referenced by Microsoft.

You may also want to see Enable or disable Windows Defender Credential Guard, How to fix VMware and HyperV are not compatible, and how to Protect Remote Desktop credentials with Windows Defender Remote Credential Guard or Restricted Admin Mode.

Why was the error “VMware Workstation and Device/Credential Guard not compatible” prompted?

At the time of writing this article. According to VMware, VMware Workstation 12.5 or later displays an error when you power on a virtual machine on Windows under the following conditions.

  • Credential Guard/Device Guard is enabled.
  • Windows Sandbox is enabled.
  • A Virtual machine platform, such as VirtualBox, is enabled.
  • When WSL2 is enabled.
  • When Hyper V is enabled.

Note, with the Virtual Machine Platform and Hyper Virtualization Platform. You may not not encounter any issues. This behaviour might not be the same for you. See this hyperlink to learn more about VBS.

Disable Hyper-V

Ensure you take a backup of your data. This ensures you have the system restore points as a safety measure.

Note: The following features would not work anymore once the Hyper-V is disabled

  • Credential Guard/Device Guard
  • Windows Sandbox
  • Virtual machine platform
  • WSL2
  • Hyper-V

Is Virtualization-based Security (VBS) enabled?

First, you have to verify if VBS is enabled.

To do this, open msinfo32/system information. Under System Summary on the Right-hand page, scroll down to Virtualization-based Security and ensure the Value is set to running as shown below.

Virtualization-based-Security

As you can see above. The value is set to running and we have to disable this.

Turn Off Hyper-V

As suggested by VMware, the steps below will help you resolve this issue. Launch Windows “Turn Windows features on or off” features.

Launch-Windows-features-On-or-Off

Make sure Hyper-v is not ticked. If it is Ticked, untick it and click “OK”.

Untick-Hyper-V-platform

As you can see below. The Windows Hypervisor Platform is unchecked.

HyperV-feature-removed

You will be required to restart your device to apply changes.

Reboot-1

Disable the Hypervisor launch Type

To do this, open the command prompt window as an administrator. Run “bcdedit /enum {current}”

hypervisorlaunchtype
As you can see above, this is set to auto currently.

Run “bcdedit /set hypervisorlaunchtype off” to disable hypervisor Close the command prompt after   executing the commands and restart the system.

Disabled-Hypervisorlaunchtype

We should be able to power on the Virtual Machine in Workstation now.

Can-now-access-VM-again

Turn off VBS

The below steps can be followed to turn off virtualization-based Security via GPO and Windows Registry.

Navigate to the key below in the left pane of Local Group Policy Editor.

 Computer Configuration\Administrative Templates\System\Device Guard

On the right-hand side, double-click on Turn off virtualization-based Security

turn-off-virtualization-based-Security

Double-click on “Turn On Virtualization Security”. 

This is set to "Not Configured", Select "Disable" and click "Ok"
Disable-Virtualization-based-security

As shown below, the turn off virtualization based security has been disabled.

Disabled

Close the Group Policy Editor. Restart the system.

Disable via Windows Registry

In case you wish to try this via the Windows Registry. Please follow the steps below.

Open Registry Editor
Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard
On the right-hand side, write a new key
      a. Right Click > New > DWORD (32-bit) Value

      b. Name this Value "EnableVirtualizationBasedSecurity"

          By default, it should be 0, Double click, and confirm the value

      4. Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa
      5. On the right-hand side, write a new key

       a. Right Click > New > DWORD (32-bit) Value

       b. Name this Value "LsaCfgFlags"

 By default, it should be 0, Double click, and confirm the value

I hope you found this guide useful “Fix VMware Workstation and Device/Credential Guard are not compatible with VMware Workstation”. Please feel free to leave a comment below.

5/5 - (1 vote)
Virtualization Tags:, , ,

Related Posts

More Related Articles

nested virtualization Enable the Virtual Machine Platform Windows Feature and ensure Virtualization is enabled in the BIOS Virtualization
How to configure Azure container register with secured connection with container apps Configure Azure Container Registry for a secure connection with Azure Container Apps AWS/Azure/OpenShift
Windows Server 2019 The virtual machine has terminated unexpectedly during startup with exit code 1 (1×0): Failed to open a session for the virtual machine Windows Server 2019 Virtualization
oracle virtualbox Fix VirtualBox Virtual Machine Encountered a Non-Fatal problem Virtualization
savds VM is not accessible: Fix Taking ownership of a VM failed Virtualization
screenshot 2020 03 21 at 22.44.04 1 How to create a Microsoft HyperV checkpoint Virtualization

Leave a Reply