Windows 10 Security and VirtualBox

Discussions related to using VirtualBox on Windows hosts.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

I'll also add that the tutorials posted earlier in this topic point out that MS services that enable Hyper-V exist in Home too, so a good read of tutorials presented is a positive thing.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

mpack and Team,

Thank you for that heads up. After I did all the steps from this forum and the MS docs file (two registry adds/edits) and rebooted and then powered off the machine, Then the VB and VM worked without interference from Windows 10, even with all the new security fixes and .net updates.

That being said, I still get the green turtle/native API load in Ubuntu VM because, despite turning all the Windows 10 security down, the BIOS AMD-V being enabled is still being seen by Windows, and the virtualization system is still picking it up as a feature, and stopping VB from accessing the vitual device hardware. Short of disabling AMD-V in the BIOS, I don't see a better idea to stop ALL the virtualization security overkill in Windows.

I get the reasoning, but the implementation and control sets (registry edits) are really badly designed. I see if you have a Pro device (or Enterprise), you can use group policy console gui to see all the security settings in their environment, and get direct control to set them on or off as needed to run your preferred VM (and VB).

Just as a reply to your previous mpack: https://docs.microsoft.com/en-us/virtua ... le-hyper-v
But as I said, and you did also, it is still turning it "on" in Windows 10 Home, and hurting VB or other software, you can see it even after fixing the issues in msinfo32 (run as administrator).
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Hi Team,

Just a quick note. Thank you both! I used the steps provided in this forum from scottgus1 and mpack to solve this issue, and as expected, it all worked as it should. Reading the tutorials is important, just as well as making sure your machine is up to date before you start (obviously).

Now as a closing point, I closed the MS community question after I found that MS had already answered this original question. (See above MS documents links). Now, it does not say that MS approved of these security adjustments to their OS, but they did provide safe instructions for the solution.

So we have to do something that in an ideal world would not be required, but we all know that any computer system comes with risks, and rewards. And, just when you think you have it all figured out, another system comes around and changes everything around!

I have only had one malware infection in a Windows Machine in 2005. It was an old 16-bit game my wife played on an online server, and it destroyed the data on the drive, and the OS. It took a couple of days to fix (after work), but we did get it back up and running, then I added a 3rd party AV and no more problems.

On that PC, Windows XP Pro was running with all the XP security running, but we had a fiber to the curb connection (800 Mbs down 500 Mbs up) so when a virus slipped through from the ISP, it spread quickly. It is the main reason to this day that I turn my machines off when I am not working in front of them!

Thanks to the whole team for your help! I will stay engaged here for a few weeks as we see what MS does to my non-eligible Win 11 (Win 10) computer between now and October. Health and Happiness to all the group! :D
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

mpack,

Did you get your new HP system to behave? Just wanted to see, and catch you up on things from here:

I had to run UEFI Diagnostics in the BIOS level. HP Diagnostics were out of date due to an AMD BIOS update (fTPM 1.2 to 2.0) so updated it. I had previously removed the HP Windows 10 Diagnostics in Add and Remove Programs, so when I updated the UEFI stuff, I checked and HP did not put it back in Windows.

Also, I checked the logs in VM for the Hyper-V messages, for Ubuntu Guest, "WHvCapabilityCodeHypervisorPresent is TRUE" and that was there, and the VM was trying to use it, but it was seeing some AMD level features from the CPU AMD-V (A9-9425) that it did not understand, so I think it aborted the load (Hardware Virt) and just loaded the native API and closed the Virt socket. (At least in Ubuntu). I am a green turtle!

And I did go back into VB Console and re-run setup on Ubuntu, and let the hard disk default format in setup, and the system behaved normally. Hope all is well where you are stay healthy!
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Windows 10 Security and VirtualBox

Post by mpack »

Oracleiscool wrote: Did you get your new HP system to behave? Just wanted to see, and catch you up on things from here:
Behave in what sense? I didn't have a problem.

Yes, I mention a minor irritation above: on my work PC I discovered HP ProtectTools had been installed despite it not being part of the corporate image. IT removed that, problem solved. Likewise my home PC had a lot of unasked for "assistance tools" to give crash reports to HP on request. I disabled that.

The FAQ explains how to get rid of the green turtle. It's really very simple and repeated in many places.
bcdedit /set hypervisorlaunchtype off
<followed by a reboot from full power off>
Once you start thrashing around (BIOS updates and the like) most of us will lose interest I suspect.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

OK Team,

All is well. Three days of VirtualBox on Windows 10 and no errors! Even after more updates to 21H1 and .net framework. Now Windows 10 Security, that is a different beast. Once a day, the notifier wakes up and sees all the Hyper-V Security Stuff is off, and starts posting stuff, but you can silence the system and then move on. At least the OS is still working and not locking up. And VirtualBox is happy, so win-win. Just think, all this started because of a firmware update and enhanced security. :wink:

I sent a MS Feedback (Suggest) to add a GUI for Windows Home and other lower than Professional Versions.... maybe they'll look at that as a future allow. I know they already have that feature in higher level OS versions, so we'll see. And I framed it in context to Type 2 Hypervisors.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

So now we can say we are NOT in control for real:

Checked the HP Laptop Tonight, for updates in guest OS (not run for 4 days). Windows 10 was getting normal updates via their channel. The only security setting that I had left alone was core isolation (left on as it was not affecting the VM console at the time I fixed the other security settings). All other added security was off or excluded as per this and other referenced forums.

So tonight, I went to start VM and it crashed with the same previously posted console error, a problem I had already corrected! I turned off core isolation, Windows demanded a reboot, then came back with standard security, and the proper "V" icon in the VB manger taskbar (No more turtle).

I guess Windows got my message in the feedback post about the addition of a GUI for security. Something was changed. So if you choose to run VB, you will lose enhanced security in Windows. Bottom line.

And now given this incident, I can't say that they (MS) won't continue to cause VB and VM to crash if any Windows Security catches it running (either/or).

I think they are making their position clear by their activity, since they certainly can't speak about it or answer simple requests.

I think they will eventually lock VB out of Windows. Especially if they invested in a TPM and UEFI Secure Boot on their own hardware.

Let this be a warning to Windows 11 users.... you are next! How much more control will they have over your machine (did you actually read the MS agreement when you setup your system?...maybe you should)? :twisted:
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

There's quite a story going on here! I might be able to provide a Cliff's Notes: :lol:

Microsoft has decided to increase security on Windows. Apparently, being the number one malware vector for a couple decades has turned out not too strong a marketing point, and they are doing something about it.

Since Windows Home customers may be far more likely to only browse the web, watch videos, and social network, but not run hypervisors, the Home environment is going to lean more towards enhanced security, which resets itself more often than not, so the old "#1 virus stream" moniker doesn't return.

Pro and higher, though, have means to force Windows security to the balance of security and usefulness for more esoteric programs like hypervisors. Group Policy Editor can bring Windows Update and other such security devices under more granular control. A person who wants the computer's security to not break Virtualbox does well to use Pro & GPE, not Home.

The back page summary: For Virtualbox, buy Pro, not Home.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Scott and Team,

100% Correct!

As if by a miracle from a higher authority, the net is filled with stories today on Windows 11 back-peddling on working as a VM in VB. So now Oracle and VirtualBox will need to add a new TPM and Secure Boot Emulator to VB Console to make Windows 11 see an approved (by MS) system it can load on and run!

OK, so now all the problems I was having so close to the launch of Win 11 make sense. I am so glad that my new HP Laptop "Does NOT meet the minimum requirements for Windows 11".

My only learning curve will be to teach Linux to my family. Money is tight right now, and MS thinks I have a ton of money to go buy a new laptop? Who are these people? I told my wife and kids that if they need a new Windows 11 device, make your employer provides it and the software to you. You could easily make a case for that with a new OS and hardware.

So are we now going to move this forum subject (aka scott "cliff notes :) ) into the Windows 11 Security Forum? I know engineers must be P.O.'d right now with MS on this back-peddle on VB. I can't help with Windows 11 (I can't "officially" use it). I would really like to go back to DOS 6.22, and start over please? Is MS going to make the updates to Windows 11 back-channel to Windows 10 until 2025? If so, then Windows 10 will be Windows 11 without all the bells and whistles of 11. What a mess!
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

There are active topics in Windows Guests now re 11, TPM, and Virtualbox. Please feel free to investigate there on those subjects. Virtualbox is developing a virtual TPM as we type.

Per "One issue per thread", this topic should stay on "Windows 10 Security and VirtualBox".
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

OK Team,

This is all for the team and the user base, so everything is important right now. I will keep an eye on our home system and report anything that changes the operation of the console (VB) or the VM. I have intentionally not used the VM much as a real daily driver, and it may behave differently once the console is updated.

I know trying to setup a dual boot on the core machine (UEFI Secure Boot) with Ubuntu was a real PITA, and I could never get it to work right (My lack of training on TPM and Secure Boot Tools).
Also, Windows 10 does not like to share on a main hardware drive UNLESS that share was setup on a new install (using their format tool on initial setup).

If I run a manual drive partition in gparted before I setup Ubuntu in VirtualBox, and make it "look" like a Windows system setup (Inside the VM during a VM install)-see the post above-FAT32 as a boot table, then a C: drive, then some empty space at the end (or a swap), and then if I run any file tools in Host Windows 10 in the admin console for Powershell, the tools will see this virtual drive and report it as needing a SFC scan check as the Windows RE (Recovery Environment) is not properly setup! I didn't know windows was watching VM partitions, or at least not for their structure. Weird.

Although these are not security related, they effect the way these devices communicate, and will cause failures from Secure Boot, and possibly the TPM. Two things I have noticed in these areas as I tried them: (1)TPM is a zero-tolerant device, and the learning curve for adding other than MS products can be brutal. That, and (2) Secure Boot (UEFI) using the MOK-UTIL tools all work, but if a kernel update hits the Debian/Ubuntu OS, you may not be able to recover the OS if TPM or the Secure Boot sees it as a fake kernel. Windows automates this in their OS, so it is transparent to us.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

mpack and scottgus1;

Got a huge 21H1/.net update for Win 10, lots of security and cpu (AMD) code, even though MS said there were no major updates (so why did it take nearly 45 minutes to install and update?) Their number KB5006365 . Just adding this as a precaution after seeing lots of forum activity on 6.1.28. :wink:

So here we go again! viewtopic.php?f=6&t=104286
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Just an update:
Because of the intrinsic security features being constantly updated in Windows 10, the Service and Security updates (including changes to the NTFS/Boot) being received that continually break the VirtualBox install(s), changing dynamically the drive size and partitions, or significantly slowing down both the Host and Guest, we decided to keep the single windows OS on our main machine.
Trying to constantly fight MS (Which has never addressed my original post referenced on this forum!) as they continue to isolate their core for security has made it nearly impossible to use Windows (any version) reliably on a dual-boot system.
Conclusion: If you are a normal user, and have family that EXPECTS a machine to be ready to use at a moments notice, or need a system for their work, then keep it simple!
VirtualBox is a great Virtual Machine, but is constantly being "attacked" by changes in the host (Windows), and that seems to be as much a marketing/sales thing as it is a security issue.
I think my next hardware purchase will be without an OS, just to have some control over the machine. Or an abacas!
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Well now we have a real update from Windows:

I am "playing" with Docker Desktop and WSL2 in 22H2. Using full enhanced security and containerized Debian and Ubuntu with GUI apps from wget. Now I will say they are still greedy on the full desktop, and app support. And Virtualbox install still fails for header and security (MOKUTIL) if run from an install inside the containerized Debian or Ubuntu.

But we are moving forward now.

I know I can run a manual install, and run the security protocols to get a loadout of Virtualbox, but I do not want a virtual virtual virtual machine state on one hardware device. Too much smoke and mirrors... can someone get a .appx or tarball set for Virtualbox approved by Windows WSL2 team so we can run distros or OS devices that Windows has not yet officially wget wsl2 approved? And may never. They seem to have a preferred set of os's they like. That is fine, but it should not cause Virtualbox to change their mission.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

Oracleiscool wrote:can someone get a .appx or tarball set for Virtualbox approved by Windows WSL2 team
Are you asking to have Virtualbox released in the Microsoft Store? Or at least in a Store-compatible format?

If so, why would this do anything different from the normal downloadable exe?

Is your ultimate concern that you don't want to turn off Windows security features to get Virtualbox to run?

(in 100 words or less please :lol: )
Post Reply