
VMware Workstation and Device / Credential Guard are not compatible.

codestyles 2020. 9. 16. 07:44



I have been running VMware without any problems for the past year, and today I started one of my VMs and got an error message. See the screenshot.


I followed the steps in the link. In step 4 I have to mount the volume using "mountvol". When I mount the volume with mountvol X: \\?\Volume{5593b5bd-0000-0000-0000-c0f373000000}\ it keeps saying "The directory is not empty." Even when I created a 2 GB partition I still got the same message.

My questions:

How can I mount a volume that is empty but is not empty?

Why was this Device / Credential Guard enabled automatically, and how can I remove or disable it?



Device / Credential Guard is a Hyper-V based virtual machine / Virtual Secure Mode that hosts a secure kernel to make Windows 10 much more secure.


... The VSM instance is segregated from the normal operating system functions and is protected against attempts to read information in that mode. The protection is hardware assisted, since the hypervisor requests that the hardware treat those memory pages differently. This is the same way two virtual machines on the same host cannot interact with each other: their memory is independent and hardware regulated so that each VM can only access its own data.

From here we have a protected mode in which security-sensitive operations can run. At the time of writing we support three capabilities that can reside here: the Local Security Authority (LSA), and code integrity control in the form of Kernel Mode Code Integrity (KMCI) and the hypervisor code integrity control itself, Hypervisor Code Integrity (HVCI).


When these capabilities are handled by Trustlets in VSM, the Host OS simply communicates with them through standard channels and capabilities inside of the OS. While this Trustlet-specific communication is allowed, having malicious code or users in the Host OS attempt to read or manipulate the data in VSM will be significantly harder than on a system without this configured, providing the security benefit.

Running LSA in VSM causes the LSA process itself (LSASS) to remain in the Host OS, and a special, additional instance of LSA (called LSAIso, which stands for LSA Isolated) is created. This is to allow all of the standard calls to LSA to still succeed, offering excellent legacy and backwards compatibility, even for services or capabilities that require direct communication with LSA. In this respect, you can think of the remaining LSA instance in the Host OS as a 'proxy' or 'stub' instance that simply communicates with the isolated version in prescribed ways.

And Hyper-V and VMware couldn't work at the same time until 2020, when VMware started using the Hyper-V Platform to co-exist with Hyper-V.

In Windows 10 we have introduced many security features that utilize the Windows Hypervisor. Credential Guard, Windows Defender Application Guard, and Virtualization Based Security all utilize the Windows Hypervisor. At the same time, new Developer features like Windows Server Containers and the WSL 2 both utilize the Windows Hypervisor.

This has made it challenging for our customers who need to use VMware Workstation. Historically, it has not been possible to run VMware Workstation when Hyper-V was enabled.

In the future – users will be able to run all of these applications together. This means that users of VMware workstation will be able to take advantage of all the security enhancements and developer features that are available in Windows 10.

You have to migrate your VMs to Hyper-V or disable the feature.

If you want to stay with VMware, unselect the Hyper-V and Isolated User Mode/Sandbox/Device Guard features in Control Panel -> Programs & Features -> Turn features on or off, and reboot the device:



There is a much better way to handle this issue. Rather than removing Hyper-V altogether, you just make an alternate boot entry to temporarily disable it when you need to use VMware. As shown here...

http://www.hanselman.com/blog/SwitchEasilyBetweenVirtualBoxAndHyperVWithABCDEditBootEntryInWindows81.aspx

C:\>bcdedit /copy {current} /d "No Hyper-V" 
The entry was successfully copied to {ff-23-113-824e-5c5144ea}. 

C:\>bcdedit /set {ff-23-113-824e-5c5144ea} hypervisorlaunchtype off 
The operation completed successfully.

note: The ID generated from the first command is what you use in the second one. Don't just run it verbatim.

When you restart, you'll then just see a menu with two options...

  • Windows 10
  • No Hyper-V

So using VMWare is then just a matter of rebooting and choosing the No Hyper-V option.

If you want to remove a boot entry again, you can use the /delete option of bcdedit.

First, get a list of the current boot entries...

C:\>bcdedit /v

This lists all of the entries with their IDs. Copy the relevant ID, and then remove it like so...

C:\>bcdedit /delete {ff-23-113-824e-5c5144ea}

As mentioned in the comments, you need to do this from an elevated command prompt, not PowerShell. In PowerShell the command will error.
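The two manual commands above as a script that captures the generated entry ID instead of having you retype it (an added example, not code from the thread or from the linked post; the function names are my own). It is written for PowerShell, so `{current}` is quoted: PowerShell parses unquoted braces as a script block, which is why the bare cmd syntax fails when pasted into a PowerShell window.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original thread. Function names are my own.
# Braces are quoted throughout: unquoted {current} is a script block to PowerShell.

function Get-HypervisorLaunchType {
    # Returns the {current} entry's hypervisorlaunchtype. The element is absent when it
    # has never been set, which bcdedit treats as Auto (the default, per the answer below).
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^hypervisorlaunchtype\s+(\S+)') { return $Matches[1] }
    }
    return 'Auto'
}

function Get-BcdEntryIdFromCopyOutput {
    param([Parameter(Mandatory)][string]$Output)
    # bcdedit /copy prints: The entry was successfully copied to {GUID}.
    if ($Output -match '\{([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}') {
        return "{$($Matches[1])}"
    }
    throw "Could not find an entry ID in bcdedit output: $Output"
}

function New-NoHyperVBootEntry {
    param([string]$Description = 'No Hyper-V')
    # Refuse to create a second entry with the same menu text.
    $pattern = '^description\s+' + [regex]::Escape($Description) + '\s*$'
    $dupe = bcdedit /enum | Where-Object { $_ -match $pattern }
    if ($dupe) { throw "A boot entry described '$Description' already exists; remove it with bcdedit /delete first." }

    $copyOutput = (bcdedit /copy '{current}' /d $Description 2>&1) -join ' '
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }
    $id = Get-BcdEntryIdFromCopyOutput -Output $copyOutput

    # Only the copy is changed; the entry you are booted from keeps its setting.
    bcdedit /set $id hypervisorlaunchtype off | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed for $id" }
    return $id
}

# Usage: create the entry once, then confirm the running entry is unchanged.
$newId = New-NoHyperVBootEntry
"Created $newId; reboot and pick 'No Hyper-V' to run VMware."
"Current entry keeps hypervisorlaunchtype=$(Get-HypervisorLaunchType)"
```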


I'm still not convinced that Hyper-V is The Thing for me, even with last year's Docker trials and tribulations, and I guess you won't want to switch very frequently, so rather than creating a new boot entry and confirming the boot default or waiting out the timeout with every boot, I switch on demand in the console in admin mode by

bcdedit /set hypervisorlaunchtype off

Another reason for this post, to save you some headache: you thought you'd switch Hyper-V on with the "on" argument again? Nope. Too simple for MiRKoS..t. It's "auto"!

Have fun!
G.


To make it super easy:

  1. Just download this script directly from Microsoft.

  2. Run your Powershell as an admin and then execute following commands:

    • To verify whether DG/CG is enabled: DG_Readiness.ps1 -Ready
    • To disable DG/CG: DG_Readiness.ps1 -Disable

I also struggled a lot with this issue. The answers in this thread were helpful but were not enough to resolve my error. You will need to disable Hyper-V and Device Guard like the other answers have suggested. More info on that can be found here.

I am including the changes needed to be done in addition to the answers provided above. The link that finally helped me was this.

My answer is going to summarize only the difference between the rest of the answers (i.e. disabling Hyper-V and Device Guard) and the following steps:

  1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn on Virtualization Based Security).
  2. Delete the following registry settings:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures

    Important: If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.

  3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt (started in admin mode), type the following commands:

     mountvol X: /s
     copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
     bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
     bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
     bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
     bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
     bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
     mountvol X: /d

  4. Restart the PC.

  5. Accept the prompt to disable Windows Defender Credential Guard.

  6. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
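An added PowerShell example (not from the thread; function names are my own) that covers the "verify if DG/CG is enabled" step of the earlier answer and step 2 above: it reads the VBS / Credential Guard state from the Win32_DeviceGuard WMI class and removes the three policy values as one unit, so the "delete them all" caveat is enforced by the script rather than remembered by hand.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original thread; function names are my own.

function Get-VbsStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled but
    # not running, 2 = running; SecurityServicesRunning holds 1 for Credential Guard
    # and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

# The registry values named in step 2, as key / value-name pairs.
$CgPolicyValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA';           Name = 'LsaCfgFlags' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'RequirePlatformSecurityFeatures' }
)

function Get-CgPolicyValues {
    foreach ($v in $CgPolicyValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $v.Path
            Name    = $v.Name
            Present = ($null -ne $item)
            Value   = $(if ($item) { $item.($v.Name) } else { $null })
        }
    }
}

function Remove-CgPolicyValues {
    param([switch]$WhatIf)
    $present = @(Get-CgPolicyValues | Where-Object Present)
    if ($present.Count -eq 0) { Write-Host 'No Credential Guard policy values present; nothing to remove.'; return }
    # All-or-nothing: show what will go, then remove every present value in one pass,
    # since a partial removal is what the BitLocker-recovery warning is about.
    $present | Format-Table Path, Name, Value -AutoSize | Out-Host
    foreach ($p in $present) { Remove-ItemProperty -Path $p.Path -Name $p.Name -WhatIf:$WhatIf }
}

Get-VbsStatus | Format-List
Remove-CgPolicyValues -WhatIf   # drop -WhatIf to delete, then continue with step 3
```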


If you are someone who maintains an open customized "Run as administrator" command prompt or PowerShell command line window at all times, you can optionally set up the following aliases / macros to simplify executing the commands mentioned by @gue22 for simply disabling the Hyper-V hypervisor when needing to use VMware Player or Workstation and then enabling it again when done.

doskey hpvEnb = choice /c:yn /cs /d n /t 30 /m "Are you running from elevated command prompt" ^& if not errorlevel 2 ( bcdedit /set hypervisorlaunchtype auto ^& echo.^&echo now reboot to enable hyper-v hypervisor )
doskey hpvDis = choice /c:yn /cs /d n /t 30 /m "Are you running from elevated command prompt" ^& if not errorlevel 2 ( bcdedit /set hypervisorlaunchtype off ^& echo.^&echo now reboot to disable hyper-v hypervisor )
doskey bcdL = bcdedit /enum ^& echo.^&echo now see boot configuration data store {current} boot loader settings

With the above in place you just type "hpvenb" [ hypervisor enabled at boot ], "hpvdis" [ hypervisor disabled at boot ] and "bcdl" [ boot configuration devices list ] commands to execute the on, off, list commands.


Well, boys and girls, after reading through the release notes for build 17093 in the wee small hours of the night, I have found the change point that affects my VMware Workstation VMs, causing them not to work: it is the Core Isolation setting under Device Security under Windows Security (new name for the Windows Defender page) in Settings.

By default it is turned on; however, when I turned it off and restarted my PC all my VMware VMs resumed working correctly. Perhaps a per-device option could be incorporated in the next build to allow us to test individual devices / apps and allow Core Isolation to be on or off per device or app as required.

Reference URL: https://stackoverflow.com/questions/39858200/vmware-workstation-and-device-credential-guard-are-not-compatible
