Forum Discussion
HotCakeX
Dec 29, 2019
MVP
[SOLVED] Memory Integrity bounces back to "turned off" state after Windows restart - fast ring 19536
This is an old post and the issue is no longer relevant. This has been happening since a couple of builds ago as well. I turn on the Memory Integrity in Core isolation section of Windows Defende...
Keith_KeplerMS
Microsoft
Oct 29, 2024
I was seeing this issue as well and here is how I resolved it. After 2 weeks, it's stayed enabled after reboots, hibernate, etc. I do not have any incompatible drivers that would conflict with HVCI / Memory Integrity and turn this off, so it's not a driver causing this.
For me, the solution was to disable and then re-enable hibernate so a new hiber.sys file would be created with the necessary memory encryption for when "Memory Integrity" is ON. I primarily use Hibernate to shutdown at night.
1. Open an Admin Command prompt and execute the below to delete the hiber.sys file and bcd boot entries
powercfg /hibernate off
2. Turn on Memory Integrity and reboot.
3. Open an Admin Command prompt and enable hibernate.
powercfg /hibernate on
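A diagnostic to confirm the symptom before and after the workaround, added here as an example (it is not from Keith's post nor a Microsoft tool). It reads the documented Win32_DeviceGuard CIM class plus the registry values written by the Memory Integrity toggle and by powercfg; the registry paths are assumed to match current Windows 10/11 builds. Run it in an elevated PowerShell session.

```powershell
# Added example: report configured vs running Memory Integrity (HVCI) and hibernation state.
function Get-MemoryIntegrityState {
    # Win32_DeviceGuard distinguishes what is configured from what is actually running.
    # In SecurityServicesConfigured / SecurityServicesRunning, value 2 = HVCI (Memory Integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    # The Core isolation UI toggle writes Enabled=1 here (path assumed for current builds).
    # Enabled=1 with HVCI not running after a reboot is the "bounced back" symptom.
    $hvciKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $uiEnabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # HibernateEnabled is the value that "powercfg /hibernate on|off" flips.
    $powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernate = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    # hiberfil.sys is hidden+system, so use the .NET call rather than a directory listing.
    $hiberfil  = [System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys")

    [pscustomobject]@{
        UiToggleEnabled  = ($uiEnabled -eq 1)
        HvciConfigured   = $hvciConfigured
        HvciRunning      = $hvciRunning
        BouncedBack      = ($uiEnabled -eq 1) -and (-not $hvciRunning)
        HibernateEnabled = ($hibernate -eq 1)
        HiberfilPresent  = $hiberfil
        VbsStatus        = $dg.VirtualizationBasedSecurityStatus   # 0 = off, 1 = enabled not running, 2 = running
    }
}

$state = Get-MemoryIntegrityState
$state | Format-List

if ($state.BouncedBack -and $state.HibernateEnabled) {
    Write-Host 'Memory Integrity is set in the UI but is not running, and hibernation is enabled.'
    Write-Host 'Matches the thread: powercfg /hibernate off, enable Memory Integrity, reboot, then powercfg /hibernate on.'
}
```

Run it once before step 1 and again after step 3; the workaround has taken if BouncedBack flips to False while HibernateEnabled and HiberfilPresent are back to True.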
jimp335
Oct 29, 2024
Copper Contributor
Thanks. I'll give it a try. Any ideas why a hibernate command causes the issue?
Jim
- Keith_KeplerMS
Oct 29, 2024
Microsoft
From what I understand, it has to do with the entire Dynamic Root of Trust Measurement (DRTM) boot process when hibernate is involved. (Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog).
I thought, perhaps when my hiberfil.sys file was created, it (and the relevant BCD entries) were made without the necessary signatures to support Memory Integrity or it was made with a prior release of Windows where security feature X or Y did not exist yet. So, I took a logical leap of faith and removed it and recreated it "after" having Memory Integrity on. I was pleasantly surprised to find it resolved my issue.
FYI: My device is a corp Entra joined device with BitLocker/Secure Boot enabled.
- Deleted
Oct 30, 2024
How System Guard helps protect Windows | Microsoft Learn
Windows Hibernation is an outdated tool: it saves data to the hard drive. In my opinion it is not safe, so it does not exist by default in the settings.
"As Windows boots, a series of integrity measurements are taken by System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few."
Thank you 🙂
Windows hardware security | Microsoft Learn