VM does not start after being imported to new host

Discussions related to using VirtualBox on Windows hosts.

Re: VM does not start after being imported to new host

Post by Squark »

fth0 wrote:
Squark wrote:I'm not sure what you mean by exporting the registry
Right-click on "DeviceGuard" in the left pane, choose export and give the export file the name "DeviceGuard.reg". This will create a small file with the whole registry subtree starting with "DeviceGuard" as its root. Do the same for "Lsa" and "CI", put the .reg files in a zip file and attach that to a post. The registry settings will give further details than the msinfo32 output you already provided.
Ah, I see. The zip file is attached.
Attachment: reg_files.zip (3.32 KiB)

Post by fth0 »

Thanks for the Windows registry excerpts! The combination of settings should not activate VBS.

As a test, you could disable the remaining settings nonetheless by setting the following registry keys to 0, reboot the host and try if the issue persists:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
Note that editing the Windows registry is a potentially dangerous operation that can render your host OS unbootable. So the general rule applies: No backup - no mercy!

Post by Squark »

fth0 wrote:Thanks for the Windows registry excerpts! The combination of settings should not activate VBS.

As a test, you could disable the remaining settings nonetheless by setting the following registry keys to 0, reboot the host and try if the issue persists:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
Note that editing the Windows registry is a potentially dangerous operation that can render your host OS unbootable. So the general rule applies: No backup - no mercy!
This did the trick! The blue V icon now shows up in the status bar instead of the turtle and everything looks like it runs fine. Thanks so much for the help!

Post by fth0 »

Thanks for reporting back! :)

It would have been of interest which of the two settings was necessary ... ;)

Post by Squark »

fth0 wrote:Thanks for reporting back! :)

It would have been of interest which of the two settings was necessary ... ;)
I tested this now by setting the VulnerableDriverBlocklistEnable key back to 1 and rebooted, and I can confirm the VM still works, so I assume it was whatever under SystemGuard that was causing the issue.

Post by scottgus1 »

Squark wrote:whatever under SystemGuard that was causing the issue
The "SystemGuard" registry key is discussed in the tutorial, post #2.
scottgus1 wrote:There's a link about DeviceGuard in the tutorial.
Squark wrote:Okay, so I went through all the steps for disabling Hyper-V
Looks like you missed a step...

Post by fth0 »

Squark wrote:I tested this now by setting the VulnerableDriverBlocklistEnable key back to 1 and rebooted, and I can confirm the VM still works, so I assume it was whatever under SystemGuard that was causing the issue.
Thanks again for testing and confirming what I suspected! :)

scottgus1 wrote:Looks like you missed a step...
FWIW, it was a slightly unfair situation:

In the registry (and group policy) settings, VBS (Device Guard) was "not configured" and the depending System Guard was "enabled", therefore implicitly enabling VBS (Device Guard). The Windows Settings didn't show the "Firmware protection" setting, which is the display name of System Guard, so the only chance was to understand the combination of registry (and group policy) settings and change them.

I'm slowly beginning to comprehend the differences between "not configured" and "disabled". ;)

Post by Squark »

Yes, it was my mistake. I didn't realize the names referred to several separate services and I had assumed step 4 turning off Hyper-V would have turned off everything at once.

Post by scottgus1 »

fth0 wrote:FWIW, it was a slightly unfair situation:
I'm always willing to see if I misunderstood something. :D

fth0, Does the Hyper-V tutorial need more info? Does it need mention of the "CI\Config\VulnerableDriverBlocklistEnable" key too?

Post by fth0 »

scottgus1 wrote:fth0, Does the Hyper-V tutorial need more info?
Looks like I was wrong, too: The tutorial already has the necessary information in the part you copied from user "InfoSecDr", and my previous post here only explained when this step is necessary. Sorry for any confusion!

Regarding the general question, there's no easy answer: I collected my knowledge from 10+ Microsoft documents (and some other sources), and those are incomplete, too. One could write several posts describing the current knowledge, but that would mostly duplicate Microsoft's documents, which are changed every few months, and that's why I'm reluctant to do so.
scottgus1 wrote:Does it need mention of the "CI\Config\VulnerableDriverBlocklistEnable" key too?
AFAIU, the Vulnerable Block List works without VBS, so it wouldn't implicitly enable Hyper-V, and the OP confirmed that.

Post by scottgus1 »

Thanks, fth0, for the clarification!
fth0 wrote:my previous post here only explained when this step is necessary.
Would it be correct to disable DeviceGuard in the registry key before running the bcdedit command?
fth0 wrote:I'm slowly beginning to comprehend the differences between "not configured" and "disabled".
FWIW I always thought that "not configured" was Microsoft's default choice (whether enabled or disabled), then "enabled" and "disabled" were the manual setting the user had picked.

Post by fth0 »

scottgus1 wrote:Would it be correct to disable DeviceGuard in the registry key before running the bcdedit command?
It shouldn't matter. Both settings do not have any immediate effect, and after the next reboot they are each interpreted at different times.
scottgus1 wrote:FWIW I always thought that "not configured" was Microsoft's default choice (whether enabled or disabled), then "enabled" and "disabled" were the manual setting the user had picked.
Microsoft's default choice can depend on other settings. Here we have a hierarchy of settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
|
+-EnableVirtualizationBasedSecurity  <- VBS
+-Scenarios
  |
  +-HypervisorEnforcedCodeIntegrity    <- HVCI/KMCI/UMCI
  | |
  | +-Enabled
  | +-Locked
  |
  +-CredentialGuard                    <- Credential Guard
  | |
  | +-Enabled
  |
  +-SystemGuard                        <- System Guard
    |
    +-Enabled
If VBS is "not configured" and SystemGuard\Enabled is set, VBS/Hyper-V is implicitly enabled. Without SystemGuard\Enabled set, VBS/Hyper-V is implicitly disabled.
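
Added example, not part of the thread or of VirtualBox: a small Python check that applies the rule stated in the last post to a regedit export of the "DeviceGuard" subtree, as requested earlier in the thread. The sample export is constructed, the function names are hypothetical, and reporting an explicitly set EnableVirtualizationBasedSecurity value as-is is an assumption, since the thread only describes the "not configured" case.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard"

# Constructed sample in regedit export format (not the poster's attachment).
# Real exports are UTF-16: open("DeviceGuard.reg", encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000001
'''

def parse_reg_dwords(text):
    """Return {lower-cased 'key\\value name': int} for each dword in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key:
            # Registry paths are case-insensitive, so normalise for lookups.
            values[f"{key}\\{m.group(1)}".lower()] = int(m.group(2), 16)
    return values

def vbs_state(values):
    """Apply the rule from the thread to parsed DeviceGuard values."""
    root = ROOT.lower()
    vbs = values.get(root + r"\enablevirtualizationbasedsecurity")
    system_guard = values.get(root + r"\scenarios\systemguard\enabled", 0)
    if vbs is not None:
        # Assumption: an explicit value is reported as configured; the thread
        # only describes the "not configured" (value absent) case.
        return "explicitly enabled" if vbs else "explicitly disabled"
    if system_guard:
        return "implicitly enabled by SystemGuard"
    return "implicitly disabled"

if __name__ == "__main__":
    print("VBS:", vbs_state(parse_reg_dwords(SAMPLE_REG)))
```
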