Credential Guard + VMware + Windows 10
VMware Workstation 15.5.5 now supports running with Credential Guard enabled on the latest Windows 10 (Windows 10 20H1 build 19041.264 or newer)! This is big news for enterprises and individual users, given the security controls we had to disable to be able to run virtual machines on our Windows 10 systems.
If you have “Check for product updates on startup” enabled in Edit – Preferences – Updates, you will be greeted with a screen stating that the VMware Workstation Pro 15.5.5 update is available. Take a closer look and you will see that the update now supports Hyper-V and “features like WSL and Device/Credential Guard”.
These are some of the most important security features that Windows 10 provides but users had to disable them to run virtual machines with VMware. I recommend updating VMware to 15.5.5. Once updated, read on to see how to enable Hyper-V and Credential Guard.
Once you install the update, ensure all your virtual machines are off and not suspended. This will avoid corrupting the state of the virtual machine after the upgrade.
The first step is to enable Hyper-V. Click the Start menu, type “Windows Features” and select “Turn Windows features on or off”. In the pop-up, expand Hyper-V and Hyper-V Platform, check “Hyper-V Hypervisor” and click OK.
Now go to the Local Security Policy by going to Start and typing gpedit.msc. Then navigate to Computer Configuration\Administrative Templates\System\Device Guard and double-click “Turn On Virtualization Based Security”. In the new window select “Enabled”, and in the Options enable “Credential Guard Configuration”. You can enable the other options based on your hardware and preference. Click OK and reboot.
The other method is to enable it with the Device Guard and Credential Guard hardware readiness tool. Download the tool from Microsoft and extract it. Open an elevated PowerShell (Start – type PowerShell – right-click – Run as Administrator). Change directory to the extracted tool and run it with .\DG_Readiness_Tool_v3.6.ps1. Read through the output, check first whether your hardware is supported with -capable, and then enable with -enable.
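To confirm after the reboot that either method took effect, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the original post or of Microsoft's readiness tool; it assumes the documented Win32_DeviceGuard WMI class and the Device Guard policy registry values, and the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of the prerequisites and the Credential Guard state.

# 1. Build requirement stated above: Windows 10 build 19041.264 or newer.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$ubr     = [int]$cv.UBR                      # update revision, the ".264" part
$buildOk = ($build -gt 19041) -or ($build -eq 19041 -and $ubr -ge 264)

# 2. The "Hyper-V Hypervisor" checkbox in Windows Features.
$hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-Hypervisor'

# 3. Value written by the "Turn On Virtualization Based Security" policy.
#    The key is absent when the policy was never configured.
$pol    = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
$flags  = if ($pol) { $pol.LsaCfgFlags } else { $null }
$lsaCfg = if ($flags -eq 1) { 'Enabled with UEFI lock' }
          elseif ($flags -eq 2) { 'Enabled without lock' }
          else { 'Not configured or disabled' }

# 4. Runtime state: a configured policy does not prove the service is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning   = $dg.VirtualizationBasedSecurityStatus -eq 2   # 0 = off, 1 = enabled but not running, 2 = running
$cgConfigured = $dg.SecurityServicesConfigured -contains 1    # 1 = Credential Guard
$cgRunning    = $dg.SecurityServicesRunning    -contains 1

[pscustomobject]@{
    WindowsBuild              = "$build.$ubr"
    BuildMeetsRequirement     = $buildOk
    HyperVHypervisorFeature   = $hv.State
    CredentialGuardPolicy     = $lsaCfg
    VbsRunning                = $vbsRunning
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
} | Format-List

# Failure mode worth catching: the setting is in place but the service never started.
if ($cgConfigured -and -not $cgRunning) {
    Write-Warning 'Credential Guard is configured but not running. Reboot if you have not, then re-run the readiness tool with -capable.'
}
```

If the second method was used instead of Group Policy, CredentialGuardPolicy can read "Not configured or disabled" while CredentialGuardRunning is still True, since this check only reads the policy key.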