cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

b26063 - Bug Bash - Windows Security > Device Security - Cannot enable VBS anymore - FIXED

Karl_Wester-Ebbinghaus
MVP

‎Mar 03 2024 05:12 AM - edited ‎Mar 04 2024 12:38 PM

‎Mar 03 2024 05:12 AM - edited ‎Mar 04 2024 12:38 PM

b26063 - Bug Bash - Windows Security > Device Security - Cannot enable VBS anymore - FIXED

I have updated my UEFI and redeployed Secure Boot settings.

now on all windows versions (multiboot) I cannot enable VBS and Core Isolation anymore. I could enable it without errors but it becomes disabled after reboot.

Potentially related error message: 
PCR7: Binding not possible

Problems:
cannot enable security features / will be disable after reboot or "blocked as if GPO controlled"
cannot start Hyper-V VMs anymore due missing VBS

Affected Builds:
Windows 11 23H2 02-2024 
Windows 11 24H2 02-2024 Dev
Windows Server 2022 02-2024
Windows Server 2025 (Azure Edition) b26063.

Could this be related to this action? Have not executed it yet.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/...


Unlike to Windows Server, on Windows 11 all other security settings are disabled now, too (stated they are controlled by the admin)

Reinstallation of the OS didn't help. Anyone else seeing this?

Karl_WesterEbbinghaus_0-1709471340018.png

 

Karl_WesterEbbinghaus_1-1709471381577.png

Karl_WesterEbbinghaus_2-1709471429517.png

 

 

Labels:
293 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Karl_Wester-Ebbinghaus (MVP)
Karl_Wester-Ebbinghaus

‎Mar 03 2024 05:54 AM - edited ‎Mar 11 2024 11:13 PM

‎Mar 03 2024 05:54 AM - edited ‎Mar 11 2024 11:13 PM

Solution

Re: b26063 - Bug Bash - Windows Security > Device Security - Cannot enable VBS anymore - FIXED

Ok fixed it. There is a new (BETA) BIOS, released some days ago, which addresses the issue. It is not mentioned in the release notes though.

I have the strong feeling it is related to the UEFI secure boot changes described in the linked article.

Believe we could need an urgent advisory. A blogpost isn't enought if this is true.
If the February changes (not yet fully proven) are able to disable security with unpatched UEFI devices, this would be something very noteable.

Mind that admins / users don't regularly do BIOS / UEFI updates on Servers or Clients.

 

Solution in a summary

 

Hello Lien how are you doing?

No it has been solved for 22H2.

 

- update my UEFI from a 2023 to a 2024 beta version from Asrock

- redeploying Secure Boot keys and make sure it's enabled

- enabling Core Isolation on the Hyper-V Host (HCVI) which also enables VBS

- enable vTPM on the Azure Stack HCI nested virtualization VM (mslab)

0 Likes
Reply
Karl_Wester-Ebbinghaus

‎Mar 04 2024 02:26 AM

‎Mar 04 2024 02:26 AM

Re: b26063 - Bug Bash - Windows Security > Device Security - Cannot enable VBS anymore

Cannot reproduce this in my sphere as all managed devices around me already received UEFI updates in Feb.

For now, I can only interpret this as a local issue.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Karl_Wester-Ebbinghaus (MVP)
Karl_Wester-Ebbinghaus

‎Mar 03 2024 05:54 AM - edited ‎Mar 11 2024 11:13 PM

‎Mar 03 2024 05:54 AM - edited ‎Mar 11 2024 11:13 PM

Solution

Re: b26063 - Bug Bash - Windows Security > Device Security - Cannot enable VBS anymore - FIXED

Ok fixed it. There is a new (BETA) BIOS, released some days ago, which addresses the issue. It is not mentioned in the release notes though.

I have the strong feeling it is related to the UEFI secure boot changes described in the linked article.

Believe we could need an urgent advisory. A blogpost isn't enought if this is true.
If the February changes (not yet fully proven) are able to disable security with unpatched UEFI devices, this would be something very noteable.

Mind that admins / users don't regularly do BIOS / UEFI updates on Servers or Clients.

 

Solution in a summary

 

Hello Lien how are you doing?

No it has been solved for 22H2.

 

- update my UEFI from a 2023 to a 2024 beta version from Asrock

- redeploying Secure Boot keys and make sure it's enabled

- enabling Core Isolation on the Hyper-V Host (HCVI) which also enables VBS

- enable vTPM on the Azure Stack HCI nested virtualization VM (mslab)

View solution in original post

0 Likes
Reply