I recently discovered a group policy error in my lab environment that was quite interesting. I only got the error on some of my Windows 10 machines, so I started to investigate. In the end the troubleshooting turned out to be unnecessary, but along the way I learned that several CSEs are not documented; there will be a post listing all the CSEs in Windows 10 soon.
When running GPUpdate, this message appears
So what is the {F312195E-3D9D-447A-A3F5-08DFFA24735E} ?
(Not in my case, but in other cases this may point to a Group Policy Object GUID; those can be found with the Group Policy Management Console or by browsing \\Domain\SysVol.)
In this case, {F312195E-3D9D-447A-A3F5-08DFFA24735E} is the GUID of a Group Policy Extension, or by its full name a CSE, Client Side Extension. So I did what everyone else does and started browsing MSDN and TechNet for more information about the CSE, with no luck. I really needed to understand this problem, so the troubleshooting started.
All Group Policy extensions are listed in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
And it looks something like this (note: this may not be the same list you see, due to installed applications, features, tools, etc.)
So I found this information for my extension
ProcessVirtualizationBasedSecurityGroupPolicy; that name brings Device Guard to mind. So which GPOs are using this CSE? Open regedit and browse to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
and search for the GUID: {F312195E-3D9D-447A-A3F5-08DFFA24735E}
I got two hits (the extension GUID is found in the Extensions value).
One hit was for the local group policy.
The other was a central GPO for Device Guard/Credential Guard, so I started looking at the central GPO.
I disabled the link by right-clicking the GPO and unchecking Link Enabled.
I re-ran GPUpdate /force on the client to be sure that all group policies were refreshed.
Finally the result was successful!
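The two registry lookups above can be scripted. This is an added example, not code from the original post: it resolves a CSE GUID to its registered name and DLL under GPExtensions, then walks the applied machine GPOs in DataStore\Machine\0 and lists those whose Extensions value references that CSE. It assumes the value names DllName, ProcessGroupPolicy(Ex), DisplayName, GPOName, FileSysPath and Link exist under those keys, and it only reads the registry.

```powershell
# Added example: find which CSE a GUID belongs to and which applied GPOs use it.
# Run in an elevated PowerShell on the affected client. Read-only.
param(
    # Defaults to the CSE GUID from the error in the post.
    [string]$CseGuid = '{F312195E-3D9D-447A-A3F5-08DFFA24735E}'
)

$gpExtRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$dataStore = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0'

# 1. Which CSE is this? The subkey's default value is the friendly name;
#    DllName and ProcessGroupPolicy(Ex) say which DLL/entry point implement it.
$cseKey = Join-Path $gpExtRoot $CseGuid
if (Test-Path $cseKey) {
    $cse = Get-ItemProperty -Path $cseKey
    [pscustomobject]@{
        Guid       = $CseGuid
        Name       = $cse.'(default)'
        DllName    = $cse.DllName
        EntryPoint = if ($cse.ProcessGroupPolicyEx) { $cse.ProcessGroupPolicyEx } else { $cse.ProcessGroupPolicy }
    } | Format-List
} else {
    Write-Warning "$CseGuid is not registered under GPExtensions on this machine"
}

# 2. Which applied GPOs use it? Each numbered subkey under DataStore\Machine\0
#    is one applied GPO; its Extensions value is a string of [{CSE}{GPO}...] pairs.
#    The local GPO shows up here too, with FileSysPath under C:\Windows\System32\GroupPolicy.
Get-ChildItem -Path $dataStore | ForEach-Object {
    $gpo = Get-ItemProperty -Path $_.PSPath
    if ($gpo.Extensions -and $gpo.Extensions.ToUpper().Contains($CseGuid.ToUpper())) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName   # GPO name as shown in GPMC
            GpoGuid     = $gpo.GPOName       # GPO GUID (folder name under SYSVOL)
            Source      = $gpo.FileSysPath   # SYSVOL or local GroupPolicy path
            LinkedAt    = $gpo.Link          # OU/domain DN, or LocalGPO
        }
    }
} | Format-Table -AutoSize
```

Any GPO listed in the second table is a candidate for the failing CSE; on a VM without nested virtualization, a Device Guard/Credential Guard GPO appearing here explains the error without needing to disable anything else.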
OK, to sum this up:
One of the requirements for Device Guard / Virtualization Based Security is the Hyper-V Hypervisor feature, and this cannot be enabled in VMs. (OK, yes, it is possible if you enable nested Hyper-V, but I haven't done that, because it does not work together with Isolated User Mode/vTPM.)
When you enable the Device Guard policy, it automatically tries to enable the required features, which fails because they are not supported in VMs. So this is by design: the error message just tells you that VBS/VSM/Device Guard was not able to start and the CSE failed.
Make sure to only enable Virtualization Based Security/Virtual Based Security/Credential Guard/Device Guard on physical machines that meet the hardware and software requirements, and remember to only enable Secure Boot and DMA protection on hardware where they are supported; otherwise Credential Guard will not be enabled.
More about the requirements for Device Guard/Credential Guard may be found here
Some random resources about Client Side Extensions
Ciao,
I instead solved the issue in this way:
Navigate to C:\Windows\System32\GroupPolicy\Machine, rename the registry.pol file to registry.bak and refresh the policy with gpupdate /force.
Ciao, Paolo
In my experience, you *can* indeed use VBS on VMs, BUT the following have to be true:
* Windows installed using (U)EFI firmware, *not* the legacy BIOS firmware
* Secure Boot enabled
* Hardware-assisted CPU virtualization feature of the CPU (Intel VT-x or AMD-V) must be exposed to the VM (“Expose hardware assisted virtualization to the guest OS” in VMware)
Note that the default (and “recommended”) firmware config in VMware is the legacy BIOS, which would preclude using VBS from the get-go, if Windows was installed using that firmware setting.
Thank you so much, this was driving me crazy
Thanks, I was starting to go a bit crazy over this error, couldn't find the root cause.
Excellent write up. I just started seeing this with a DoD deployment of Win 10, and we’re a test group.