Turn On or Off Core Isolation Memory Integrity in Windows 10  


  1. Posts : 68,668
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #150

    Let's see how it's working or not for others.


  2. Posts : 1
    windows 10 pro
       #151

    Hello.

    My adventures have finally found a way to be able to enable or disable memory integrity via the slider.

    I have tried the DGreadinesstool; it works, but not really well. The script also contained an error where "64 bits" should have been "64 bit"; I had to correct that before it even worked.

    What I had to do: installed the Hyper-V platform. Then I gave the commands "bcdedit /set nx AlwaysOn" and "bcdedit /set hypervisoriommupolicy enable" and rebooted. (Since my i7-3770 has both functions; the i7-3770K does not have hardware virtualization support.)

    And after this I could enable memory integrity via the slider, and the slider stays available to disable it again.
    The slider did not work at all before and I had to use the DGreadinesstool. So for me that problem is now fixed and working as it should. Though the Credential Guard part was still set enabled with the DGreadinesstool. For code integrity I just copied the default_audit_sipolicy.p7b included with the DGreadinesstool to the windows/system32/codeintegrity folder while renaming it sipolicy.p7b. (This is because I can't run the New-CIPolicy command without getting an error saying my Win 10 Pro is not suited; reported this to MS.) That's it, all functions work, and especially the memory integrity, without any need for the DGreadinesstool anymore.

    Hope this will work for some who get the ghosted slider and can't disable without regfixes.
    Last edited by cplite; 03 Mar 2019 at 05:51.


  3. Posts : 62
    Windows 10 Pro x64
       #152

    EDIT: found the culprit for the incompatibility, it's the SteelSeries Engine.

    About this, enabling MI via the slider in 1809 - it works on a fresh OS install. I had to perform a clean OS install a few weeks ago and it was one of the first things I have tested, and it enabled just fine. However, after installing the proper drivers for my Z370 platform, I did try once more to disable and reenable it, and this time it failed. The DGReadinesstool is unable to find any drivers that are incompatible, but to me, it clearly looked like they were, even though I would typically have very recent drivers for everything, most of them in DCHU format where available. I assume this is why it works on fresh VMs.

    Since enabling MI killed a few of my games that depended on anti-cheat stuff and such, I decided to stop caring about it. It just looks like an Alpha-level feature that's nowhere near being ready for consumers that actually paid for a stable OS.

    Might give it a shot with the suggestions above see how things change.
    Last edited by t0yz; 21 Apr 2019 at 16:03.


  4. Posts : 232
    Windows 10 Home
       #153

    Important facts about memory integrity.

    If you activate the Windows security feature "Core Isolation/Memory Integrity"
    (in system settings / Windows security / device security) you should also run
    an elevated command prompt and enter the command:
    bcdedit /set hypervisorschedulertype core
    Before changing the hypervisor scheduler all was working fine, except maybe once
    a day, the system just started freezing.
    No BSOD, no error messages, everything just stopped working and the screen froze.
    Had to do a hard reboot each time.

    I searched through the event viewer, and looked for the records of the hard
    reboots. Right before each one, there was a warning message (not marked as
    an error, just a warning, Event ID 157) that reads:
    "The hypervisor did not enable mitigations for CVE-2018-3646 for virtual
    machines because HyperThreading is enabled and the hypervisor core scheduler
    is not enabled. To enable mitigations for CVE-2018-3646 for virtual machines,
    enable the core scheduler by running "bcdedit /set hypervisorschedulertype
    core" from an elevated command prompt and reboot."

    Since the Core Isolation/Memory Integrity feature is basically running a bunch
    of high-level system processes in a virtual machine, it looks like you also have
    to manually set the hypervisor scheduler to the more secure core scheduler.
    IDK why Windows wouldn't do this automatically when you turn the feature on,
    but if you're having the same problem that I was, it looks like that's the
    problem. Hasn't come up again all day since I set it.

    Credit for this solution goes to tatofarms on reddit alienware forums.

    I had this same issue when I enabled memory integrity and asked for help
    on Ten Forums. I did eventually get it sorted out from some Microsoft Docs
    and Technet forum and I posted some of the answer here. So if you are having any
    problems with Memory integrity once turned on you will need to edit the core
    scheduler to stabilize your system and secure it.
    My post here on this forum is under virtualization and I may have provided links to
    the Docs on Microsoft site. Sorry can't remember if I did.
    After upgrading to 1903 I had to set the core scheduler again to be protected from CVE-2018-3646.
    Memory integrity and core isolation were still on.
    Last edited by humbird; 24 May 2019 at 21:49.
      My Computer
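
A read-only check for the situation described in post #153, added here as an example and not part of any poster's message. It reports the configured hypervisor scheduler type and counts the Event ID 157 warnings that mention CVE-2018-3646. The function names and the 30-day window are assumptions chosen for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Reads state only; changes nothing.

function Get-HypervisorSchedulerType {
    # bcdedit lists "hypervisorschedulertype" only when the value has been set.
    $m = bcdedit /enum '{current}' |
        Select-String -Pattern '^hypervisorschedulertype\s+(\S+)'
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'not set (OS default)' }
}

function Get-SchedulerMitigationWarning {
    param([int]$Days = 30)   # look-back window, an arbitrary choice
    $filter = @{
        LogName   = 'System'
        Id        = 157      # event ID quoted in the post
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Filtering on the message text keeps unrelated events that share the ID out.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2018-3646' } |
        Select-Object TimeCreated, ProviderName, LevelDisplayName
}

$lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$warnings  = @(Get-SchedulerMitigationWarning)
$sinceBoot = @($warnings | Where-Object { $_.TimeCreated -ge $lastBoot })

[pscustomobject]@{
    HypervisorSchedulerType = Get-HypervisorSchedulerType
    Warnings157InWindow     = $warnings.Count
    Warnings157SinceBoot    = $sinceBoot.Count
    LastBoot                = $lastBoot
}
```

If the scheduler type reads `Core` and no warning has been logged since the last boot, the setting took effect. Re-run it after a feature update, since post #153 reports having to set the scheduler again after upgrading to 1903.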


  5. Posts : 9
    Windows 10 Pro x64 1909
       #154

    I have found an answer to the issue where, when you try to turn memory integrity on/off, the option is greyed out and the red text "this option is being managed by the system administrator" is shown.

    There is a missing registry key that no one seems to be paying attention to, and it is especially missing for those that use the DG readiness tool.
    It is the following key (taken from an exported registry key on my system):

    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
    "WasEnabledBy"=dword:00000002

    Having this key not present will disable the option from being changed via Windows Security.

    BTW... just chiming in, but my system has fully working DG/CG and VBS/HVCI. No performance impact that I can tell. The only difference I can see is that the driver "Logitech Virtual Bus Enumerator" will not work with core isolation enabled. It normally will keep Windows from even activating the feature, but if you use the DG readiness tool (plus my above registry key) you can activate HVCI and Windows will just not be able to load the driver for the (virtual) device.
    Last edited by Brink; 11 Apr 2020 at 08:43. Reason: code box


  6. Posts : 10
    Windows 10
       #155

    How can I check if Memory Integrity is actually enabled and functioning properly??


  7. Posts : 26
    Windows 10 1803 & Win10 Insider
       #156

    It is probably listed at the bottom of `msinfo32`.


  8. Posts : 10
    Windows 10
       #157

    Henk Poley said:
        "It is probably listed at the bottom of `msinfo32`."

    It sure is! Thanks


  9. Posts : 9
    Windows 10 Pro x64 1909
       #158

    Just noticed there was an unintentional space in the registry key I mentioned in my post. Here is the corrected key:

    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
    "WasEnabledBy"=dword:00000002

    Once again, if you are having an issue with memory integrity reporting that the setting is managed by the administrator and the on/off toggle is grayed out, adding this key will re-enable the on/off toggle option. You will need to close and re-open Windows Security before any changes will be reflected in Windows. And of course you will need to restart Windows after toggling the now enabled setting on/off before any changes will take effect.


    |NOTE to MODS|

    Apparently the forum is forcing a space into the word 'HypervisorEnforcedCodeIntegrity'. It does not exist in the text I enter into the words I write, but shows up in the posting. I don't know whether this is a bug or on purpose. Maybe a short response from one of the forum mods will shine light on this issue. It does not force the space into the word when it is used alone, only when I type the word as part of a registry key.

    To anyone reading this posting, there should not be any spaces in 'HypervisorEnforcedCodeIntegrity'.
    Last edited by Brink; 11 Apr 2020 at 08:42. Reason: code box


  10. Posts : 27,164
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #159

    @Cybot many thanks for the heads-up about the missing key.

    My problem was that an older Logitech webcam would keep core isolation from turning on. When I switched to Windows' own generic driver for it, I could force core isolation on in the registry, but like you mention above, "the option is greyed out and the red text "this option is being managed by the system administrator" is shown".

    Now I have a newer Logitech BRIO and use the Logitech drivers and core isolation still works, but the switch was still grayed out. I created the key you posted, and now everything is as it should be.
      My Computers
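
A scripted alternative to reading the bottom of `msinfo32` (posts #155 to #157), combined with a look at the `WasEnabledBy` value from posts #154 and #158. This is an added example, not code from any poster. The `Win32_DeviceGuard` class and the `Enabled` registry value are not mentioned in the thread; they are the Microsoft-documented interfaces for this state, and the function name is hypothetical.

```powershell
# Added example (not from the thread). Reads state only; changes nothing.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' +
           '\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-MemoryIntegrityState {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard
    # A missing key or value simply yields $null below.
    $reg = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'off' }
        1       { 'enabled, not running' }
        2       { 'running' }
        default { 'unknown' }
    }

    # In the SecurityServices* arrays, 1 = Credential Guard and 2 = HVCI.
    $configured = $dg.SecurityServicesConfigured -contains 2
    $running    = $dg.SecurityServicesRunning -contains 2

    $note = if ($configured -and -not $running) {
        'Configured but not running: reboot pending or a driver is blocking it.'
    } elseif ($null -eq $reg.WasEnabledBy) {
        'WasEnabledBy is absent: per posts #154/#158 the toggle may be greyed out.'
    } else {
        'Configured and running state agree.'
    }

    [pscustomobject]@{
        VbsStatus       = $vbs
        HvciConfigured  = $configured
        HvciRunning     = $running
        RegistryEnabled = $reg.Enabled
        WasEnabledBy    = $reg.WasEnabledBy
        Note            = $note
    }
}

Get-MemoryIntegrityState | Format-List
```

`HvciRunning` is the value that answers "is it actually functioning": the registry values only record what was requested, while the CIM class reports what the hypervisor is enforcing for the current boot.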


 
