Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, March 31, 2017 7:58 AM
All our clients having issues applying a GPO with Device Guard settings since some days.
<Data Name="ErrorCode">2147942402</Data>
><Data Name="CSEExtensionName">{F312195E-3D9D-447A-A3F5-08DFFA24735E}</Data>
The Problem is that the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity"
is missing.
From Process Monitor:
08:54:33,2109386 svchost.exe 9820 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity NAME NOT FOUND Length: 144
When I manually create a DWORD value "HypervisorEnforcedCodeIntegrity" with value 0 the error goes away and the policy applies fine again.
Windows 10 Enterprise 1607
Build 14393.970
All replies (11)
Monday, April 3, 2017 6:33 AM
Hi ,
Your discovery is valuable, we appreciate your study and feedback. I would like to introduce your solution to other community members who have similar issues. I also did some research, I found it could be related to the Microsoft-Windows-DeviceGuard-Unattend component. The below is a reference link for you. Hope it will be helpful.
Microsoft-Windows-DeviceGuard-Unattend
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, April 3, 2017 8:09 AM
Now the value got lost again. Looks like the CSE has a bug...
Tuesday, April 4, 2017 8:41 AM
Hi ,
I think we could recreate the value, then set up Registry Auditing to monitor this value. If it is lost again, then we should be able to find who delete it.
Monitoring when registry keys are modified
https://blogs.msdn.microsoft.com/cobold/2011/11/29/monitoring-when-registry-keys-are-modified/
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, April 4, 2017 9:19 AM
It disappears on gpupdate /force
11:15:32,4210036 svchost.exe 8852 RegOpenKey HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard SUCCESS Desired Access: Write
11:15:32,4210326 svchost.exe 8852 RegCloseKey HKLM SUCCESS
11:15:32,4210544 svchost.exe 8852 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity SUCCESS
11:15:32,4211427 svchost.exe 1016 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access
11:15:32,4211500 svchost.exe 520 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
11:15:32,4211845 svchost.exe 8852 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard SUCCESS
Thursday, September 14, 2017 9:47 PM | 1 vote
Did you ever resolve this? we're seeing an identical error, but our HypervisorEnforcedCodeIntegrity is present and set to 2. changing it to 0 does not stick, it stays 2 without any gpupdate.
We do have a GPO in place to force it to 0 as we have some devices that don't support deviceguard/hvci yet, but it doesn't seem to take effect even though it's highest precedence over any other policies touching that key. even after running the DGCG tool to disable it entirely the key is still set to 2 and a gpupdate returns the F312195E-3D9D-447A-A3F5-08DFFA24735E failed to apply error
Friday, March 9, 2018 4:22 PM
Did you ever happen to find a solution to this? I've been battling this thing for about a week now and have made little headway. I am seeing the exact same issue you have described, tried running DGCG and everything. Anything you may have for me to help would be appreciated.
Friday, June 15, 2018 11:32 AM
Hey there! I am running into this issue as well. A guy wrote up an article on how he located and resolved this issue. Hope this helps.
https://deploywindows.com/2016/02/08/failed-to-apply-group-policy/
V/r,
~ Rhiannon
Friday, June 15, 2018 11:38 AM
Here is another article on it. Seems to be a regular occurance.
Thursday, June 21, 2018 3:49 PM
I have this issue with 1607 as well. I set the Group Policy to set HypervisorEnforcedCodeIntegrity to 0 and confirmed the registry is set to 0 but the error continues to occur.
Any updates?
lforbes
Wednesday, January 30, 2019 9:18 PM | 1 vote
The error we ran into in the GPResult log was:
{F312195E-3D9D-447A-A3F5-08DFFA24735E} failed due to the error listed below.
Secure Boot is not enabled on this machine.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 2019-01-29 10:32:55 AM and 2019-01-29 10:32:55 AM.
And in the event log:
1085
2019-01-29 11:10:10 AM
Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on the "More information" link.
There following were being set by local policy (from Computer Configuration\Administrative Templates\System\Device Guard - Turn On Virtualization Based Security):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000001 (Enable Virtualization Based)
"HypervisorEnforcedCodeIntegrity"=dword:00000001 (Code integrity for the hypervisor is enabled)
"LsaCfgFlags"=dword:00000001 (Enables Credential Guard)
"RequirePlatformSecurityFeatures"=dword:00000003 (Enable Virtualization Based Security with Secure Boot and DMA)
-And Secure boot was not enabled on the machine
Thursday, May 16, 2019 8:17 AM
The error we ran into in the GPResult log was:
{F312195E-3D9D-447A-A3F5-08DFFA24735E} failed due to the error listed below.
Secure Boot is not enabled on this machine.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 2019-01-29 10:32:55 AM and 2019-01-29 10:32:55 AM.
And in the event log:
1085
2019-01-29 11:10:10 AM
Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on the "More information" link.There following were being set by local policy (from Computer Configuration\Administrative Templates\System\Device Guard - Turn On Virtualization Based Security):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000001 (Enable Virtualization Based)
"HypervisorEnforcedCodeIntegrity"=dword:00000001 (Code integrity for the hypervisor is enabled)
"LsaCfgFlags"=dword:00000001 (Enables Credential Guard)
"RequirePlatformSecurityFeatures"=dword:00000003 (Enable Virtualization Based Security with Secure Boot and DMA)-And Secure boot was not enabled on the machine
Thank you for this post LijuV. It saves my head after trying to look for a solution for about 1 month to get rid of this error from a Bartec machine.