Windows 10 Core isolation Memory integrity

How to get a Windows 10 „Memory integrity“ Debug Log (Core isolation)

So you want to enable Windows 10’s security feature „Memory integrity“ which is part of „Core isolation“? But when you move the switch to „On“, you always get the error message „Memory integrity can’t be started. There may be an incompatibility on your device“?

Here is how to figure out what is incompatible on your device

  1. Download Microsoft’s official „Device Guard and Credential Guard hardware readiness tool“, which is basically a PowerShell script. Extract the downloaded zip file to a folder of your choice.
  2. Open PowerShell with „Run as administrator“ (admin privileges) and navigate to the folder with the extracted files.
  3. First we have to allow executing the script using this command:
    Set-ExecutionPolicy Unrestricted
  4. Execute the script using the „Capable“ parameter:
    .\DG_Readiness_Tool_v3.6.ps1 -Capable
  5. Now the script will install a special driver used to verify your hardware and installed drivers, but you have to restart the PC and come back to the script afterwards. So restart the PC now!
  6. Again, open PowerShell with „Run as administrator“.
  7. Again, execute Microsoft’s tool using the „Capable“ parameter:
    .\DG_Readiness_Tool_v3.6.ps1 -Capable
    Now the script should execute the scan using the special driver, thus checking your hardware and drivers for compatibility.
    You will get a colored log directly in PowerShell and also a log file stored on your disk, the location is:
    C:\DGLogs\DeviceGuardCheckLog.txt
    Check for yellow and red lines in the log. If you are especially interested in incompatible drivers, look for the message
    Incompatible HVCI Kernel Driver Modules found
    Incompatible drivers should be listed below that message.
  8. So now that you have your log file, let’s clean up the system again (i.e. remove the special driver that was installed by the script).
    Execute Microsoft’s tool using the „Clear“ parameter:
    .\DG_Readiness_Tool_v3.6.ps1 -Clear
  9. Restart the PC to get the special driver uninstalled.
  10. Again, open PowerShell with „Run as administrator“.
  11. Now we also restore the default safe script execution policy using this command in PowerShell:
    Set-ExecutionPolicy Restricted
  12. Done!
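
To pull just the driver names out of the log from step 7 and see which installed driver service each belongs to, you can use the following PowerShell script (an added example, not part of Microsoft's tool or of the original post). It assumes the driver list runs from the marker line to the next blank line and that drivers appear as `.sys` file names; the sample log and `exampledrv.sys` are constructed, and `Get-HvciIncompatibleDriver` is a hypothetical helper name.

```powershell
$LogPath = 'C:\DGLogs\DeviceGuardCheckLog.txt'
$Marker  = 'Incompatible HVCI Kernel Driver Modules found'

# Constructed sample, used only when the real log is absent. The layout below
# the marker and the driver name are invented for illustration.
$SampleLog = @(
    'Readiness Tool sample line (constructed)'
    'Incompatible HVCI Kernel Driver Modules found'
    'Module: exampledrv.sys'
    '    Reason: constructed placeholder text'
    ''
    'Another unrelated line (constructed)'
)

function Get-HvciIncompatibleDriver {
    param([string[]]$Lines, [string]$Marker)
    $inBlock = $false
    $names = foreach ($line in $Lines) {
        if ($line -match [regex]::Escape($Marker)) { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        # Assumption: the driver list ends at the first blank line.
        if ([string]::IsNullOrWhiteSpace($line)) { $inBlock = $false; continue }
        # Assumption: drivers are referenced by their .sys file name.
        [regex]::Matches($line, '[\w\-\.]+\.sys\b', 'IgnoreCase') |
            ForEach-Object { $_.Value.ToLowerInvariant() }
    }
    # The marker can occur more than once in the log, so de-duplicate.
    $names | Sort-Object -Unique
}

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $SampleLog }
$drivers = @(Get-HvciIncompatibleDriver -Lines $lines -Marker $Marker)

if ($drivers.Count -eq 0) {
    'No driver names found below the marker line.'
} else {
    # Map each file name to the installed kernel driver service, if any,
    # so you know which package to update or uninstall.
    $installed = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        $hit = $installed | Where-Object { $_.PathName -and (($_.PathName -split '\\')[-1] -ieq $d) }
        [pscustomobject]@{
            Driver      = $d
            Service     = ($hit.Name -join ', ')
            DisplayName = ($hit.DisplayName -join ', ')
            Path        = ($hit.PathName -join ', ')
        }
    }
}
```

An empty `Service` column means no installed kernel driver service points at that file name, so the file may be a leftover from software that was already uninstalled.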
