Virtualization Technology (VT) and Windows 11 Core Isolation Feature Issue

Ken Rogers Jr 0 Reputation points
2023-03-23T22:07:31.86+00:00

Dear Community,
I'm currently experiencing a conundrum with my system. I cannot have virtualization enabled on my system after a Windows update was pushed to my system. Let me explain why. The Core Isolation feature, Memory Integrity, is causing the Program Compatibility subsystem to block many of my standard and sole drivers for many programs, some of which are also hypervisors that, obviously, require virtualization to be enabled. No driver replacements exist. No amount of Google-Fu has netted me any tangible results. All of the below fix actions are reverted or ignored after restarting the system. I have cleared my TPM keys multiple times from Windows and the BIOS. I even re-joined the Windows Insider Program and subscribed to the Beta Channel to see if a newer feature update would resolve the issue (spoiler: it did not). I do not have a restore point to go back to. Reinstalling Windows is a last resort.

I have only found one solution that isn't ideal, which is to disable Virtualization Technology in my UEFI BIOS. This completely disables those features that I cannot turn off and also disables my ability to operate my hypervisors. I realized this after forgetting to enable it after updating the BIOS.

I could use your assistance in resolving my problem. What fix do you all want me to try (besides the ones that I have listed in this post, of course)?

Here are my system details:

OS: Windows 11 Pro
Version: 10.0.22623 Build 22624
Motherboard: ASUS RoG Maximus XIII Extreme
Processor: Intel Core i9-10900K
BIOS: 1701 (from 1402)
Intel ME Update: 15.XX.XX (it meets or exceeds ASUS requirements for BIOS update)
RAM: 64 GB
Page File: 9.5 GB
TPM: 2.0

Here are the promised fix actions that seem to resolve everyone else's Core Isolation feature issues, but not my own:

Registry:

** For all items related to the registry below, 1 = ENABLE, 0 = DISABLE **

Delete Core Isolation Policies - Validate that no entries are underneath this registry path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager

Enable/Disable Hypervisor-Protected Code Integrity (HVCI)

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\State

Key: HVCIEnabled (REG_DWORD)

Enable/Disable Device Guard features (various):

Virtualization Based Security

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Key: EnableVirtualizationBasedSecurity (REG_DWORD)
Key: Locked (REG_DWORD)

CredentialGuard

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard
Key: Enabled (REG_DWORD)

HypervisorEnforcedCodeIntegrity

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Key: Locked (REG_DWORD)
Key: HVCIMATRequired (REG_DWORD)

KernelShadowStacks

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks
Key: Enabled (REG_DWORD)

SystemGuard

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
Key: Enabled (REG_DWORD)
Key: Managed (REG_DWORD)

PowerShell (administrator):

Repair the Windows Security App

Get-AppxPackage *Microsoft.Windows.SecHealthUI* | Reset-AppxPackage

Alternate Method via Command Prompt (administrator)

PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage *Microsoft.Windows.SecHealthUI*).InstallLocation + '\AppxManifest.xml' ; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"

Repair System/Image Files

DISM.exe /Online /Cleanup-image /Restorehealth

Scan integrity of protected system files and replace with known good

sfc /scannow

Review SFC logs for actioned items

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > C:\sfcdetails.txt

Windows Security:

Turn off Core Isolation features via GUI

Start Menu -> type "Core Isolation" -> Open Core Isolation

Drag each slider to the left to turn off/disable for the following:

  • Memory Integrity
  • Firmware Protection
  • Local Security Authority Protection
  • Microsoft Vulnerable Driver Blocklist

Group Policy:

Configure Device Guard via group policy editor (gpedit.msc)

Start Menu -> type "gpedit.msc" -> Open gpedit.msc

Navigate to:

  • Local Computer Policy
    • Computer Configuration
      • Administrative Templates
        • System
          • Device Guard
            • Open Turn On Virtualization Based Security

Two Options Exist to configure the policy:

  • Change the policy to Enabled and configure as desired (disable all in my case, with the exception of the Secure Boot configuration)
  • Change the policy to Disabled
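The registry and Group Policy edits listed above all write configuration, but none of them reports what VBS is actually doing after the reboot, or why the change did not stick. The script below is an added example and is not part of the original post or of any Microsoft tool: it reads the same DeviceGuard keys the post lists, reads the running state from the Win32_DeviceGuard WMI class, flags the two causes that make OS-side changes revert (a UEFI lock, which persists the VBS setting in a UEFI variable so the OS cannot turn it off, and a policy value under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, which gpedit and MDM re-apply on every refresh), and pulls the drivers Code Integrity refused to load from its Operational event log. Treating `Locked = 1` as the UEFI-lock indicator, the event IDs 3033/3077 as the blocked-load records, and the regex that extracts the `.sys` name from the event message are this example's assumptions; the list of incompatible drivers shown by the Windows Security page is computed separately and may include drivers that have not yet been attempted.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Audits VBS/HVCI state, explains
# why manual edits revert, and lists drivers Code Integrity blocked at load.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-VbsState {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'   # where gpedit/MDM write
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (Memory Integrity)
        ServicesRunning    = @($dg.SecurityServicesRunning)
        HvciRunning        = [bool](@($dg.SecurityServicesRunning) -contains 2)
        EnableVbs          = Get-RegValue $cfg 'EnableVirtualizationBasedSecurity'
        RequirePlatformSec = Get-RegValue $cfg 'RequirePlatformSecurityFeatures'
        ConfigLocked       = Get-RegValue $cfg 'Locked'                 # assumed UEFI-lock indicator
        HvciEnabled        = Get-RegValue "$cfg\Scenarios\HypervisorEnforcedCodeIntegrity" 'Enabled'
        HvciLocked         = Get-RegValue "$cfg\Scenarios\HypervisorEnforcedCodeIntegrity" 'Locked'
        PolicyEnableVbs    = Get-RegValue $pol 'EnableVirtualizationBasedSecurity'
        PolicyHvci         = Get-RegValue $pol 'HypervisorEnforcedCodeIntegrity'
    }
}

function Find-RevertCause([pscustomobject]$State) {
    $reasons = @()
    if ($State.ConfigLocked -eq 1 -or $State.HvciLocked -eq 1) {
        $reasons += 'VBS/HVCI was enabled with the UEFI lock: the setting lives in a UEFI variable, so ' +
                    'registry and policy edits are ignored at boot. Microsoft documents an opt-out ' +
                    'through the SecConfig.efi boot application that asks for confirmation at the console.'
    }
    if ($null -ne $State.PolicyEnableVbs -or $null -ne $State.PolicyHvci) {
        $reasons += 'A policy value exists under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard; ' +
                    'Group Policy or MDM re-applies it on every refresh and overwrites manual edits.'
    }
    if ($reasons.Count -eq 0) {
        $reasons += 'No lock or policy value found; check the Windows Security toggle and MDM enrollment (dsregcmd /status).'
    }
    $reasons
}

function Get-BlockedDrivers([int]$Days = 30) {
    # Code Integrity records loads it refused in its Operational channel
    # (3033: signing-level requirement not met, 3077: policy enforcement block).
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property layout differs per event ID, so pull the driver name from the message text.
            if ($_.Message -match '\\([^\\\r\n]+\.sys)') { $Matches[1].ToLower() }
        } |
        Sort-Object -Unique
}

$state = Get-VbsState
$state | Format-List
'Why the settings may revert after a reboot:'
Find-RevertCause $state | ForEach-Object { " - $_" }
'Drivers Code Integrity refused to load (last 30 days):'
Get-BlockedDrivers | ForEach-Object { " - $_" }
```

Run it once before and once after a reboot: if `HvciRunning` is `True` while `HvciEnabled` and `EnableVbs` read `0`, the running state is not coming from the registry keys the post edits, and the `Find-RevertCause` output says which of the two overriding mechanisms is in play. Disabling VT in firmware works because it removes the hypervisor VBS needs; it is a blunt instrument compared with clearing the lock or the policy that re-arms it.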

1 answer

  1. Limitless Technology 44,776 Reputation points
    2023-03-24T11:49:11.6133333+00:00

    Hello there,

    As you have made an update, I would suggest uninstalling the update and seeing if everything is normal as before. If this is due to an update we might need to wait for a workaround or Hotfix and you can avoid installing this update until then.

    You can collect the Event logs and share them with the Microsoft team to get this sorted or get an appropriate workaround for this.

    • Download the Process Monitor tool.

    • Get a dump from the crashing process and share it through the Feedback Hub.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. You can get the tool from here https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    You can raise feedback to the Microsoft team. The Feedback Hub app lets you tell Microsoft about any problems you run into https://support.microsoft.com/en-us/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–

