With the release of Deep Freeze 9.0, support for Core Isolation and Memory Integrity Protection is available in Deep Freeze Standard and Enterprise.
To install Deep Freeze successfully on Windows systems with Memory Integrity enabled, Memory Integrity must be disabled manually before proceeding with the installation. Follow these steps to disable it:
- Open Windows Security settings.
- Navigate to Device Security -> Core Isolation.
- Toggle the "Memory Integrity" switch to the Off position.
- Restart the system for the changes to take effect.
Alternatively, Memory Integrity can be disabled by editing the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
Set this value (DWORD) to 0 to disable the feature, then reboot.
In some environments, Memory Integrity may have been enabled through Local Policy or Group Policy. In that case the Memory Integrity toggle in Windows Settings cannot be modified and shows the message "This setting is managed by your administrator". To disable it, follow these steps:
- Open the Local Policy Editor (gpedit.msc).
- Navigate to Computer Configuration -> Administrative Templates -> System -> Device Guard.
- Open the "Turn On Virtualization Based Security" policy.
- Find the “Virtualization Based Protection Code Integrity” sub-policy and set it to "Disabled".
- Restart the system for the changes to take effect.
In a domain environment, this policy may have been applied to the target systems through the Group Policy Management application (gpmc.msc) on the Domain Controller, in which case it must be disabled from the Domain Controller. Furthermore, in domain environments where this specific policy has not been set, Memory Integrity can be overridden and turned off using this policy, which supersedes the Memory Integrity configuration in Windows Settings.
Note that the Virtualization Based Security policy can remain enabled as long as Code Integrity stays disabled. Turning off the Virtualization Based Security policy deactivates all security features within it. Although this will effectively turn off Memory Integrity, doing so may weaken the system's security and affect some system features that rely on it.
UEFI Lock
On certain systems, Memory Integrity may be enabled in the "Virtualization Based Protection Code Integrity" policy with the UEFI lock option ("Enabled with UEFI lock"). This setting prevents the operating system from disabling Memory Integrity using any of the methods described above. In that scenario, Windows disregards any further changes to the "Virtualization Based Protection Code Integrity" policy, and the Memory Integrity setting in Windows Settings keeps reverting to 'Enabled' upon reboot. Another indicator of this situation is that the MSInfo32 utility continues to show the "Hypervisor enforced Code Integrity" feature as running after an attempt to disable Memory Integrity. Consequently, the Deep Freeze installation remains blocked.
In such circumstances, the most effective way to disable Memory Integrity is to enter the UEFI settings and disable the Secure Boot option. Disabling Secure Boot deactivates Memory Integrity on the next system startup, along with all other features that depend on Secure Boot.
Note that after startup the Memory Integrity option may still display "Enabled" in Windows Settings and in the policy; however, the MSInfo32 utility will correctly indicate "Hypervisor enforced Code Integrity" as not running. In that case it is still necessary to set Memory Integrity to a disabled state as described above. Deep Freeze can then be installed successfully.
It is recommended that Secure Boot and its associated features be re-enabled afterwards, with the exception of Memory Integrity.
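The following PowerShell script is an added example, not code from Faronics or the Deep Freeze installer. It ties together the checks behind the registry method and the UEFI lock diagnosis above: it reads the scenario key named in this article, the Device Guard policy key that gpedit.msc and Group Policy write to (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, where HypervisorEnforcedCodeIntegrity is 0 for Disabled, 1 for "Enabled with UEFI lock" and 2 for enabled without lock), the Win32_DeviceGuard CIM class that reports the same running state MSInfo32 shows as "Hypervisor enforced Code Integrity", and the firmware Secure Boot flag via Confirm-SecureBootUEFI. Those key names, the CIM class and the cmdlet are not mentioned on this page and are assumed from standard Windows; the Situation text and the -Disable switch are this example's own additions. Run it elevated; a reboot is still needed after any change.

```powershell
#Requires -RunAsAdministrator
# Added example (not Faronics/Deep Freeze code). Reports Memory Integrity (HVCI) state from
# the registry, the Device Guard policy, the Device Guard CIM class and Secure Boot, says
# which situation from the article applies, and with -Disable writes Enabled=0 to the
# scenario key. A restart is required for any change to take effect.
[CmdletBinding()]
param([switch]$Disable)

$ScenarioKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'   # written by gpedit.msc / GPO (assumed, not from the article)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-MemoryIntegrityState {
    # Win32_DeviceGuard is the programmatic equivalent of the MSInfo32 Device Guard lines.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $null }  # $null: legacy BIOS or not queryable

    $state = [ordered]@{
        RegistryEnabled = Get-RegValue $ScenarioKey 'Enabled'                        # 1 on, 0 off, $null absent
        PolicyValue     = Get-RegValue $PolicyKey 'HypervisorEnforcedCodeIntegrity'  # $null not managed; 0 disabled; 1 with UEFI lock; 2 without lock
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2)             # 2 = HVCI in the list of running services
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus                       # 0 off, 1 enabled but not running, 2 running
        SecureBoot      = $secureBoot
    }

    $situation =
        if (-not $state.HvciRunning) {
            'HVCI is not running. If Settings or policy still show Enabled, set them to Off as described, then install Deep Freeze.'
        } elseif ($state.PolicyValue -eq 1) {
            'Policy is "Enabled with UEFI lock": OS-level changes are ignored. Disable Secure Boot in UEFI, reboot, then set Memory Integrity Off.'
        } elseif ($null -ne $state.PolicyValue) {
            'Managed by policy: change it in gpedit.msc (or on the Domain Controller), not in Settings or the registry.'
        } elseif ($state.RegistryEnabled -eq 0 -and $state.SecureBoot -eq $true) {
            'Registry says Off but HVCI still runs with Secure Boot on: treat as UEFI-locked. Disable Secure Boot in UEFI and reboot.'
        } else {
            'HVCI running and not policy-managed: turn Memory Integrity Off (Settings or -Disable) and reboot.'
        }
    $state.Situation = $situation
    [pscustomobject]$state
}

$current = Get-MemoryIntegrityState
$current | Format-List

if ($Disable) {
    if ($null -ne $current.PolicyValue) {
        Write-Warning 'Not changing the registry: Memory Integrity is policy-managed and the policy would win on the next refresh.'
        return
    }
    if (-not (Test-Path $ScenarioKey)) { New-Item -Path $ScenarioKey -Force | Out-Null }
    Set-ItemProperty -Path $ScenarioKey -Name Enabled -Value 0 -Type DWord
    Write-Host 'Enabled set to 0. Restart, re-run this script and confirm HvciRunning is False before installing Deep Freeze.'
}
```

Run it once without arguments to see which of the three situations (plain registry toggle, policy-managed, UEFI-locked) applies, and again after the reboot to confirm HvciRunning is False; only the first situation is handled by -Disable, the other two need gpedit.msc, the Domain Controller, or the firmware Secure Boot setting as described above.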
Upgrading Deep Freeze to version 8.63 onwards from older versions
When performing a straight upgrade of Deep Freeze from an older version to version 8.63 or later, no specific action regarding Memory Integrity is needed, because older versions of Deep Freeze automatically disable the Memory Integrity option and enforce that setting.
The same applies when upgrading by uninstalling an older version of Deep Freeze and installing version 8.63, since Memory Integrity remains disabled after uninstallation.
Adam Zilliax