Hyper-V Problems in windows 24H2

[marcthin]

Finally after hours of trying mainly in the registry keys it worked that VBS and the Devicecard is disabled but also STAYS disabled after a warm reboot and after a cold reboot.
Below are the possibilities of keys.
Now quickly make an image of this installation
Keys:
Try Setting these keys all to 0 first, if a failure then delete the keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RequireMicrosoftSignedBootChain
Delete the key DeviceGuard HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\CachedDrtmAuthIndex viceGuard\EnableVirtualizationBasedSecurity HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\DeviceGuard\Locked HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequireMicrosoftSignedBootChain HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures HKEY_LOCAL_MACHINE\SOFT WARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired

Wishing everyone a nice and good day.
Thanks for reading and maybe attention can be given to adjust the howto or place links.

[Karlstens]

You need to disable virtualization based security.

...

DG_Readiness_Tool_v3.6.ps1 -Disable (correct the version number based on the file that you download)

Reboot

If your BIOS is not enabled with SecureBoot this is more than enough to address the current problems.

Thanks for sharing this. I didn't encounter this problem with Windows 11 23H2, and simply just disabled Core Isolation Memory Integrity.

However, I noticed the green turtle poke it's head out with my recent upgrade to Windows 11 24H2, and found that indeed executing DG_Readiness_Tool -Disable returned my VMs to normal operation.

I'm a little concerned at any step that requires the user to disable security, is there further reading to be had on this topic, or advice from Oracle as such?

[rajthampi]

Indeed. Microsoft is adding more security features enabled through Hyper-V and while compiling my blog post, I threw a casual question at Copilot & please see the attached image. It makes sense. Let us hope Oracle works with Microsoft and comes out with a solution that makes everyone happy

[marcthin]

The "redines tool" was not enough for my computers.
The registry keys as mentioned did the trick.
I agree with you that with the increased software development regarding security virtualbox will be in a danger zone if virtualbox and microsoft can somehow work together!

[Stickybit]

There are literally hundreds of posts regarding Virtualization Based Security /HyperV - and the impact on Virtualbox. This is a huge issue, and it's not always that easy to fix - especially if you are trying to disable Virtualization Based Security in an enterprise environment with modern management.

While turtle-mode may not be an issue for some users (running Win10 or Win11 VM's) - then for sure it's causing issues for users virtualizing olders OS´es like Win7 or WinXP.

Anyway - search the forums - there are MANY posts regarding this issue.

[Stickybit]

[snip]

Let us hope Oracle works with Microsoft and comes out with a solution that makes everyone happy

Oracle got some potential improvements in testing at the moment. We are all crossing our fingers for a positive outcome.

[Virtual Jerry]

I've killed the turtle!

I'd still recommend following all the other settings recommend such as bcdedit, group policy, etc.. etc.., but when all else fails, as it did for me, this gets rid of the turtle.

• Navigate to C:\Windows\System32\

• Find hvix64.exe (intel) -or- hva64.exe (AMD)

• Change permissions to give yourself full control (you'll need to take ownership of the file)

• Rename or move the file, I actually did both, but renaming it to hv?64.exe.old should do

• Reboot your computer

NO MORE TURTLE!!!!

[rajthampi]

[snip]

Let us hope Oracle works with Microsoft and comes out with a solution that makes everyone happy

Oracle got some potential improvements in testing at the moment. We are all crossing our fingers for a positive outcome.

Great to see that.

[Byroniac]

This has been an absolute pain in the neck. I believe I had a UEFI lock that auto-enabled Credential Guard and VBS to activate and stay activated despite disabling everything else. So I used Group Policy but I think all I needed to do was to modify the registry and do the bcdedit steps given at this Microsoft Learn site: https://learn.microsoft.com/en-us/windo ... tial-guard

I made a script file for my own use in an elevated command prompt on Windows 11 24H2 (Administrator mode), but I strictly warn that you use this at your own risk, and I am not responsible for any damages it may incur, as it is pretty ugly:

@echo off
rem ------------------------------------
rem https://learn.microsoft.com/en-us/windo ... y-settings
rem ------------------------------------
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard /v LsaCfgFlags /t REG_DWORD /d 0 /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v RequirePlatformSecurityFeatures /f
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
rem ------------------------------------
rem https://learn.microsoft.com/en-us/windo ... y-settings
rem ------------------------------------
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
pause

[matthewchin]

I did exactly what is advised.
I only get errors in powershel that the file is not recognized.
What am I doing wrong????

I have admin rights.

Schermafbeelding 2024-10-11 151932.png

May i know how to enter DG_Readiness_Tool_v3.6.ps1?
Same error screen in powershell with admin right?

Sorry, i get that, one more command need as in readme.txt

[csmccarron]

See if this helps

viewtopic.php?p=553132#p553132