Did you by any chance enable the policy with the UEFI lock ?
If yes, you need to perform additional steps to entirely disable the memory integrity security function, as described here: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disabling-windows-defender-credential-guard-with-uefi-lock
Thank you for your response, @Harvester57. I acknowledge that the script indeed enables memory integrity with UEFI lock. I followed the steps you provided to disable the memory integrity security function.
To provide more clarity, I made modifications to the following:
Under Computer Configuration > Administrative Templates > System > Device Guard, I set the 'Turn on Virtualization Based Security' to off.
Additionally, I changed the registry value HKLM > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios > CredentialGuard to 0.
However, I'm facing an issue. Despite making these changes and restarting the system, Memory Integrity seems to be reactivating itself. Interestingly, I did not find the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags on my system.
I am implementing the script on a fresh Windows installation. I would appreciate any further insight you might have into why Memory Integrity is still reactivating itself despite these steps.
Your assistance is greatly appreciated. Thank you.
Thank you @Harvester57 for helping ^^
@starraiderx Sorry for the delay, please refer to this official doc:
Select Enabled and under Virtualization Based Protection of Code Integrity, select Enabled without UEFI lock. Only select Enabled with UEFI lock if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
TL;DR: You need to go to UEFI settings and turn off Secure Boot.
P.S the entire point of using UEFI Lock is to prevent this exact situation, to prevent security features such as Memory Integrity from turning off by Registry or Group Policy manipulation, but since you have physical access to your device, know the UEFI password and you're the device owner, you can turn it off. 🙂
Btw, if you're using Bitlocker encryption with the same security settings that this script uses, you will need your 48-digit recovery password after turning off Secure Boot.
If you've deployed WDAC policies using my module, especially signed ones, you need to turn them off first too.
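To check whether a UEFI lock is what keeps memory integrity switched on after the GPO and registry changes, here is an added PowerShell audit script; it is not from this thread or from the Harden Windows Security module. It assumes the Win32_DeviceGuard CIM class and the DeviceGuard / LSA registry locations documented by Microsoft, and the `Enabled` and `Locked` value names are the standard ones rather than values taken from this thread.

```powershell
# Added example (not from the thread or the project): report the live VBS/HVCI state
# and the lock flags that an "Enabled with UEFI lock" configuration leaves behind.
function Get-MemoryIntegrityLockState {
    [CmdletBinding()]
    param()

    # Live state as reported by the platform, not by policy.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvciRunning = $dg.SecurityServicesRunning -contains 2
    $cgRunning   = $dg.SecurityServicesRunning -contains 1

    # Registry locations written by the VBS settings and by Group Policy.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci   = Join-Path $base 'Scenarios\HypervisorEnforcedCodeIntegrity'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

    # Returns $null when the value is absent, so a missing key shows as such.
    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null } else { return [int]$item.$Name }
    }

    [PSCustomObject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled, 2 running
        HvciRunning            = $hvciRunning
        CredentialGuardRunning = $cgRunning
        VbsLocked              = Read-Dword $base 'Locked'      # 1 = VBS itself is UEFI-locked
        HvciEnabled            = Read-Dword $hvci 'Enabled'
        HvciLocked             = Read-Dword $hvci 'Locked'      # 1 = memory integrity is UEFI-locked
        LsaCfgFlags            = Read-Dword $lsa 'LsaCfgFlags'  # 1 = CG with UEFI lock, 2 = without
        PolicyVbsEnabled       = Read-Dword $policy 'EnableVirtualizationBasedSecurity'
        PolicyLsaCfgFlags      = Read-Dword $policy 'LsaCfgFlags'  # absent when no GPO set Credential Guard
    }
}

$state = Get-MemoryIntegrityLockState
$state | Format-List
if (($state.VbsLocked -eq 1 -or $state.HvciLocked -eq 1 -or $state.LsaCfgFlags -eq 1) -and $state.HvciRunning) {
    Write-Warning 'A UEFI lock is set: GPO and registry changes alone will not turn memory integrity off. Clear it from firmware (turn off Secure Boot, reboot) as described above.'
}
```

Run it from an elevated PowerShell before and after the firmware step; a `Locked` value of 1 together with `HvciRunning` being true is the signature of the situation this thread describes.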
Solved! Thank you so much!
You're welcome ^^
Firstly, I'd like to express my appreciation for the effort put into the Harden Windows Security repository.
However, I have encountered a problem while trying to use the script provided in the repository.
The issue pertains to the Memory Integrity feature. After going into the Group Policies and Registry Editor, I successfully disabled the corresponding entries for Memory Integrity, effectively removing its management by the administrator.
However, the problem arises when I attempt to switch off Memory Integrity. Despite successfully disabling it and restarting the system, Memory Integrity seems to reactivate itself.
I am unsure as to why this is happening and would appreciate any assistance in resolving this issue.
Thank you for your time and support.