We recently ran into a problem with Intel VTune™ Amplifier 2018 update 1:
- Win 10 1703: Failing to start VTSS driver: error 0xfffffffa on "net start vtss"
- Win 10 1709: BSOD when starting the VTSS driver
After quite a lot of troubleshooting we narrowed the problem down to the following:
- Together with rolling out Win 10 in the company, our IT department decided to increase security by activating Windows Defender Device Guard
- If I take away the respective registry keys, everything runs as expected again.
Now our questions:
- Is there already a version of VTSS (maybe also beta) that is compatible with Device Guard?
- When will there be an officially released version of VTune / VTSS fully compatible with Defender Device Guard?
- Are there known workarounds for the problem other than deactivation of Device Guard?
Thanks a lot for your help in advance and best wishes,
Just a quick additional note from our IT team regarding what parts of Device Guard we activated - explicitly actually a very small part of it:
We only configure and use the "Credential Guard" but as I just learned that also means that "Isolated LSA", "Virtualization Based Security" and "Hyper-V Hypervisor" + "User Isolation Mode" are e.g. implicitly activated as a result.
Here is what we do NOT intend to use:
- HVCI: Hypervisor Based Code Integrity
- KMCI: Kernel Mode Code Integrity
- CCI: Configurable Code Integrity
At the moment, this is what we recommend to our customers working on Windows 10 RS3 operating system (version 1709) or later:
The Hyper-V has optional security features: Device Guard and Credential Guard. When either or both of them are enabled, accessing non-architectural PMU MSRs (required for the driver-based hardware event sampling analysis) triggers a general protection fault. For example, offcore response MSRs and uncore related MSRs are non-architectural MSRs. To collect these events, you must disable the security features as follows:
- Make sure the security features are running on your system:
  - Run the msinfo32 command to open the System Information dialog.
  - In the System Summary, check whether the Virtualization-based Security Services Running item includes Hypervisor enforced Code Integrity and/or Credential Guard values.
- Disable these security features by running the Microsoft* DG-CG-Readiness-Tool, available at https://www.microsoft.com/en-us/download/details.aspx?id=53337:
  - Open PowerShell as an administrator and go to the tool installation directory.
  - Run the tool as follows: .\DG_Readiness_Tool_v2.1.ps1 -Disable -CG -DG
  - Reboot the system.
- Make sure Device Guard is turned off. The output from msinfo32 should NOT include either Hypervisor enforced Code Integrity or Credential Guard.
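
The msinfo32 check in the steps above can also be scripted, which helps when auditing which machines actually have these services running. The following PowerShell is an added example, not part of the original posts or of Intel's or Microsoft's tooling; it reads the Win32_DeviceGuard CIM class and decodes its documented status codes. The function name Get-VbsSamplingStatus and the sample object are assumptions made for illustration.

```powershell
# Added example, not from the original thread. Function name and sample
# object are hypothetical; codes are those documented for Win32_DeviceGuard.
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor enforced Code Integrity'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$VbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

function Get-VbsSamplingStatus {
    param([Parameter(Mandatory)] $DeviceGuard)

    # Drop the 0 ("none") entries and normalise UInt32 values to Int32
    # so they match the hashtable keys above.
    $running    = [int[]]@($DeviceGuard.SecurityServicesRunning    | Where-Object { $_ })
    $configured = [int[]]@($DeviceGuard.SecurityServicesConfigured | Where-Object { $_ })
    $name = { param($c) if ($ServiceNames.ContainsKey($c)) { $ServiceNames[$c] } else { "Unknown ($c)" } }

    [pscustomobject]@{
        VbsStatus  = $VbsStates[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        Configured = @($configured | ForEach-Object { & $name $_ })
        Running    = @($running    | ForEach-Object { & $name $_ })
        # The reply above ties the fault to Credential Guard and/or HVCI running.
        AffectsDriverSampling = [bool]($running | Where-Object { $_ -in 1, 2 })
    }
}

# Constructed sample matching the second post: only Credential Guard configured,
# which implicitly brings up virtualization-based security.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1)
    SecurityServicesRunning           = @(1)
}
Get-VbsSamplingStatus $sample

# Live query on the local machine; skipped if the class is not present.
$live = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
if ($live) { Get-VbsSamplingStatus $live }
```

A service that appears under Configured but not under Running after a policy change usually means the reboot step has not happened yet.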