Let's see how it's working or not for others.
Hello.
My adventures have finally found a way to be able to enable or disable memory integrity via the slider.
I have tried the DGreadinesstool, it works but not really well. The script also contained an error where "64 bits" should have been "64 bit", I had to correct that before it worked even.
What I had to do: installed the Hyper-V platform. Then I gave the commands "bcdedit /set nx AlwaysOn" and "bcdedit /set hypervisoriommupolicy enable" and reboot. (since my i7-3770 has both functions, the i7-3770K does not have hardware virtualization support.)
And after this I could enable memory integrity via the slider, and the slider stays available to disable it again.
The slider did not work at all before and I had to use the DGreadinesstool. So for me that problem is now fixed and working as it should. Though the credential guard part was still set enabled with the DGreadinesstool. For codeintegrity I just copied the DGreadinesstool included default_audit_sipolicy.p7b to the windows/system32/codeintegrity folder while renaming it sipolicy.p7b (This is because I can't run the New-CIPolicy command without getting an error saying my win 10 pro is not suited, reported this to MS). That's it, all functions work and especially the memory integrity without any need for DGreadinesstool anymore.
Hope this will work for some who get the ghosted slider and can't disable without regfixes.
Last edited by cplite; 03 Mar 2019 at 05:51.
EDIT: found the culprit for incompatibility, it's the SteelSeries Engine.
About this, enabling MI via the slider in 1809 - it works on a fresh OS install. I had to perform a clean OS install a few weeks ago and it was one of the first things I have tested, and it enabled just fine. However, after installing the proper drivers for my Z370 platform, I did try once more to disable and reenable it, and this time it failed. The DGReadinesstool is unable to find any drivers that are incompatible, but to me, it clearly looked like they were, even though I would typically have very recent drivers for everything, most of them in DCHU format where available. I assume this is why it works on fresh VMs.
Since enabling MI killed a few of my games that depended on anti-cheat stuff and such, I decided to stop caring about it. It just looks like an Alpha-level feature that's nowhere near being ready for consumers that actually paid for a stable OS.
Might give it a shot with the suggestions above see how things change.
Last edited by t0yz; 21 Apr 2019 at 16:03.
Important facts about memory integrity.
If you activate the Windows security feature "Core Isolation/Memory Integrity"
(in system settings / Windows security / device security) you should also run
an elevated command prompt and enter the command:
bcdedit /set hypervisorschedulertype core
Before changing the hypervisor scheduler all was working fine, except maybe once
a day, the system just started freezing.
No BSOD, no error messages, everything just stopped working and the screen froze.
Had to do a hard reboot each time.
I searched through the event viewer, and looked for the records of the hard
reboots. Right before each one, there was a warning message (not marked as
an error, just a warning, Event ID 157) that reads:
"The hypervisor did not enable mitigations for CVE-2018-3646 for virtual
machines because HyperThreading is enabled and the hypervisor core scheduler
is not enabled. To enable mitigations for CVE-2018-3646 for virtual machines,
enable the core scheduler by running "bcdedit /set hypervisorschedulertype
core" from an elevated command prompt and reboot."
Since the Core Isolation/Memory Integrity feature is basically running a bunch
of high-level system processes in a virtual machine, it looks like you also have
to manually set the hypervisor scheduler to the more secure core scheduler.
IDK why Windows wouldn't do this automatically when you turn the feature on,
but if you're having the same problem that I was, it looks like that's the
problem. Hasn't come up again all day since I set it.
Credit for this solution goes to tatofarms on reddit alienware forums.
I had this same issue when I enabled memory integrity and asked for help
on Ten Forums. I did eventually get it sorted out from some Microsoft Docs
and Technet forum and I posted some of the answer here. So if you are having any
problems with Memory integrity once turned on you will need to edit the core
scheduler to stabilize your system and secure it.
My post here on this forum is under virtualization and I may have provided links to
the Docs on Microsoft site. Sorry can't remember if I did.
After upgrading to 1903 I had to set the core scheduler again to be protected from CVE-2018-3646.
Memory integrity and core isolation were still on.
Last edited by humbird; 24 May 2019 at 21:49.
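A way to check the scheduler setting and the Event ID 157 warning described in the posts above, as an added example that is not part of the original thread. It assumes the warning is logged by the `Microsoft-Windows-Hyper-V-Hypervisor` provider and that the same provider's event ID 2 reports the scheduler type chosen at boot (1 = classic with SMT disabled, 2 = classic, 3 = core, 4 = root); run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): compare the requested and the active
# hypervisor scheduler, and list the CVE-2018-3646 warnings quoted above.
$provider = 'Microsoft-Windows-Hyper-V-Hypervisor'   # assumed event source

# 1. What the boot configuration asks for (nothing is returned if never set).
$bcd = bcdedit /enum '{current}' |
    Select-String -Pattern 'hypervisorschedulertype' |
    Select-Object -First 1

# 2. What the hypervisor launched with: event ID 2 says "scheduler type is 0x<n>".
$names  = @{ 1 = 'Classic (SMT disabled)'; 2 = 'Classic'; 3 = 'Core'; 4 = 'Root' }
$launch = Get-WinEvent -FilterHashtable @{ ProviderName = $provider; Id = 2 } `
              -MaxEvents 1 -ErrorAction SilentlyContinue
$active = if ($launch -and $launch.Message -match 'scheduler type is 0x([0-9a-fA-F]+)') {
    $names[[Convert]::ToInt32($Matches[1], 16)]
} else {
    'unknown (no launch event found)'
}

# 3. Warnings like the one quoted in the post, newest first.
$warnings = Get-WinEvent -FilterHashtable @{ ProviderName = $provider; Id = 157 } `
                -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2018-3646' }

[pscustomobject]@{
    BcdSetting      = if ($bcd) { ($bcd.Line -replace '\s+', ' ').Trim() } else { 'not set' }
    ActiveScheduler = $active
    WarningCount    = @($warnings).Count
    LastWarning     = ($warnings | Select-Object -First 1).TimeCreated
}
```

A `LastWarning` timestamp later than the last reboot means the setting did not take effect, which is worth re-checking after a feature update such as the 1903 upgrade mentioned above.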
I have found an answer to the issue where when you try and turn on/off memory integrity the option is greyed out and the red text "this option is being managed by the system administrator" is shown.
there is a missing registry key that no one seems to be paying attention to, and it is especially missing for those that use the DG readiness tool.
it is the following key: (taken from exported registry key on my system)
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"WasEnabledBy"=dword:00000002
having this key not present will disable the option from being changed via windows security.
BTW.... just chiming in, but my system has full working DG/CG and VBS/HVCI. no performance impact that I can tell. the only difference I can see, is the driver "Logitech Virtual Bus Enumerator" will not work with core isolation enabled. it normally will keep windows from even activating the feature, but if you use the dg readiness tool (plus my above registry key) you can activate HVCI and windows will just not be able to load the driver for the (virtual) device.
Last edited by Brink; 11 Apr 2020 at 08:43. Reason: code box
How can I check if Memory Integrity is actually enabled and functioning properly??
It is probably listed at the bottom of `msinfo32`.
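A scripted alternative to reading `msinfo32`, as an added example that is not part of the original thread. It reads the `Win32_DeviceGuard` CIM class and the registry key discussed in this thread. The check of the `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard` key (where Group Policy writes its Device Guard settings) is an addition here, not something the posters mention; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): report whether VBS and memory
# integrity (HVCI) are configured and actually running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
$vbsStates = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }

# Registry key named in the thread; values are $null when absent.
$scenario = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$reg = Get-ItemProperty -Path $scenario -ErrorAction SilentlyContinue

# Group Policy location (assumption of this example, not from the thread).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
              -ErrorAction SilentlyContinue

[pscustomobject]@{
    # Cast to [int]: the CIM value is UInt32 and would miss the Int32 keys.
    VbsStatus              = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
    # In the SecurityServices* arrays, 1 = Credential Guard, 2 = HVCI.
    HvciConfigured         = $dg.SecurityServicesConfigured -contains 2
    HvciRunning            = $dg.SecurityServicesRunning -contains 2
    CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
    ScenarioEnabled        = $reg.Enabled
    WasEnabledBy           = $reg.WasEnabledBy
    PolicyHvciValue        = $policy.HypervisorEnforcedCodeIntegrity
}
```

`HvciConfigured` true with `HvciRunning` false after a reboot means the setting was accepted but the hypervisor-enforced check did not start, which is the state to investigate for incompatible drivers.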
just noticed there was an unintentional space in the registry key i mentioned in my post. here is the corrected key:
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"WasEnabledBy"=dword:00000002
Once again, if you are having issue with memory integrity reporting that the setting is managed by the administrator and the on/off toggle is grayed out, adding this key will re-enable the on/off toggle. you will need to close and re-open windows security before any changes will be reflected in windows. and of course you will need to restart windows after toggling the now enabled setting on/off before any changes will take effect.
|NOTE to MODS|
apparently the forum is forcing a space into the word 'HypervisorEnforcedCodeIntegrity'. it does not exist in the text i enter into the words I write, but shows up in the posting. I don't know whether this is a bug or on purpose. maybe a short response from one of the forum mods will shine light on this issue. it does not force the space into the word when it is used alone, only when I type the word as part of a registry key.
to anyone reading this posting, there should not be any spaces in 'HypervisorEnforcedCodeIntegrity'.
Last edited by Brink; 11 Apr 2020 at 08:42. Reason: code box
@Cybot many thanks for the heads-up about the missing key.
My problem was an older Logitech webcam would keep core isolation from turning on, when I switched to windows own generic driver for it, I could force core isolation on in the registry, but like you mention above "the option is greyed out and the red text "this option is being managed by the system administrator" is shown".
Now I have a newer Logitech BRIO and use the Logitech drivers and core isolation still works, but the switch was still grayed out. I created the key you posted, and now everything is as it should be.