What are these VMware instructions actually doing? (Disabling device guard and removing EFI variables)
mountvol X: /s
Mounts the EFI system partition onto drive X:
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
Copies C:\Windows\System32\SecConfig.efi to X:\EFI\Microsoft\Boot\SecConfig.efi, overwriting the file if it exists. This file is the boot image for Windows' security configuration tool.
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
Creates a new option in the boot menu called "DebugTool" with the ID {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
Sets the boot option you created to boot to \EFI\Microsoft\Boot\SecConfig.efi
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
Tells the boot manager to make the new entry the default for the next reboot; after that reboot it should go back to normal boot.
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
Tells the bootloader to pass the options DISABLE-LSA-ISO,DISABLE-VBS to the EFI file when it launches the file.
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
Sets the partition for the booted drive to the X: drive.
mountvol X: /d
Unmounts the X Drive.
Now when you next reboot your computer, it should restart with the "Debug Tool" option; every reboot after that should boot back into normal Windows.
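A way to check the state those commands leave in the boot configuration, as an added example that is not part of the original answer: it parses saved `bcdedit /enum all` output and reports whether the SecConfig.efi entry exists, which of the two load options it carries, and whether it is still queued in `bootsequence`. It assumes English-language output without `/v`; the sample text and the function names are constructed for illustration.

```python
import re

# GUID and option names come from the commands above; SAMPLE is constructed.
ENTRY_ID = "{0cb3b571-2f2e-4343-a879-d86a476d7215}"
WATCHED = {"DISABLE-LSA-ISO", "DISABLE-VBS"}
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
bootsequence            {0cb3b571-2f2e-4343-a879-d86a476d7215}

Windows Boot Loader
-------------------
identifier              {0cb3b571-2f2e-4343-a879-d86a476d7215}
path                    \EFI\Microsoft\Boot\SecConfig.efi
loadoptions             DISABLE-LSA-ISO,DISABLE-VBS
"""

def parse_bcd(text):
    """Split `bcdedit /enum all` text into one {element: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, key = {}, None
        for line in block.splitlines():
            m = re.match(r"(\S+)\s{2,}(\S.*)", line)
            if m:  # "name   value"; section titles and dashed rules never match
                key = m.group(1).lower()
                entry[key] = [m.group(2).strip()]
            elif key and line[:1].isspace() and line.strip():
                entry[key].append(line.strip())  # continuation of a list value
        if "identifier" in entry:
            entries.append(entry)
    return entries

def audit(text):
    """Report whether the SecConfig.efi entry exists and is queued for next boot."""
    found = {"entry_present": False, "queued_for_next_boot": False,
             "path": None, "disables": []}
    for e in parse_bcd(text):
        ident = e["identifier"][0].lower()
        if ident == "{bootmgr}":
            seq = [v.lower() for v in e.get("bootsequence", [])]
            found["queued_for_next_boot"] = ENTRY_ID in seq
        elif ident == ENTRY_ID:
            found["entry_present"] = True
            found["path"] = e.get("path", [None])[0]
            opts = re.split(r"[,\s]+", " ".join(e.get("loadoptions", [])).upper())
            found["disables"] = sorted(WATCHED.intersection(opts))
    return found
```

Run `audit()` on output captured before and after the reboot: an entry that is present but no longer queued is the leftover that `bcdedit /delete` removes.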
Douglas Gaskell
Updated on September 18, 2022
Comments
-
Douglas Gaskell almost 2 years
I'm trying to run a VMware VM on my Windows 10 device, but am getting an error that it is not compatible with Device Guard. I was directed to this page: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361
What are the instructions there actually doing?
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
Note: Ensure X is an unused drive, otherwise change to another drive.
-
Douglas Gaskell almost 8 years
Thanks! So if I want, I can boot to a configuration that still had the Device Guard enabled (I would still need to enable it in GPEDIT)? Additionally, when they say that I should use an unused drive, does this mean a blank drive or a drive not used by Windows?
-
Scott Chamberlain almost 8 years
You would turn it off and on by going into "DebugTool" in the boot menu. When it says an unused drive, it just means a letter that is not currently mapped by Windows.
-
Tatiana Racheva over 6 years
This helps to figure out how to set it all back. Thanks.
-
Scott Chamberlain over 6 years
@TatianaRacheva if you want to remove it, all you need to do is
bcdedit /delete {0cb3b571-2f2e-4343-a879-d86a476d7215}
-
Tatiana Racheva over 6 years
I don't remember if I figured out to delete that or not, but my system is back to normal :D