Windows-itpro-docs: Command line instructions are incorrect

Created on 11 Apr 2019 · 18 Comments · Source: MicrosoftDocs/windows-itpro-docs

The block:
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\MicrosoftBoot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\MicrosoftBoot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
bcdedit /set hypervisorlaunchtype off
mountvol X: /d

is incorrect - it results in the following output:

C:\WINDOWS\system32>mountvol X: /s
The parameter is incorrect.

C:\WINDOWS\system32>copy %WINDIR%\System32\SecConfig.efi X:\EFI\MicrosoftBoot\SecConfig.efi /Y
The system cannot find the drive specified.

C:\WINDOWS\system32>bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
The entry {0cb3b571-2f2e-4343-a879-d86a476d7215} was successfully created.

C:\WINDOWS\system32>bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\MicrosoftBoot\SecConfig.efi"
The operation completed successfully.

C:\WINDOWS\system32>bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
The operation completed successfully.

C:\WINDOWS\system32>bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
The operation completed successfully.

C:\WINDOWS\system32>bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
The device is not valid as specified.
Run "bcdedit /?" for command line assistance.
A device attached to the system is not functioning.

C:\WINDOWS\system32>bcdedit /set hypervisorlaunchtype off
The operation completed successfully.

C:\WINDOWS\system32>mountvol X: /d
The system cannot find the file specified.

The help for mountvol doesn't show a /s parameter.

Please fix.



All 18 comments

Sorry, my bad. I deleted my previous comment because I realized there is a real difference between Windows Server versions of Windows and Desktop/Laptop versions of Windows.

The command mountvol looks like this (see below) on a Windows 2016 Server:

C:\Users\Administrator>mountvol /?
Creates, deletes, or lists a volume mount point.

MOUNTVOL [drive:]path VolumeName
MOUNTVOL [drive:]path /D
MOUNTVOL [drive:]path /L
MOUNTVOL [drive:]path /P
MOUNTVOL /R
MOUNTVOL /N
MOUNTVOL /E
MOUNTVOL drive: /S

    path        Specifies the existing NTFS directory where the mount
                point will reside.
    VolumeName  Specifies the volume name that is the target of the mount
                point.
    /D          Removes the volume mount point from the specified directory.
    /L          Lists the mounted volume name for the specified directory.
    /P          Removes the volume mount point from the specified directory,
                dismounts the volume, and makes the volume not mountable.
                You can make the volume mountable again by creating a volume
                mount point.
    /R          Removes volume mount point directories and registry settings
                for volumes that are no longer in the system.
    /N          Disables automatic mounting of new volumes.
    /E          Re-enables automatic mounting of new volumes.
    /S          Mount the EFI System Partition on the given drive.

Possible values for VolumeName along with current mount points are:

    \\?\Volume{cbb8e626-be0b-45de-b7c9-63e997ddf667}\
        C:\

    \\?\Volume{e9f09030-2bf1-4812-a09a-fc537d1e16a1}\
        E:\

    \\?\Volume{a317323c-5890-490c-8306-7dcc627050c7}\
        *** NO MOUNT POINTS ***

    \\?\Volume{99f58b42-ade6-11e7-965d-806e6f6e6963}\
        D:\


C:\Users\Administrator>_

@RichardRanft: Did you perhaps test the script on a Windows 10 computer instead of Windows Server?

@illfated That would be exactly why.
So, complete and correct instructions for dealing with this on all platforms where such is relevant would be the ideal documentation outcome.
The operation succeeded (disabling of Device Guard) but I thought it would be good to point out that this is a "mistake" in the instructions since it doesn't address all platforms where this annoying bit of "helpful" software is deployed (silently and well-hidden, I might add).

Thank you for the feedback & reply. To me, it looks like there is a common issue with some users testing the script on non-UEFI computers (even if the OS could be the correct one), ending up with scenarios where it may not work as expected or intended. I will leave this question open to the Microsoft Docs team members to check & verify if the current documentation needs more clarification.

Looking at the Feedback section (https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#feedback) and seeing the 10 currently open issues, it is certainly plausible that multiple users have trouble finding out what the requirements are for this script to work properly.

BTW, the section in question is Disable Windows Defender Credential Guard

and the contents of the script block:

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
bcdedit /set hypervisorlaunchtype off
mountvol X: /d

To clarify - the desired outcome was achieved. I was able to disable the feature as intended. However, the version of mountvol on my computer (Win10 pro) did not have a /s switch. Since Windows Defender Credential Guard was installed either as part of the initial setup or as part of Windows Update on this platform _it would be nice to have_ instructions for each platform upon which this "feature" can be installed, notes for optional/alternative steps, or at least notes on possible errors and their causes/impact.

I agree, even if I don't have access to a scenario where implementing and removing this feature will be practical (I only have got 1 production server running at my workplace, and most of the other computers are unavailable for testing).

From my point of view, it would be practical with added clarification, although I would also like to hear from the MS Docs team members and other IT professionals, whether this documentation is intended for users who already are aware of the difference between Windows 10 and Windows Server versions of the mountvol command/program.

@officedocsbot assign @e0i

@RichardRanft, @illfated Thank you all for valuable feedback and discussion.

The issue is under investigation and you will be notified with any changes on the way.

@RichardRanft : You may want to revisit the page from time to time and see what changes are made to it.

The list of added changes can be found here:

@RichardRanft: This issue commonly occurs when you do not have a UEFI system or there is no UEFI partition for the mountvol to find. Could you please output your partition list?

@illfated @e0i: I was thinking of adding a PowerShell script as well in addition to the one for cmd. Do you think this would help people in the future or make things more confusing?

Disk 5 is optical.

Disk ### Status Size Free Dyn Gpt


Disk 0 Online 931 GB 0 B * *
Disk 1 Online 931 GB 0 B
Disk 2 Online 3726 GB 2048 KB *
Disk 3 Online 931 GB 464 MB *
Disk 4 Online 3725 GB 0 B *
Disk 5 No Media 0 B 0 B

0
Partition ### Type Size Offset


Partition 1 Recovery 300 MB 1024 KB
Partition 2 Dynamic Reserved 1024 KB 400 MB
Partition 3 Reserved 127 MB 401 MB
Partition 4 Dynamic Data 930 GB 528 MB

1
Partition ### Type Size Offset


Partition 1 Primary 931 GB 1024 KB

2
Partition ### Type Size Offset


Partition 1 Reserved 128 MB 1024 KB
Partition 2 Primary 999 GB 129 MB
Partition 3 Primary 1047 GB 1000 GB
Partition 4 Primary 1678 GB 2048 GB

3
Partition ### Type Size Offset


Partition 1 Dynamic Data 992 KB 31 KB
Partition 2 Dynamic Data 931 GB 1024 KB
Partition 3 Dynamic Data 464 MB 931 GB

4
Partition ### Type Size Offset


Partition 1 Primary 3725 GB 1024 KB

On Fri, May 10, 2019 at 3:35 PM botmoto notifications@github.com wrote:

@RichardRanft https://github.com/RichardRanft: This issue commonly
occurs when you do not have a UEFI system or there is no UEFI partition for
the mountvol to find. Could you please output your partition list.

@illfated https://github.com/illfated @e0i https://github.com/e0i: I
was thinking of adding a Powershell script as well in addition to the one
for cmd. Do you think this would help people in the future or make things
more confusing?


@illfated @e0i: I was thinking of adding a PowerShell script as well in addition to the one for cmd. Do you think this would help people in the future or make things more confusing?

I would like to see a PowerShell script added to the documentation, because there seems to be some confusion floating out there already (like in issue #1924 "DOES NOTHING").

On a Windows 10 Pro 64-bit, I ran into issues with /s switch, which was apparently not supported. It turned out that this is because someone installed Windows without using UEFI boot so it did not have the UEFI partition. Reinstalling Windows with UEFI turned on fixed the issue for me.
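
A read-only pre-flight check for the condition described in the comments above (no UEFI boot, or no EFI System Partition for mountvol to find), as an added example that is not part of the original thread or of Microsoft's documentation. It assumes an elevated PowerShell 5.1 session; the function name Test-EspMountPrerequisite is hypothetical, and the drive letter X is taken from the documented block.

```powershell
# Read-only pre-flight check: queries state, changes nothing.
# Assumptions: elevated PowerShell 5.1+, Windows 10 / Server 2016 or later.
# Test-EspMountPrerequisite is a hypothetical name used for this example.

$EspGptType  = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'  # GPT type GUID of an EFI System Partition
$DriveLetter = 'X'                                       # letter used by the documented block

function Test-EspMountPrerequisite {
    # 1. Firmware mode the OS was booted in (Bios or Uefi).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # 2. EFI System Partitions on any disk; MBR partitions have no GptType.
    $esp = @(Get-Partition | Where-Object { $_.GptType -eq $EspGptType })

    # 3. The target letter must not already be assigned (includes empty optical drives).
    $inUse = [System.IO.DriveInfo]::GetDrives().Name -contains "${DriveLetter}:\"

    # 4. The file that the documented block copies to the ESP.
    $secConfig = Test-Path -LiteralPath (Join-Path $env:WINDIR 'System32\SecConfig.efi')

    [pscustomobject]@{
        FirmwareType     = $firmware
        EspCount         = $esp.Count
        EspDiskNumbers   = $esp.DiskNumber -join ','
        DriveLetterFree  = -not $inUse
        SecConfigPresent = $secConfig
        Ready            = ($firmware -eq 'Uefi') -and ($esp.Count -gt 0) -and
                           (-not $inUse) -and $secConfig
    }
}

$check = Test-EspMountPrerequisite
$check | Format-List
if (-not $check.Ready) {
    # In the transcript at the top of this issue, mountvol failed but the bcdedit
    # commands still ran and changed the boot sequence; stop before that point.
    Write-Warning 'Prerequisites not met: do not run the mountvol/bcdedit block on this machine.'
}
```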

Didn't work on my local German 1903 - Build 18362.239.
Had to change the strings:

-- Microsoft-Hyper-V-Online
++ Microsoft-Hyper-V

-- $OSArch = $(gwmi win32_operatingsystem).OSArchitecture
++ $OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()
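
Review bot: In the second change, .tolower() is culture-sensitive, and the value it normalizes, Win32_OperatingSystem.OSArchitecture, is a localized display string, so lowercasing removes a casing difference but does not help on locales where the text itself differs. Prefer .ToLowerInvariant() on that line, or avoid matching the display string at all by testing [Environment]::Is64BitOperatingSystem. The first change shows only the two feature names with no surrounding line, so it is not clear which command it applies to; the patch should include the full line being changed.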

Which got me a step further.

Then I also learned from https://www.ivobeerens.nl/2013/12/16/running-hyper-v-and-vmware-workstation-on-windows-8-x/
that it was necessary to also deactivate the Role.
bcdedit /set hypervisorlaunchtype off

patch.diff.txt

Now works like a charm. Thanks to all previous Commenters.
-Thorsten

Good point. $OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower() has been corrected in a different page.

For the .tolower() part, see issue https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3869
and its resolving Pull Request https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3881

For the $OSAch typo correction to $OSArch, see PR https://github.com/MicrosoftDocs/windows-itpro-docs/pull/4436

OK. In short, I do think the Script has the following general issues:
1) ErrorHandlingPrevention: E.g. Check for RegKeys / File Existence and Cope with Errors.
2) Check if the DISM /disable-Feature successfully removed the HyperVisor Role.
3) Mention Logfiles location. / Option for cleanup.
regards, Thorsten

Related issue: #4679
