Squark wrote: I'm not sure what you mean by exporting the registry
fth0 wrote: Right-click on "DeviceGuard" in the left pane, choose export and give the export file the name "DeviceGuard.reg". This will create a small file with the whole registry subtree starting with "DeviceGuard" as its root. Do the same for "Lsa" and "CI", put the .reg files in a zip file and attach that to a post. The registry settings will give further details than the msinfo32 output you already provided.
Ah, I see. The zip file is attached.
VM does not start after being imported to new host
Re: VM does not start after being imported to new host
Attachments: reg_files.zip (3.32 KiB)
-
- Volunteer
- Posts: 5668
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: VM does not start after being imported to new host
Thanks for the Windows registry excerpts! The combination of settings should not activate VBS.
As a test, you could disable the remaining settings nonetheless by setting the following registry keys to 0, reboot the host and try if the issue persists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
Note that editing the Windows registry is a potentially dangerous operation that can render your host OS unbootable. So the general rule applies: No backup - no mercy!
Re: VM does not start after being imported to new host
fth0 wrote: Thanks for the Windows registry excerpts! The combination of settings should not activate VBS.
As a test, you could disable the remaining settings nonetheless by setting the following registry keys to 0, reboot the host and try if the issue persists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
Note that editing the Windows registry is a potentially dangerous operation that can render your host OS unbootable. So the general rule applies: No backup - no mercy!
This did the trick! The blue V icon now shows up in the status bar instead of the turtle and everything looks like it runs fine. Thanks so much for the help!
Re: VM does not start after being imported to new host
Thanks for reporting back!
It would have been of interest which of the two settings was necessary ...
Re: VM does not start after being imported to new host
fth0 wrote: Thanks for reporting back!
It would have been of interest which of the two settings was necessary ...
I tested this now by setting the VulnerableDriverBlocklistEnable key back to 1 and rebooted, and I can confirm the VM still works, so I assume it was whatever under SystemGuard that was causing the issue.
-
- Site Moderator
- Posts: 20965
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: VM does not start after being imported to new host
Squark wrote: whatever under SystemGuard that was causing the issue
The "SystemGuard" registry key is discussed in the tutorial, post #2.
scottgus1 wrote: There's a link about DeviceGuard in the tutorial.
Squark wrote: Okay, so I went through all the steps for disabling Hyper-V
Looks like you missed a step...
Re: VM does not start after being imported to new host
Squark wrote: I tested this now by setting the VulnerableDriverBlocklistEnable key back to 1 and rebooted, and I can confirm the VM still works, so I assume it was whatever under SystemGuard that was causing the issue.
Thanks again for testing and confirming what I suspected!
scottgus1 wrote: Looks like you missed a step...
FWIW, it was a slightly unfair situation:
In the registry (and group policy) settings, VBS (Device Guard) was "not configured" and the depending System Guard was "enabled", therefore implicitly enabling VBS (Device Guard). The Windows Settings didn't show the "Firmware protection" setting, which is the display name of System Guard, so the only chance was to understand the combination of registry (and group policy) settings and change them.
I'm slowly beginning to comprehend the differences between "not configured" and "disabled".
Re: VM does not start after being imported to new host
Yes, it was my mistake. I didn't realize the names referred to several separate services and I had assumed step 4 turning off Hyper-V would have turned off everything at once.
Re: VM does not start after being imported to new host
fth0 wrote: FWIW, it was a slightly unfair situation:
I'm always willing to see if I misunderstood something.
fth0, Does the Hyper-V tutorial need more info? Does it need mention of the "CI\Config\VulnerableDriverBlocklistEnable" key too?
Re: VM does not start after being imported to new host
scottgus1 wrote: fth0, Does the Hyper-V tutorial need more info?
Looks like I was wrong, too: The tutorial already has the necessary information in the part you copied from user "InfoSecDr", and my previous post here only explained when this step is necessary. Sorry for any confusion!
Regarding the general question, there's no easy answer: I collected my knowledge from 10+ Microsoft documents (and some other sources), and those are incomplete, too. One could write several posts describing the current knowledge, but that would mostly duplicate Microsoft's documents, which are changed every few months, and that's why I'm reluctant to do so.
scottgus1 wrote: Does it need mention of the "CI\Config\VulnerableDriverBlocklistEnable" key too?
AFAIU, the Vulnerable Block List works without VBS, so it wouldn't implicitly enable Hyper-V, and the OP confirmed that.
Re: VM does not start after being imported to new host
Thanks, fth0, for the clarification!
fth0 wrote: my previous post here only explained when this step is necessary.
Would it be correct to disable DeviceGuard in the registry key before running the bcdedit command?
fth0 wrote: I'm slowly beginning to comprehend the differences between "not configured" and "disabled".
FWIW I always thought that "not configured" was Microsoft's default choice (whether enabled or disabled), then "enabled" and "disabled" were the manual setting the user had picked.
Re: VM does not start after being imported to new host
scottgus1 wrote: Would it be correct to disable DeviceGuard in the registry key before running the bcdedit command?
It shouldn't matter. Both settings do not have any immediate effect, and after the next reboot they are each interpreted at different times.
scottgus1 wrote: FWIW I always thought that "not configured" was Microsoft's default choice (whether enabled or disabled), then "enabled" and "disabled" were the manual setting the user had picked.
Microsoft's default choice can depend on other settings. Here we have a hierarchy of settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
|
+-EnableVirtualizationBasedSecurity   <- VBS
+-Scenarios
  |
  +-HypervisorEnforcedCodeIntegrity   <- HVCI/KMCI/UMCI
  | |
  | +-Enabled
  | +-Locked
  |
  +-CredentialGuard                   <- Credential Guard
  | |
  | +-Enabled
  |
  +-SystemGuard                       <- System Guard
    |
    +-Enabled
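
Added example, not part of the thread or of any poster's code: a small Python check that reads an exported DeviceGuard.reg (as requested earlier in the thread) and reports the combination described above, where the VBS value is absent ("not configured") while a dependent scenario is enabled. The sample export is constructed, the function names are hypothetical, and treating HVCI and Credential Guard the same way as System Guard is an assumption; the thread only confirms the System Guard case. Real regedit exports are UTF-16 LE, so decode the file before passing its text in.

```python
import re

# Constructed sample: a regedit export of the DeviceGuard subtree in the state
# the thread describes (VBS value absent, System Guard enabled).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000000
"Locked"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000001
'''

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard"
SCENARIOS = ("HypervisorEnforcedCodeIntegrity", "CredentialGuard", "SystemGuard")

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def vbs_report(text):
    """Summarise the DeviceGuard hierarchy; None means 'not configured' (value absent)."""
    keys = parse_reg(text)
    vbs = keys.get(ROOT, {}).get("EnableVirtualizationBasedSecurity")
    enabled = [s for s in SCENARIOS
               if keys.get(ROOT + "\\Scenarios\\" + s, {}).get("Enabled") == 1]
    # Combination named in the thread: VBS not configured + dependent scenario enabled.
    implicit = vbs is None and bool(enabled)
    return {"vbs": vbs, "enabled_scenarios": enabled, "implicit_vbs": implicit}

if __name__ == "__main__":
    print(vbs_report(SAMPLE_REG))
```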