Analyzers
Talk to fellow users of Intel Analyzer tools (Intel VTune™ Profiler, Intel Advisor)
4994 Discussions

Win Defender Device Guard: VTSS driver not loadable on Win 10 1703 and BSOD on Win 10 1709

dirk_s
Beginner
‎01-23-2018 03:30 PM
842 Views

Dear forum,

we recently ran into a problem with Intel VTune™ Amplifier 2018 update 1:

  • Win 10 1703: Failing to start VTSS driver: error 0xfffffffa on "net start vtss"
  • Win 10 1709: BSOD when starting the VTSS driver

After quite a lot of troubleshooting we narrowed the problem down to the following:

  • Together with rolling out Win 10 in the company, our IT department decided to increase security by activating Windows Defender Device Guard
  • If I take away the respective registry keys, everything runs as expected again.

Now our questions:

  • Is there already a version of VTSS (maybe also beta) that is compatible with device guard
  • When will there be an officially released version of VTune / VTSS fully compatible with Defender Device Guard
  • Are there known workarounds for the problem other than deactivation of Device Guard?

Thanks a lot for your help in advance and best wishes,
Brainlab Team

 

0 Kudos

Link Copied

2 Replies
dirk_s
Beginner
‎01-24-2018 01:31 AM
842 Views

Just a quick additional note from our IT team regarding what parts of Device Guard we activated - explicitely actually a very small part of it:

We only configure and use the "Credential Guard" but as I just learned that also means that "Isolated LSA", "Virtualization Based Security" and "Hyper-V Hypervisor" + "User Isolation Mode" are e.g. implicitly activated as a result.

Here what we do NOT intend to use:

  • HVCI: Hypervisor Based Code Integrity

  • KMCI: Kernel Mode Code Integrity

  • CCI: Configurable Code Integrity

 

0 Kudos
Copy link
Elena_F_Intel
Employee
‎01-24-2018 01:42 AM
842 Views

Hello,

At the moment, this is what we recommend to our customers working on Windows 10 RS3 operating system (version 1709) or later:

The Hyper-V has optional security features: Device Guard and Credential Guard. When either or both of them are enabled, accessing non-architectural PMU MSRs triggers (required for the driver-based hardware event sampling analysis) a general protection fault. For example, offcore response MSRs and uncore related MSRs are non-architectural MSRs. To collect these events, you must disable the security features as follows:

  1. Make sure the security features are running on your system:

    1. Run the msinfo32 command to open the System Information dialog.

    2. In the System Summary, check whether the Virtualization-based Security Services Running item includes Hypervisor enforced Code Integrity and/or Credential Guard values.

  2. Disable these security features by running the Microsoft* DG-CG-Readiness-Tool, available at https://www.microsoft.com/en-us/download/details.aspx?id=53337:

    1. Open Powershell as an administrator and go to the tool installation directory.

    2. Run the tool as follows:

      .\DG_Readiness_Tool_v2.1.ps1 -Disable -CG -DG

    3. Reboot the system.

    4. Make sure the device guard is turned off. The output from msinfo32 should NOT include either Hypervisor enforced Code Integrity or Credential Guard.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.