What are these VMWare instructions actually doing? (Disabling device guard and removing EFI variables)

7

4

I'm trying to run a VMWare VM on my windows 10 device, but am getting an error that it is not compatible with Device Guard. I was directed to this page: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361

What are the instructions there actually doing?

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

Note: Ensure X is an unused drive, otherwise change to another drive.

Douglas Gaskell

Posted 2016-09-15T17:40:38.573

Reputation: 223

Answers

11

mountvol X: /s

Mounts the EFI system partition on to Drive X:

copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y

Copies the C:\Windows\System32\SecConfig.efi to X:\EFI\Microsoft\Boot\SecConfig.efi overwriting the file if it exists. This file is the boot image for windows' security configuration tool.

bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader

Creates a new option in the boot menu called "DebugTool" with the ID {0cb3b571-2f2e-4343-a879-d86a476d7215}

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"

Sets the boot option you created to boot to \EFI\Microsoft\Boot\SecConfig.efi

bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}

Tells the boot manager to make the new entry the default for the next reboot, after that reboot it should go back to normal boot.

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS

Tells the bootloader to pass the options DISABLE-LSA-ISO,DISABLE-VBS to the efi file when it launches the file.

bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:

Sets the partition for the booted drive to the X: drive.

mountvol X: /d

Unmounts the X Drive.

Now when you next reboot your computer it should restart with the "Debug Tool" option, every reboot after that should boot back in to normal windows.

Scott Chamberlain

Posted 2016-09-15T17:40:38.573

Reputation: 28 923

Thanks! So if I want, I can boot to a configuration that still had the Device Guard enabled(I would still need to enable it in GPEDIT)? Additionally, when they say that I should use an unused drive, does this mean a blank drive or a drive not used by windows? – Douglas Gaskell – 2016-09-15T18:24:16.430

you would turn it off and on by going in to "DebugTool" in the boot menu. When it says a unused drive it just means a letter that is not currently mapped by windows. – Scott Chamberlain – 2016-09-15T21:44:00.057

This helps to figure out how to set it all back. Thanks. – Tatiana Racheva – 2017-10-15T16:52:04.530

@TatianaRacheva if you want to remove it all you need to do is bcdedit /delete {0cb3b571-2f2e-4343-a879-d86a476d7215} – Scott Chamberlain – 2017-10-16T13:30:05.990

I don't remember if I figured out to delete that or not, but my system is back to normal :D – Tatiana Racheva – 2017-12-07T21:15:36.683

Asked: 2016-09-15T17:40:38.573

Viewed: 6 607 times

Active: 2018-05-22T23:13:49.420