Dear Community,
I'm currently experiencing a conundrum with my system. I cannot have virtualization enabled on my system after a Windows update was pushed to my system. Let me explain why. The Core Isolation feature, Memory Integrity, is causing the Program Compatibility subsystem to block many of my standard and sole drivers for many programs, some of which are also hypervisors that, obviously, require virtualization to be enabled. No driver replacements exist. No amount of Google-Fu has netted me any tangible results. All of the below fix actions are reverted or ignored after restarting the system. I have cleared my TPM keys multiple times from Windows and the BIOS. I even re-joined the Windows Insider Program and subscribed to the Beta Channel to see if a newer feature update would resolve the issue (spoiler: it did not). I do not have a restore point to go back to. Reinstalling Windows is a last resort.
I have only found one solution that isn't ideal, which is to disable Virtualization Technology in my UEFI BIOS. This completely disables those features that I cannot turn off and also disables my ability to operate my hypervisors. I realized this after forgetting to enable it after updating the BIOS.
I could use your assistance in resolving my problem. What fix do you all want me to try (besides the ones that I have listed in this post, of course)?
Here are my system details:
OS: Windows 11 Pro
Version: 10.0.22623 Build 22624
Motherboard: ASUS ROG Maximus XIII Extreme
Processor: Intel Core i9-10900K
BIOS: 1701 (from 1402)
Intel ME Update: 15.XX.XX (it meets or exceeds ASUS requirements for BIOS update)
RAM: 64 GB
Page File: 9.5 GB
TPM: 2.0
Here are the promised fix actions that seem to resolve everyone else's Core Isolation feature issues, but not my own:
Registry:
** For all items related to the registry below, 1 = ENABLE, 0 = DISABLE **
Delete Core Isolation Policies - Validate that no entries are underneath this registry path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
Enable/Disable Hypervisor-Protected Code Integrity (HVCI)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\State
Key: HVCIEnabled (REG_DWORD)
Enable/Disable Device Guard features (various):
Virtualization Based Security
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Key: EnableVirtualizationBasedSecurity (REG_DWORD)
Key: Locked (REG_DWORD)
CredentialGuard
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard
Key: Enabled (REG_DWORD)
HypervisorEnforcedCodeIntegrity
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Key: Locked (REG_DWORD)
Key: HVCIMATRequired (REG_DWORD)
KernelShadowStacks
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks
Key: Enabled (REG_DWORD)
SystemGuard
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
Key: Enabled (REG_DWORD)
Key: Managed (REG_DWORD)
PowerShell (administrator):
Repair the Windows Security App
Get-AppxPackage *Microsoft.Windows.SecHealthUI* | Reset-AppxPackage
Alternate Method via Command Prompt (administrator)
PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage *Microsoft.Windows.SecHealthUI*).InstallLocation + '\AppxManifest.xml' ; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
Repair System/Image Files
DISM.exe /Online /Cleanup-image /Restorehealth
Scan integrity of protected system files and replace with known good
sfc /scannow
Review SFC logs for actioned items
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > C:\sfcdetails.txt
Windows Security:
Turn off Core Isolation features via GUI
Start Menu -> type "Core Isolation" -> Open Core Isolation
Drag each slider to the left to turn off/disable for the following:
- Memory Integrity
- Firmware Protection
- Local Security Authority Protection
- Microsoft Vulnerable Driver Blocklist
Group Policy:
Configure Device Guard via group policy editor (gpedit.msc)
Start Menu -> type "gpedit.msc" -> Open gpedit.msc
Navigate to:
- Local Computer Policy
- Computer Configuration
- Administrative Templates
- System
- Device Guard
- Open Turn On Virtualization Based Security
Two Options Exist to configure the policy:
- Change the policy to Enabled and configure as desired (disable all in my case, with the exception of the Secure Boot configuration)
- Change the policy to Disabled
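A diagnostic script to run before and after a reboot, added here as an example and not part of the original post: it reads the registry values the post lists, reads the policy locations that re-apply settings at boot (the Policy Manager path from the post plus HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, which is the registry location the "Turn On Virtualization Based Security" policy writes to and is not mentioned in the post), and compares them with what the Win32_DeviceGuard WMI class reports as configured versus actually running. The service-code mapping is the one documented for that class; the function and variable names are my own. Run it from an elevated PowerShell session.

```powershell
# Audit VBS / HVCI state: configured registry values vs. policy sources vs. runtime state.
# Added example, not from the original post. Requires an elevated PowerShell session.

# Registry values named in the post. 1 = enabled, 0 = disabled, absent = not set.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\State'; Name = 'HVCIEnabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'Locked' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard'; Name = 'Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; Name = 'Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; Name = 'Locked' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; Name = 'HVCIMATRequired' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'; Name = 'Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'; Name = 'Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'; Name = 'Managed' }
)

function Get-ConfiguredVbsSettings {
    # One row per value; '(not set)' distinguishes a missing value from an explicit 0.
    foreach ($c in $Checks) {
        $value = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($c.Name) }
        }
        $display = if ($null -eq $value) { '(not set)' } else { $value }
        [pscustomobject]@{
            Path  = $c.Path -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\Control\\', ''
            Name  = $c.Name
            Value = $display
        }
    }
}

function Get-PolicyOverrides {
    # Policy-backed locations. Anything present here is re-applied during policy
    # processing and will undo a manual change under Control\DeviceGuard at reboot.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager',  # from the post
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'               # GP "Turn On VBS" target (known path, not from the post)
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) {
            [pscustomobject]@{ Path = $p; Name = '(key absent)'; Value = '' }
            continue
        }
        $props = Get-ItemProperty -Path $p
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Path = $p; Name = $_.Name; Value = $_.Value }
        }
    }
}

function Get-RunningVbsState {
    # Documented codes for SecurityServicesConfigured / SecurityServicesRunning.
    $names = @{ 0 = '(none)'; 1 = 'CredentialGuard'; 2 = 'HVCI (Memory Integrity)';
                3 = 'SystemGuardSecureLaunch'; 4 = 'SMMFirmwareMeasurement';
                5 = 'KernelModeHardwareEnforcedStackProtection' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { "Unknown ($_)" }
    }
    $decode = { param($codes) ($codes | ForEach-Object { $k = [int]$_; if ($names.ContainsKey($k)) { $names[$k] } else { "code $k" } }) -join ', ' }
    [pscustomobject]@{
        VbsStatus  = $vbs
        Configured = & $decode $dg.SecurityServicesConfigured
        Running    = & $decode $dg.SecurityServicesRunning
    }
}

function Get-HypervisorState {
    # HypervisorPresent is true when a hypervisor (Hyper-V, or VBS's own) booted the OS.
    $launch = (bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype') -replace '\s+', ' '
    [pscustomobject]@{
        HypervisorPresent     = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
        HypervisorLaunchType  = ([string]$launch).Trim()
    }
}

'== Configured (registry) ==';              Get-ConfiguredVbsSettings | Format-Table -AutoSize
'== Policy sources re-applied at boot ==';  Get-PolicyOverrides       | Format-Table -AutoSize
'== Reported by Win32_DeviceGuard ==';      Get-RunningVbsState       | Format-List
'== Hypervisor ==';                         Get-HypervisorState       | Format-List
```

Reading the output: a value that is 0 in the first table but still listed under Running in the third means something other than those registry values is driving the state. A Locked value of 1 is the case to look for, because that flag means the VBS configuration is also persisted in a UEFI variable, which is why editing the registry alone does not survive a restart; and any value present under the policy paths will be written back over the Control\DeviceGuard values on every boot, so the GP setting in the post has to be resolved (set to Disabled or removed) rather than worked around in the registry.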