Joined
Aug 21, 2013
Messages
66
#1
I have installed the Windows 1809 update and I have a setting under Core Isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one so if anyone can help much appreciated.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,180
#2
I have installed the Windows 1809 update and I have a setting under Core Isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one so if anyone can help much appreciated.
Just because the setting is in Windows 10 Home GUI does not automatically mean you can use it.

Microsoft is no one's friend and never explains anything clearly - most of all to Home users.

There are hardware (and probably other) requirements that your system must meet for System Guard functionality to work. I am not spending the time to research what Microsoft should be explaining to Home users, but here are the hardware requirements:

Virtualization-based Security (VBS)

Just an FYI for those that don't know... going forward this will be the scam that Microsoft runs... in order to have the latest and greatest Microsoft security, you will have to have the latest and greatest hardware. Another example of Microsoft holding the world hostage.
 

shmu26

Level 70
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,947
OS
Windows 10
#5
I have installed the Windows 1809 update and I have a setting under Core Isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one so if anyone can help much appreciated.
I have 1809 pro with updates, and I don't see that option at all. I have only Memory integrity, and that's it.
Maybe it is hardware-dependent.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,180
#6
I am running Windows Enterprise. Device Guard is running.
I mistakenly assumed you were running consumer. My bad.

Then look it up in the Microsoft documentation. Except for, like three people on the forums, no one runs Enterprise. I looked at my 10 Pro 1809 for it, and was like "Wut ?" But knowing how Microsoft is, didn't think anything of it. Now that I see you are running it makes perfect sense why it isn't showing on others' non-E1809 systems.
 
Joined
Aug 21, 2013
Messages
66
#7
Maybe they need to update the info. The setting wasn't there in 1803. I've searched a lot and didn't find anything about that specific setting. I will try to turn on Windows Defender later to see if there is any change. And I don't know how I can disable the setting by mistake in Group Policy because I can't find it anywhere.
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#8
maybe they need to update the info
Yeah people have been saying that since Windows XP. LOL

It'll never change while people are handing over their credit cards and keeping Microsoft rich with their market share. They won't bother to change until they absolutely must... as they have proven time and time over again. Good luck contacting them and having them address the fact that the documentation is outdated/needs to be updated!

Lack of documentation pretty much ruins their work from being used to its full potential by a majority - and it is no one else's choice except theirs to withhold or not dedicate resources to releasing good documentation. Microsoft aren't kidding anyone - they know how to write documentation when it suits them, they just do not want to for unknown reasons.
 
Joined
Sep 26, 2017
Messages
453
Antivirus
Microsoft
#9
Yeah people have been saying that since Windows XP. LOL

It'll never change while people are handing over their credit cards and keeping Microsoft rich with their market share. They won't bother to change until they absolutely must... as they have proven time and time over again.

Lack of documentation pretty much ruins their work from being used to its full potential by a majority - and it is no one else's choice except theirs to withhold or not dedicate resources to releasing good documentation. Microsoft aren't kidding anyone - they know how to write documentation when it suits them, they just do not want to for unknown reasons.
They'll take care of the Documentation when Core Isolation is ready for prime time, like they do with all the other features. Core Isolation is pretty much in BETA.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,180
#10
Yeah people have been saying that since Windows XP. LOL

It'll never change while people are handing over their credit cards and keeping Microsoft rich with their market share. They won't bother to change until they absolutely must... as they have proven time and time over again. Good luck contacting them and having them address the fact that the documentation is outdated/needs to be updated!

Lack of documentation pretty much ruins their work from being used to its full potential by a majority - and it is no one else's choice except theirs to withhold or not dedicate resources to releasing good documentation. Microsoft aren't kidding anyone - they know how to write documentation when it suits them, they just do not want to for unknown reasons.
Smack-down bro ! Open-palm smack-down ! Proper !

Krammbo OS

I will buy it.
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#11
If anyone is on Windows 10 1809 update and would like to give me a hand, then let me know in a PM and I will ask you to send me some files from SystemDrive:\Windows\System32\. I will then check them and may be able to let you know how to enable this firmware feature afterwards.

Note that there is no guarantee and even if I can find out for you how to enable the setting, absolutely all responsibility is yours. There is no official documentation and the feature is likely to be untested... so anything can happen. I do not recommend enabling the feature, even if I can provide undocumented information to it.
 

RejZoR

Level 9
Verified
Joined
Nov 26, 2016
Messages
444
OS
Windows 10
Antivirus
Avast
#12
Just because the setting is in Windows 10 Home GUI does not automatically mean you can use it.

Microsoft is no one's friend and never explains anything clearly - most of all to Home users.

There are hardware (and probably other) requirements that your system must meet for System Guard functionality to work. I am not spending the time to research what Microsoft should be explaining to Home users, but here are the hardware requirements:

Virtualization-based Security (VBS)

Just an FYI for those that don't know... going forward this will be the scam that Microsoft runs... in order to have the latest and greatest Microsoft security, you will have to have the latest and greatest hardware. Another example of Microsoft holding the world hostage.
Dude, what? That's like saying OMG, if you don't have DX12 capable graphic card, Microsoft is holding the technology back because reasons.

Hardware and software are always connected, saying it's Microsoft's fault because you have old hardware that doesn't have certain features or capabilities, that's not how it works. If system doesn't support specific HW feature, then it doesn't have one. I have Haswell-E class CPU that doesn't support certain security features. Should I blame MS ? Of course not. The other system with newer Atom however does. Or the AMD APU. That's just how it is. Always was and always will be.
 

shmu26

Level 70
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,947
OS
Windows 10
#13
I have installed the Windows 1809 update and I have a setting under Core Isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one so if anyone can help much appreciated.
Try opening Group Policy and see if you can activate the feature that way.
It is probably over here: Computer Configuration > Administrative Templates > System > Device Guard.
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#14
Try opening Group Policy and see if you can activate the feature that way.
It is probably over here: Computer Configuration > Administrative Templates > System > Device Guard.
Apparently there was no option there for it. Do you have one?

If there's an option for the firmware protection then I don't know what I was supposed to try and do later... I thought the issue was that no one knew how to enable it?
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#16
Thanks to @shmu26 and @overdivine for sharing some files with me which belong to their Windows 10 1809 environment... it is really appreciated and saved me some time.

I've taken a look and I've found a lead which may be the solution. Remember though, anything that happens by enabling this silently-snuck in feature which is still undocumented by Microsoft is the fault of anyone but me, and there is no guarantee that the feature even works yet, nor that my "solution" will work (it is untested and I do not plan on testing it anytime soon - do it at your own free will if you understand the risks).

There's a Windows Service named "Windows Defender Security Center Service" on Windows 10 and this is for a Win32 process named "SecurityHealthService.exe" (located under the System32 directory). This process is going to check the configurations for features like Device Guard and will do X and X depending on the configuration.

When I took a look at the SecurityHealthService.exe on my Windows 10 1803 environment, I could not find any evidence of the Windows Defender System Guard feature being referenced. However, when I did some investigation into the version of SecurityHealthService.exe from the environment of 1809 users, I did find evidence of the feature being referenced.

Below is a screenshot.

SystemGuard.png


If the key does not already exist, then create the following.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard -> Enabled (DWORD - set to the value of 1).

After creating/modifying the key, reboot your system and then re-check if the feature is enabled from the Windows Defender Settings area.

You should make sure you have a backup before doing this, just in case my solution works and the feature is buggy... the last thing you want is to toast your environment and not have a recovery route because you enabled an undocumented Windows Defender feature.
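
A read-only way to do the re-check described in the post above, added here as an example (it is not part of the original post and not Microsoft's tooling): it reads the `Enabled` value under the registry path given above and compares it with what the `Win32_DeviceGuard` CIM class reports as available and running. The value-to-name maps are assumptions taken from the documented meaning of that class, and treating running-service value 3 as the feature behind the Security Center toggle is also an assumption.

```powershell
# Added example: read-only, changes nothing on the system.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

# Configured state: the Enabled DWORD described in the post above.
$configured = $null
if (Test-Path -LiteralPath $path) {
    $configured = (Get-ItemProperty -LiteralPath $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
}

# Effective state: what the OS reports after boot.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# Value-to-name maps (assumed from the Win32_DeviceGuard documentation).
$propNames = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                4 = 'Secure memory overwrite'; 5 = 'NX protections'
                6 = 'SMM mitigations'; 7 = 'MBEC/GMET'; 8 = 'APIC virtualization' }
$svcNames  = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$vbsNames  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Resolve-Names($Values, $Map) {
    # CIM returns UInt32 values; cast to [int] so they match the hashtable keys.
    $names = foreach ($v in $Values) {
        if ($Map.ContainsKey([int]$v)) { $Map[[int]$v] } else { "Unknown ($v)" }
    }
    if ($names) { $names -join ', ' } else { 'none reported' }
}

$secureLaunchRunning = $false
if ($dg) { $secureLaunchRunning = @($dg.SecurityServicesRunning) -contains 3 }

[pscustomobject]@{
    RegistryEnabled     = if ($null -eq $configured) { 'not set' } else { $configured }
    VbsStatus           = if ($dg) { $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'class unavailable' }
    AvailableProperties = if ($dg) { Resolve-Names $dg.AvailableSecurityProperties $propNames } else { 'n/a' }
    ServicesConfigured  = if ($dg) { Resolve-Names $dg.SecurityServicesConfigured $svcNames } else { 'n/a' }
    ServicesRunning     = if ($dg) { Resolve-Names $dg.SecurityServicesRunning $svcNames } else { 'n/a' }
    SecureLaunchRunning = $secureLaunchRunning
} | Format-List

# A set registry value with no running service points at unmet requirements or a pending reboot.
if ($configured -eq 1 -and -not $secureLaunchRunning) {
    Write-Warning 'Enabled=1 is set, but the OS does not report the service as running.'
}
```

Running it once before and once after the reboot shows whether the registry value had any effect; an elevated prompt may be needed to query the CIM class.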
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,180
#20
Dude, what? That's like saying OMG, if you don't have DX12 capable graphic card, Microsoft is holding the technology back because reasons.

Hardware and software are always connected, saying it's Microsoft's fault because you have old hardware that doesn't have certain features or capabilities, that's not how it works. If system doesn't support specific HW feature, then it doesn't have one. I have Haswell-E class CPU that doesn't support certain security features. Should I blame MS ? Of course not. The other system with newer Atom however does. Or the AMD APU. That's just how it is. Always was and always will be.
You are absolutely correct. However, it is Microsoft that establishes its certification scams. It isn't as if there is some independent, unbiased 3rd-party involved in or overseeing that whole process with the goal being to establish minimum, cost effective and fair standards. No, the "standard" is what Microsoft says it is. In this way Microsoft can lead parties around by the nose and milk them for even more money.