When VirtualBox won’t let you start 64bit VMs: Windows Defender Device Guard

Virtualbox refusing 64bit VMs is something that happens to a lot of people it would seem. A quick search reveals hundreds, thousands, even millions of cries for help on this one…

Usually, two culprits are quickly offered and quite often, they are indeed the offending party:

  1. Disable HyperV
    • Enabling HyperV will make HyperV “grab” the virtualization hardware and it won’t play nice and share it with anyone else. To be frank, this is not a HyperV only issue, most (if not all) virtualization tools will do this: choose one solution for all your VM needs.
  2. Enable hardware virtualization in BIOS/UEFI
    • Yup, usually this is enabled, but sometimes this gets disabled and effectively blocks access to hardware virtualization.

But I am not going to talk about these two because many, many others have done so already. This post will tell you about a third bandit that might be stealing away your access to hardware virtualization.

But before we do that, let’s explain that last sentence: when you cannot start 64bit VMs, it means that your CPU either does not support 64bit applications (which is possible, but exceedingly rare these days), or that you do not have access to the virtualization hardware in your CPU. In this case, your computer will still allow you to run 32bit virtual machines using software-only virtualization. But since this is a software approach, it will be quite slow and mostly unusable because of that.

Device Guard

Windows Defender in Windows 10 has something called “Device Guard”. This is an enterprise-level feature that is probably only present in the “Pro” version of Windows 10, but I have not tested this hypothesis.

Device Guard will lock down access to hardware devices to run only “trusted” applications. More information can be found here: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide

I found a knowledge base article on the VMWare site that explained how VMWare workstation is “incompatible” with Device Guard here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361

In the VMWare KB article, it details how Device Guard refuses access to the virtualization hardware (sometimes causing BSOD). This sounds like something that could definitely get in the way of VirtualBox too, right?

So I followed the steps to disable Device Guard and yes, it did immediately solve my problem. My VirtualBox is humming along nicely now. 🙂

Since things can and do disappear from the Internet, I’ve copied the KB content below:

To disable Device Guard or Credential Guard:

  1. Disable the group policy setting that was used to enable Credential Guard.
    1. On the host operating system, click Start > Run, type gpedit.msc, and click Ok. The Local group Policy Editor opens.
    2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
    3. Select Disabled.
  2. Go to Control Panel > Uninstall a Program > Turn Windows features on or off to turn off Hyper-V.
  3. Select Do not restart.
  4. Delete the related EFI variables by launching a command prompt on the host machine using an Administrator account and running these commands (straight quotes, not the curly quotes the copied page shows):

    mountvol X: /s
    copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
    bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
    bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
    mountvol X: /d

    Note: Ensure X is an unused drive letter, else change it to another letter.
  5. Restart the host.
  6. Accept the prompt on the boot screen to disable Device Guard or Credential Guard.
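Before disabling anything, it helps to know which of the three culprits (BIOS/UEFI setting, Hyper-V, Device Guard/VBS) is actually holding the virtualization hardware. The following read-only PowerShell check is an added example, not part of the post or the VMware KB; it queries the standard WMI classes Win32_Processor, Win32_ComputerSystem and Win32_DeviceGuard plus the DeviceGuard registry key, and assumes an elevated prompt on a Windows 10 host.

```powershell
# Added diagnostic (not from the post or the VMware KB): report, without changing anything,
# which of the three conditions discussed above is keeping VT-x/AMD-V away from VirtualBox.
# Run from an elevated PowerShell prompt on the Windows 10 host.

# 1. Does the CPU offer hardware virtualization, and is it enabled in BIOS/UEFI?
#    Caveat: with a hypervisor running, the host sees a virtual CPU and
#    VirtualizationFirmwareEnabled may read False even though the BIOS setting is on.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
"VT-x/AMD-V supported (VMMonitorModeExtensions)      : $($cpu.VMMonitorModeExtensions)"
"Enabled in BIOS/UEFI (VirtualizationFirmwareEnabled): $($cpu.VirtualizationFirmwareEnabled)"

# 2. Is the Hyper-V hypervisor installed, and is a hypervisor running right now?
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
"Hyper-V hypervisor feature state                    : $($hv.State)"
$hvRunning = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
"Hypervisor currently running (HypervisorPresent)    : $hvRunning"

# 3. Is Virtualization Based Security (Device Guard / Credential Guard) configured or running?
#    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
#    SecurityServicesRunning: 1 = Credential Guard, 2 = hypervisor-enforced code integrity
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"VBS status                                          : $($dg.VirtualizationBasedSecurityStatus)"
"VBS services running                                : $($dg.SecurityServicesRunning -join ',')"
# The registry switch behind the "Turn on Virtualization Based Security" policy from step 1 above
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
"EnableVirtualizationBasedSecurity (registry)        : $($reg.EnableVirtualizationBasedSecurity)"

# Summary: VirtualBox only gets the hardware when none of the three is in the way.
$blockers = @()
if (-not $cpu.VirtualizationFirmwareEnabled) {
    $blockers += 'hardware virtualization disabled in BIOS/UEFI (or hidden by a running hypervisor)'
}
if ($hvRunning) { $blockers += 'a hypervisor (Hyper-V) is running and owns VT-x/AMD-V' }
if ($dg.VirtualizationBasedSecurityStatus -ne 0) {
    $blockers += 'Virtualization Based Security (Device Guard / Credential Guard) is enabled'
}
if ($blockers.Count -gt 0) {
    "Likely blockers:`n - " + ($blockers -join "`n - ")
} else {
    'No blocker found: VT-x/AMD-V should be available to VirtualBox.'
}
```

If the summary names only VBS, the gpedit and bcdedit steps above are the relevant ones; if a hypervisor is running, disabling Device Guard alone will not free the hardware.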

Conclusion

Now, to be sure, this is not the ideal situation. Device Guard sounds like a “good” thing and simply disabling it is a bit heavy-handed. I would assume that both VMWare and Oracle should be able to make their products work with Device Guard, but today this is not the case.

11 thoughts on “When VirtualBox won’t let you start 64bit VMs: Windows Defender Device Guard”

  1. Do you know which versions of VMware or VirtualBox are capable of fixing this problem?
    Thanks in advance.

    1. As far as I know, none so far. But I must admit I stopped trying a while ago.

      Considering Virtualbox is primarily used by consumers who typically do not have hardware with enterprise security features like Device Guard, I would not be surprised that this is something not many people encounter and therefore low on the “need to fix” list. But I can very well be wrong about that.

      Of course, the HyperV that comes with Windows 10 works fine with Device Guard so you could use that. But for Linux VMs, HyperV has limitations that make it impossible to use for me.

  2. Holy crap. Thank you SO much for this. I have been going insane for the past few months with this new laptop wondering why Hyper-V would work but VirtualBox wouldn’t. This totally solved my problem. Do you have a beer donation fund?

    1. Glad you found this helpful.

      “One is glad to be of service!” (Bonus points if you get the movie reference. 😉 )

      I don’t have a beer fund, but I always appreciate it when people “spread the news”. 😀

      1. I did find a small issue – and maybe this is known – the changes that are made in the script run don’t persist through a shutdown.

        Thoughts? Email me…

        1. That is strange. On my Surface Pro 4, the changes do persist…
          I am assuming you mean the EFI settings? Maybe there is something in your computer’s BIOS that is resetting the Device Guard?

  3. Hi, thank you for the guide, but can you explain what you mean by changing X to an unused drive? I only have one drive. Should I just change X to ‘C’?

    1. No, if you already have a C drive you have to pick another letter. The letter you pick, let’s use V for example, will be used to mount a logical drive onto. Once you run the command, you’ll have a V drive in addition to your C drive. (But of course, you can just use the letter X for your logical drive too.)

      Through this V drive you’re then able to access the EFI partition, which is where your BIOS lives, and make the changes to disable the guard.

      So use whatever letter you want to mount the EFI environment, except any drive letter that you already have in use. If you only have a C drive, use any letter except C. In your case, just leave the X as it is in the example commands and you should be fine.

  4. Thank you for leading me into what was the solution for my problems. I had “Windows Defender Application Guard” enabled in “Turn Windows features on or off” and just needed to disable it to get VirtualBox up and running again.

Copyright © 2016 · All Rights Reserved · Jhon's Blog