Is there any way to disable Win32_DeviceGuard and Win32_TpmProvider?

BLaZiNgSPEED · 01 Dec 2021

Hello, since upgrading to Windows 10 20H2. The following start up after 5 minutes. These are...

Win32_TpmProvider provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3188; ProviderPath = C:\Windows\System32\wbem\Win32_TPM.dll

And Win32_DeviceGuard provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3188; ProviderPath = %SystemRoot%\System32\Win32_DeviceGuard.dll

Unfortunately they are triggering massive network activity even if it is for a few seconds..

What is the solution to stop them from triggering after few minutes at start up? Why are they chewing network activity? How can I turn them off so they don't start at start up.

This isn't normal. Also they are responsible for WMIPrvSE.exe NETWORK and SYSTEM being also triggered.

MaloK · 01 Dec 2021

Hi,

I don't know how DeviceGuard got enabled on your computer, but there is a lot of documentation on the subject.

Enable or Disable Device Guard in Windows 10

Some computer have also a way to enable deviceguard from bios. my Lenovos have it

BLaZiNgSPEED · 02 Dec 2021

I'm out of luck, it happened exactly as expected once again!

Despite Device guard showing Device Guard successfully processed the Group Policy: Virtualization Based Security = Disabled, Secure Boot = Off, DMA Protection = Off, Virtualization Based Code Integrity = Disabled, Credential Guard = Disabled, Reboot required = No, Status = 0x0.

WMI Activity Operations Log show this!!!!

Is there any way to disable Win32_DeviceGuard and Win32_TpmProvider?-win_32_deviceguard-provider-started.jpg

Win32_DeviceGuard provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3168; ProviderPath = %SystemRoot%\System32\Win32_DeviceGuard.dll

This is triggering this error... Id 5858 = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-XXXXX; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4912; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature; ResultCode = 0x80041010; PossibleCause = Unknown

It is bloody consuming network data. Major spikes.

I'm very disappointed because no one on this forum is able to tell me what is going on! All started since 20H2. I feel like reformatting windows and returning to 1903. But the problem is the official Microsoft website doesn't have 1903 available.

After restarting computer, indeed it goes away. But this is just like UPFC.exe. I think this is some sort of telemetry that Microsoft implemented every day to happen once at least.

It looks to me like absolutely every one has this at start up on 20H2. What a horrible operating system Windows 10 really is. It has given me depression this past 1 week troubleshooting!

TairikuOkami · 02 Dec 2021

Depending on, how you use your computer, you can disable services:
Windows Management Instrumentation or Network Store Interface Service.

Stopped NSIS service will make Windows think there is no internet and no WMI might result in some errors.
Windows update nor store will not work of course, nor telemetry, but internet and most apps should work.

BLaZiNgSPEED · 02 Dec 2021

Disabling Network Store Interface Service causes my network connection icon to disappear from task bar. So this doesn't seem to be a good idea. I have always had both Network Store Interface Service and Windows Management Instrumentation on. Also doing this triggered 3966 errors in event viewer....

But sadly since Windows 10 20H2 update, these new services have started out of no where: Win32_DeviceGuard and Win32_TpmProvider. They are responsible for the daily network data. Because after I restart the computer even several times, it no longer triggers them to start until the next day!

Do you know since which version of Windows 10 this started happening? I would be happy to go to Windows 1909. But I only have 1903 saved in my DVD and USB stick. I have no experience of using 1909. But on 1903 this never happened.

I have Windows.old still in my folder. Is there away to return back to the older version without reformating windows?

I would happily go back. But I'm afraid that Windows 10 will auto install 20H2 again unless I use Windows Update Blocker. But I'll need to update Windows for drivers.

I'm feeling really hopeless right now.

BLaZiNgSPEED · 09 Dec 2021

I disabled Windows Defender Antivirus Service, Windows Defender Antivirus Network Inspection Service and Windows Defender Advanced Threat Protection Service. I thought it solved the issue, but I was fooled.

This is the error I am getting every day once in Event Viewer WMI-Activity section fresh install. 1903, 1909 or 20H2, it doesn't matter. Didn't have this before reformat or upgrade....

ProviderName Win32_DeviceGuardCode 0x0HostProcess wmiprvse.exeProcessID 2288ProviderPath %SystemRoot%\System32\Win32_DeviceGuard.dll

ProviderName Win32_TpmProviderCode 0x0HostProcess wmiprvse.exeProcessID 2288ProviderPath C:\Windows\System32\wbem\Win32_TPM.dll

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">- <System>

<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" />

<EventID>5858</EventID>

<Version>0</Version>

<Level>2</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x4000000000000000</Keywords>

<TimeCreated SystemTime="2021-12-09T14:00:34.476453700Z" />

<EventRecordID>4276</EventRecordID>

<Correlation />

<Execution ProcessID="3168" ThreadID="1484" />

<Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>

<Computer>DESKTOP-TJVRPR9</Computer>

<Security UserID="S-1-5-18" />

</System>

- <UserData>

- <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">

<Id>{00000000-0000-0000-0000-000000000000}</Id>

<ClientMachine>DESKTOP-TJVRPR9</ClientMachine>

<User>NT AUTHORITY\SYSTEM</User>

<ClientProcessId>4432</ClientProcessId>

<Component>Unknown</Component>

<Operation>Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature</Operation>

<ResultCode>0x80041010</ResultCode>

<PossibleCause>Unknown</PossibleCause>

</Operation_ClientFailure>

</UserData>

</Event>

If I restart the computer no more errors of such logged for the remainder of the day, until the following day this occurs once again.

BLaZiNgSPEED · 12 Dec 2021

I have finally solved this mysterious error!!!!

Turns out this has absolutely nothing to do with the actual Device Guard Virtualisation as some advised me. This stupid error is triggered due to Device Information Task Schedule that is exclusive to Windows 10 only! You will not find this task schedule in Windows 7 or 8.1.

Is there any way to disable Win32_DeviceGuard and Win32_TpmProvider?-device-information-error-fixed.jpg

What is devicecensus.exe on Windows 10 and why does it need Internet connectivity? - gHacks Tech News

This is basically another telemetry data collection that Microsoft uses to collect information about your system. This is why you get network spikes when this schedule runs.

The way I found out is that when the error occurred, it corresponded to the exact timing of the task schedule. I have observed this in my last error history that it matches the last task schedule run time. As soon as I disabled this task schedule, the error stopped occurring and you'll no longer get Win32_DeviceGuard and Win32_TpmProvider logged.

I have to say I am really disappointed that of the 600+ viewers of my thread, no one was able to tell me that this was the issue triggering the error! Even Microsoft Support failed to give me the right answer. They were giving me the Device Guard advice. I know that had nothing to do with it.

Somehow when I upgraded initially from 1903 to 20H2 the task schedule was reset back to default. But I had no idea that Device Information task schedule was responsible for triggering this error! Now I know and hopefully this should be helpful to others as well!