Memory Integrity blocking Windows OS update

Question

Hi all,

I need to resolve an issue where Memory Integrity check (MIC) is stopping the OS from upgrading (in this case from 1909 to 20H2).

I know how to check what applications are causing this (in my case it was two Microsoft ones regarding Print to PFD etc).

I can resolve this issue, but when updating again (using a TS) it fails at the MIC yet again. If I check the file within the Panther folder there are no drivers being complained about, but it still says there is a MIC issue.

I went back to look at this issue on a laptop that would not update, and for some reason it finally updated.

Question: Is there a registry key that gets set during the check process? I am wondering if that key is staying set and therefor W10 thinks the MIC is finding something where there is nothing to find.

I know that we can simply turn off Memory Integrity to update, but its not as simple as that when you have various Group Policies in place to enable it and other security features which we need.

Any help would be appreciated.

Answer 1

Hello @Fraser Burnett ,

In my case I looked into running services, and disabled anything not from Microsoft temporary until the upgrade was finished.

On the other hand your can temporary deploy the turn off by GPO just for the upgrade by adding the next registry key to the GPO

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

Enabled DWORD

0 = Off
1 = On

I have heard a lot about the Core Integrity failure to upgrade/update and it seems that there is some security excess (at the end the purpose is to "lock" the core files to prevent malicious injection), but we can say that the problems of one time, might save us bigger issues on the long run.

Hope this helps in your case,
Best regards,