I recently discovered a quite interesting group policy error in my lab environment. I only got the error for some of my Windows 10 machines, so I started to investigate. In the end this was totally unnecessary troubleshooting, but along the way I learned that there are several undocumented CSEs; there will be a post about all the CSEs in Windows 10 soon.

When running GPUpdate, this message appears:

image

So what is {F312195E-3D9D-447A-A3F5-08DFFA24735E}?

(Not in my case, but in other cases this may point to a Group Policy Object GUID; those can be discovered with either the Group Policy Management tool or by browsing \\Domain\SysVol.)

Anyway, in this case {F312195E-3D9D-447A-A3F5-08DFFA24735E} is the GUID of a Group Policy Extension, or by its full name a CSE, Client Side Extension. So I did what everyone else does and started browsing MSDN and TechNet for more information about the CSE, but with no luck. I really needed to understand this problem, so the troubleshooting started.

All group policy extensions are listed in the registry under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

And it looks something like this (Note: this may not be the same list you are seeing, due to installed applications, features, tools etc.):

image

So I found this information for my extension:

image

ProcessVirtualizationBasedSecurityGroupPolicy brings Device Guard to mind. So which GPOs are using this CSE? Open regedit and browse to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0

and search for the GUID {F312195E-3D9D-447A-A3F5-08DFFA24735E}.

I got two hits (the extension GUID is found in the Extensions value):

One hit was for the local group policy.

The other was a central GPO for Device Guard/Credential Guard, so I started looking at the central GPO.
I disabled the link by right-clicking the GPO and unchecking Link Enabled.
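The two manual registry lookups above (resolve the CSE GUID in GPExtensions, then find which GPOs in DataStore reference it) can be scripted. This is an added example, not code from the original post; it assumes the per-GPO subkeys under DataStore\Machine\0 carry DisplayName, GPOName, Link and Extensions string values, as they do on Windows 10, and it should be run in an elevated PowerShell session.

```powershell
# Added example (not from the original post): map a CSE GUID from a gpupdate
# error to its registered extension, then list the GPOs applied to this
# machine whose Extensions value references that CSE.
# Assumption: DataStore per-GPO subkeys expose DisplayName, GPOName, Link and
# Extensions (Windows 10 layout). Run elevated; read-only, nothing is changed.

function Get-CseInfo {
    param([Parameter(Mandatory)][string]$Guid)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$Guid"
    if (-not (Test-Path $key)) { return $null }   # unknown / unregistered CSE
    $p = Get-ItemProperty -Path $key
    # Older CSEs export ProcessGroupPolicy, newer ones ProcessGroupPolicyEx.
    $entry = if ($p.ProcessGroupPolicyEx) { $p.ProcessGroupPolicyEx } else { $p.ProcessGroupPolicy }
    [pscustomobject]@{
        Guid       = $Guid
        Name       = $p.'(default)'   # e.g. the "Device Guard"-style display name
        DllName    = $p.DllName       # DLL that implements the extension
        EntryPoint = $entry           # e.g. ProcessVirtualizationBasedSecurityGroupPolicy
    }
}

function Get-GpoUsingCse {
    param([Parameter(Mandatory)][string]$Guid)
    $root = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0"
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Extensions looks like "[{CSE GUID}{snap-in GUID}...][...]"; a
        # case-insensitive substring match on the CSE GUID is sufficient.
        if ($p.Extensions -and $p.Extensions.ToUpperInvariant().Contains($Guid.ToUpperInvariant())) {
            [pscustomobject]@{
                DisplayName = $p.DisplayName   # friendly GPO name
                GPOName     = $p.GPOName       # GPO GUID, or "Local Group Policy"
                Link        = $p.Link          # where it is linked (local / LDAP path)
            }
        }
    }
}

$cse = '{F312195E-3D9D-447A-A3F5-08DFFA24735E}'   # GUID from the gpupdate error above
Get-CseInfo -Guid $cse | Format-List
Get-GpoUsingCse -Guid $cse | Format-Table -AutoSize
```

If Get-CseInfo returns nothing, the GUID is not a registered CSE on that machine and is more likely a GPO GUID, which is the other case mentioned above.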

I re-ran GPUpdate /force on the client to be sure that all group policies were refreshed.
Finally the result was successful!

image

OK, to sum this up:

One of the requirements for Device Guard or Virtualization Based Security is the Hyper-V Hypervisor feature, and this cannot be enabled in VMs. (OK, yes, it is possible if you enable nested Hyper-V, but I haven't done that, because it does not work together with Isolated User Mode/vTPM.)

When you enable the Device Guard policy it will automatically try to enable the required features, and this fails because they are not supported in VMs. So this is by design: the error message just tells you that VBS/VSM/Device Guard was not able to start and the CSE failed.

Make sure to only enable Virtualization Based Security/Virtual Based Security/Credential Guard/Device Guard on physical machines that meet the hardware and software requirements, and remember to only enable Secure Boot and DMA protection on hardware where they are supported, else Credential Guard will not be enabled.

More about the requirements for Device Guard/Credential Guard may be found here.

Some random resources about Client Side Extensions
