A Windows XP help forum. PCbanter


Core Isolation



 
 
  #1  
Old February 21st 20, 02:51 AM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Core Isolation

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #2  
Old February 21st 20, 05:13 AM posted to alt.comp.os.windows-10
Roger Blake[_2_]
external usenet poster
 
Posts: 536
Core Isolation

On 2020-02-21, Ken Springer wrote:
Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


The answer is as close as your favorite search engine, such as...

https://www.howtogeek.com/357757/wha...in-windows-10/

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

The US Census vs. privacy -- http://censusfacts.info
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------
  #3  
Old February 21st 20, 09:41 AM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Core Isolation

On 2/20/20 10:13 PM, Roger Blake wrote:
On 2020-02-21, Ken Springer wrote:
Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


The answer is as close as your favorite search engine, such as...

https://www.howtogeek.com/357757/wha...in-windows-10/


Thanks, Roger.

Sometimes I'm interested in whether people have actually had problems in
addition to what "may" happen. :-)

--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #4  
Old February 21st 20, 04:29 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Core Isolation

Ken Springer wrote:

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


https://docs.microsoft.com/en-us/win...iences/oem-vbs

Lots of prerequisites for using VBS (Virtualization-Based Security) in
Windows 10.

According to the HowToGeek article that Roger cited:

Some Core Isolation features are enabled by default on Windows 10 PCs
that meet certain hardware and firmware requirements, including having
a 64-bit CPU and TPM 2.0 chip.

Well, memory integrity is not enabled in my Windows 10 setup despite I
just got a new mobo back in February for a new build on which to use
Windows 10. Also:

It also requires your PC supports the Intel VT-x or AMD-V
virtualization technology, and that it’s enabled in your PC’s UEFI
settings.

I'd have to go look again, but I'm pretty sure the VT-x option is
enabled in the UEFI for my mobo's BIOS. Memory integrity is disabled,
by default, for upgrade installs of Windows 10 (like you upgraded from
Windows 7 or 8), but my build was fresh. I don't like dragging
non-applicable or corrupted registry entries and files from an old OS
into a new OS. I always do fresh installs, never upgrades.

I've seen reports that once enabled that the memory integrity option of
Core Isolation cannot thereafter get disabled. That is, once you turn
it on, it's on forever thereafter. So, if there are problems, you're
stuck with having to do a full fresh install of Windows 10, or hope your
backup images are retained for long enough to restore to a prior state
(and, of course, lose all other changes made since the backup). The GUI
won't let you disable after enable, but you can edit the registry to
disable the option:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
Set to disabled (zero).

Peculiarly, this key is not hidden in a crypto-protected portion of the
registry (that you can't get at using regedit.exe or other user-mode
registry editor), nor is it hashed, nor is a paired hash key assigned to
it to prevent unauthorized/malicious modification.

Hypervisor is required. Another name for memory integrity, a subset
feature of Core Isolation, is Hypervisor Protected Code Integrity
(HVCI). However, enabling that VMM (Virtual Machine Manager) means you
cannot use another, like VMware Player or Virtualbox. Conversely, if
you already have a VMM installed, trying to enable Microsoft's memory
integrity function in Core Isolation results in a "This setting is
managed by your administrator" which is misleading because it's another
VMM on your host. Only one VMM can use the VM functions in hardware
(BIOS on your mobo). If you use Microsoft's HyperVisor, you can't use
another VMM, and vice versa.

https://langa.com/index.php/2018/08/...ther-software/

Besides not knowing your software suite (after all, we're not
inventorying what you installed), you never bothered to mention which
edition of Windows 10 that you use. Not all come with Hypervisor, a
requirement for VBS.

https://docs.microsoft.com/en-us/vir...enable-hyper-v

So, do you have the Pro, Enterprise, or Eductation editions of Win10?
Also, although all drivers since Windows 10 1607 have been, ahem,
"required" to be hypervisor-protected code integrity compliant, not all
are yet. Enabling the HV memory integrity options means some software or
hardware may malfunction. Memory integrity is supposed to get
automatically disabled on boot if there is detected an incompatibility
for a boot-critical driver. Maybe that works, but maybe not. Plus, it
doesn't affect how memory integrity affects non-OS software.

One requirement is a TPM chip. Usually that would be hardware. Some
desktop mobos that don't include a TPM chip do have a header to plug one
in. However, some UEFI configs have an option to emulate TPM in their
firmware (BIOS code); however, that requires Intel's ME (Management
Engine), a micro-controller inside of Intel's micro-processors, to run
Intel's Platform Trust Technology (PTT).

https://en.wikipedia.org/wiki/Intel_Management_Engine

And it can be and has been hacked:

https://hackaday.com/tag/intel-management-engine/
https://securityaffairs.co/wordpress...jtag-flaw.html

I deliberately disabled ME in the UEFI config because I didn't want to
allow remote access to my computer or provide yet another hack vector to
make my computer vulnerable, even when it is powered off (but still
network connected since I'm obviously not going to yank every cord out
of my PC when I power it off).

Unless this is a test box where you like to experiment with various OS
tweaks, I would suggest not changing this option. If this is your
personal PC, do you have the time, initiative, and expertise to debug a
problem in the OS or an application while putzing around with the OS?

Remember all this "protection" is adding overhead, so everything runs
slower. Maybe on a really super-fast computer you won't notice, but
that doesn't obviate the overhead which still slows everything down,
just like running anything inside a virtual machine means it is slower
despite using firmware functions from hardware.

In Windows 10's settings app, go under "Update & Security", choose the
"Windows Security" group, click on "Device Security". There you find
the Core Isolation setting(s). Before going into the Core Isolation
settings (to find memory integrity), is there a message saying "Standard
hardware security not supported"? If so, the Learn More link goes to:

https://support.microsoft.com/en-us/...#hardwarescore

Under there, it says Secure Boot must be enabled. I tried it. What a
disaster. Was damn hard to get rid of it. I either get the above
"Standard hardware security not supported" message because I eventually
got rid of Secure Boot in UEFI (and the matching support in Windows), or
killed off support for Intel's ME inside their CPU (but that doesn't get
rid of, just block its use, plus I did *not* install any of the Intel ME
software in Windows).


  #5  
Old February 21st 20, 07:12 PM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Core Isolation

On 2/21/20 9:29 AM, VanguardLH wrote:
Ken Springer wrote:

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


https://docs.microsoft.com/en-us/win...iences/oem-vbs

Lots of prerequisites for using VBS (Virtualization-Based Security) in
Windows 10.

According to the HowToGeek article that Roger cited:


One of the issues I have with W10 info you find on the web is, a lot of
it's outdated. Roger's provided article (I'm noting he did not write
it) is a year and a half old, and the info is almost 2 years old. I've
learned not to trust info on W10 that is that old.


Some Core Isolation features are enabled by default on Windows 10 PCs
that meet certain hardware and firmware requirements, including having
a 64-bit CPU and TPM 2.0 chip.

Well, memory integrity is not enabled in my Windows 10 setup despite I
just got a new mobo back in February for a new build on which to use
Windows 10.


My main W10 system is a unit I built when W8 first came out. I'm no
tech, just wanted to see if I could assemble the parts I had help
buying, successfully, of course. At that time, I put W7 on the unit.

Decided to upgrade to w10, did a fresh install saving nothing. That was
1903. 1909 now. I didn't know about the Core until a few weeks ago, so
curious if there were any horror stories.

It wasn't turned on when I checked, so I've turned it on. I've no
intentions of ever running a virtual machine on this unit, so that's a
non-player.

Also:

It also requires your PC supports the Intel VT-x or AMD-V
virtualization technology, and that it’s enabled in your PC’s UEFI
settings.

I'd have to go look again, but I'm pretty sure the VT-x option is
enabled in the UEFI for my mobo's BIOS. Memory integrity is disabled,
by default, for upgrade installs of Windows 10 (like you upgraded from
Windows 7 or 8), but my build was fresh. I don't like dragging
non-applicable or corrupted registry entries and files from an old OS
into a new OS. I always do fresh installs, never upgrades.


As a general rule, I don't touch UEFI/BIOS settings, other than
Date/Time, boot order, and legacy support when I need to boot from an
external optical drive.

Possible corrupted stuff is why I did a fresh install of W10.

I've seen reports that once enabled that the memory integrity option of
Core Isolation cannot thereafter get disabled. That is, once you turn
it on, it's on forever thereafter. So, if there are problems, you're
stuck with having to do a full fresh install of Windows 10, or hope your
backup images are retained for long enough to restore to a prior state
(and, of course, lose all other changes made since the backup). The GUI
won't let you disable after enable, but you can edit the registry to
disable the option:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
Set to disabled (zero).


I can't turn mine off from the GUI, but like you I found web articles on
how to do it. I'm not terribly worried about the need to ever turn it
off, and system images are created once a month, IIRC.

Peculiarly, this key is not hidden in a crypto-protected portion of the
registry (that you can't get at using regedit.exe or other user-mode
registry editor), nor is it hashed, nor is a paired hash key assigned to
it to prevent unauthorized/malicious modification.

Hypervisor is required. Another name for memory integrity, a subset
feature of Core Isolation, is Hypervisor Protected Code Integrity
(HVCI). However, enabling that VMM (Virtual Machine Manager) means you
cannot use another, like VMware Player or Virtualbox. Conversely, if
you already have a VMM installed, trying to enable Microsoft's memory
integrity function in Core Isolation results in a "This setting is
managed by your administrator" which is misleading because it's another
VMM on your host. Only one VMM can use the VM functions in hardware
(BIOS on your mobo). If you use Microsoft's HyperVisor, you can't use
another VMM, and vice versa.

https://langa.com/index.php/2018/08/...ther-software/


What might turn into something interesting is, I've got W10 installed on
my Mac Mini using Bootcamp. Boy, does W10 run slick there!! I'll look
in the Apple Bootcamp community first before turning it on. I haven't
looked yet, so it could already be turned on.

Besides not knowing your software suite (after all, we're not
inventorying what you installed), you never bothered to mention which
edition of Windows 10 that you use. Not all come with Hypervisor, a
requirement for VBS.

https://docs.microsoft.com/en-us/vir...enable-hyper-v

So, do you have the Pro, Enterprise, or Eductation editions of Win10?


"Eductation"???? That's a new one on me! ROFL!!

1909, as noted earlier, Pro, always updated. Minimal software
installation at the moment, the biggie being Softmaker Office 2016.
Does everything I need, and was certainly cheaper than MS Office at the
time.

Speaking of updates, I've discovered that MS Store apps are not always
updated. No idea why.

Also, although all drivers since Windows 10 1607 have been, ahem,
"required" to be hypervisor-protected code integrity compliant, not all
are yet. Enabling the HV memory integrity options means some software or
hardware may malfunction. Memory integrity is supposed to get
automatically disabled on boot if there is detected an incompatibility
for a boot-critical driver. Maybe that works, but maybe not. Plus, it
doesn't affect how memory integrity affects non-OS software.

One requirement is a TPM chip. Usually that would be hardware. Some
desktop mobos that don't include a TPM chip do have a header to plug one
in. However, some UEFI configs have an option to emulate TPM in their
firmware (BIOS code); however, that requires Intel's ME (Management
Engine), a micro-controller inside of Intel's micro-processors, to run
Intel's Platform Trust Technology (PTT).

https://en.wikipedia.org/wiki/Intel_Management_Engine

And it can be and has been hacked:

https://hackaday.com/tag/intel-management-engine/
https://securityaffairs.co/wordpress...jtag-flaw.html

I deliberately disabled ME in the UEFI config because I didn't want to
allow remote access to my computer or provide yet another hack vector to
make my computer vulnerable, even when it is powered off (but still
network connected since I'm obviously not going to yank every cord out
of my PC when I power it off).

Unless this is a test box where you like to experiment with various OS
tweaks, I would suggest not changing this option. If this is your
personal PC, do you have the time, initiative, and expertise to debug a
problem in the OS or an application while putzing around with the OS?

Remember all this "protection" is adding overhead, so everything runs
slower. Maybe on a really super-fast computer you won't notice, but
that doesn't obviate the overhead which still slows everything down,
just like running anything inside a virtual machine means it is slower
despite using firmware functions from hardware.

In Windows 10's settings app, go under "Update & Security", choose the
"Windows Security" group, click on "Device Security". There you find
the Core Isolation setting(s). Before going into the Core Isolation
settings (to find memory integrity), is there a message saying "Standard
hardware security not supported"? If so, the Learn More link goes to:

https://support.microsoft.com/en-us/...#hardwarescore

Under there, it says Secure Boot must be enabled. I tried it. What a
disaster. Was damn hard to get rid of it. I either get the above
"Standard hardware security not supported" message because I eventually
got rid of Secure Boot in UEFI (and the matching support in Windows), or
killed off support for Intel's ME inside their CPU (but that doesn't get
rid of, just block its use, plus I did *not* install any of the Intel ME
software in Windows).


My reason for asking is likely different than most. I do part time
computer tutoring, primarily with seniors. Most of them are woefully
computer ignorant.

When I help them set up a computer, I try to make it as "safe" for them
to use as I can. I create a standard user account, tell them to always
use that account most of the time. I don't install a lot of 3rd party
stuff, it tends to overload and confuse them. If possible, when we are
working together, I change screen settings so it's easier for them to read.

These days, Windows Defender for AV. I usually install Malwarebytes
and SuperAntiSpyware, and show them how to run it. But, I don't think
most of them do. And, Teamviewer, so I have the possibility of
answering questions without a road trip.

I always encourage backups, but almost no one listens.

So, in the vein of making the system "safer", I'm considering turning
the Core protection on as an additional step, since none of them will
even have a clue what I'm talking about if I were to mention a virtual
machine.



--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #6  
Old February 21st 20, 11:02 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Core Isolation

Ken Springer wrote:

VanguardLH wrote:

Ken Springer wrote:

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?


https://docs.microsoft.com/en-us/win...iences/oem-vbs

Lots of prerequisites for using VBS (Virtualization-Based Security) in
Windows 10.

According to the HowToGeek article that Roger cited:


One of the issues I have with W10 info you find on the web is, a lot
of it's outdated. Roger's provided article (I'm noting he did not
write it) is a year and a half old, and the info is almost 2 years
old. I've learned not to trust info on W10 that is that old.


Not sure how you're doing the calendar math. Roger's cited article was
dated Sept 28, 2018. That's under 1.5 years ago.

The Core Isolation was a feature migrated from the Enterprise edition of
Windows 10 to the other editions, and that happened back in April 2018,
so the articles about Core Isolation couldn't have appeared earlier, and
I don't see any mention that there was some massive change to Core
Isolation since then.

[Core Isolation] wasn't turned on when I checked, so I've turned it on. I've no
intentions of ever running a virtual machine on this unit, so that's a
non-player.


But you are. It's Microsoft's Hypervisor instead of some other VMM.

I can't turn mine off from the GUI, but like you I found web articles on
how to do it. I'm not terribly worried about the need to ever turn it
off, and system images are created once a month, IIRC.


So, to answer your own question, and since you enabled the option, have
YOU run into any problems with Core Isolation? How would you know?

My reason for asking is likely different than most. I do part time
computer tutoring, primarily with seniors. Most of them are woefully
computer ignorant.


Alas, the same regarding the OS for young'uns. Being proficient in
using an OS doesn't make one proficient in maintaining it, debugging it,
or resolving misbehaviors. Most users just want to use the OS. They
aren't interested in digging into it, even when there are problems.

So, in the vein of making the system "safer", I'm considering turning
the Core protection on as an additional step, since none of them will
even have a clue what I'm talking about if I were to mention a virtual
machine.


I guess I'd first look at making the setup as stable as possible, even
if security had to be reduced. Secure Boot interferes with some of my
programs, primarily the video stream capture program. I can see the
Hypervisor virtualization of system process could interfere with some
security programs, like 0patch that doesn't modify the files but instead
alters the memory copy of a process to fix vulnerabilities or apply
fixes.

One test would be to enable memory integrity and then reboot the
computer. Check if the option is still enabled. One of the tests
during boot is to check if Core Isolation is compatible with the
hardware drivers currently installed. As for on-the-fly loaded drivers,
that's something that would need to get checked regarding program
behavior that did such. The boot test only checks against what are
considered critical drivers for boot, not for hardware compatibility or
feature sets.

As for Core Isolation regarding "security", it's already been hacked
right along with Intel's ME. It's like a lot of other security
measures: the bar gets raised, but some hackers are willing to jump
higher, and eventually they create toolkits to let the script kiddies do
the same.

Since you decided to just stick with Defender, you've already decided
going extreme with security and protection is not appropriate. Security
and ease-of-use are often the antithesis of each other. If only using
Defender, why bother with Core Isolation?
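
A read-only check for the reboot test described in the posts above, as an added example that is not part of any poster's message: it compares the registry value VanguardLH cites with what the Win32_DeviceGuard WMI class reports as actually running in the current boot session. PowerShell on Windows 10 is assumed, and the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only memory integrity (HVCI) status check.
# Function names are hypothetical; nothing here changes any setting.

# Registry location cited in the thread; holds the configured (requested) state.
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-HvciConfigured {
    # $true / $false from the Enabled value, $null when the key or value is absent.
    $prop = Get-ItemProperty -Path $HvciKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return ($prop.Enabled -eq 1)
}

function Get-HvciRuntime {
    # Win32_DeviceGuard reports what is enforced in the current boot session.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $null }
    [pscustomobject]@{
        # 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus
        # Service id 2 in these arrays is hypervisor-protected code integrity
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-HvciVerdict {
    param($Configured, $Runtime)

    if ($null -eq $Runtime) {
        return 'UNKNOWN: Win32_DeviceGuard is not available on this system'
    }
    if ($Configured -and $Runtime.HvciRunning) {
        return 'OK: memory integrity is configured and running'
    }
    if ($Configured -and -not $Runtime.HvciRunning) {
        # The case the reboot test looks for: the switch is on but nothing is enforced,
        # e.g. not yet rebooted, or Windows backed the feature out at boot.
        return 'MISMATCH: Enabled=1 in the registry but HVCI is not running'
    }
    if ($Runtime.HvciRunning) {
        # Running although the Enabled value is not 1: changed since the last boot,
        # or the feature is configured elsewhere (for example by policy).
        return 'MISMATCH: HVCI is running but the registry Enabled value is not 1'
    }
    return 'OFF: memory integrity is neither configured nor running'
}

function Get-HvciReport {
    $configured = Get-HvciConfigured
    $runtime    = Get-HvciRuntime
    $os         = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs         = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        Edition           = $os.Caption            # edition matters for Hyper-V availability
        Build             = $os.BuildNumber
        HypervisorPresent = $cs.HypervisorPresent  # $true when a hypervisor is active
        RegistryEnabled   = $configured
        VbsStatus         = if ($runtime) { $runtime.VbsStatus } else { $null }
        HvciRunning       = if ($runtime) { $runtime.HvciRunning } else { $null }
        Verdict           = Get-HvciVerdict -Configured $configured -Runtime $runtime
    }
}

Get-HvciReport | Format-List
```

Run it once right after changing the setting and again after the reboot; a MISMATCH verdict that persists after the reboot means the registry value alone does not tell you whether the protection is in effect.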
  #7  
Old February 22nd 20, 01:41 AM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Core Isolation

On 2/21/20 4:02 PM, VanguardLH wrote:
Ken Springer wrote:

VanguardLH wrote:

Ken Springer wrote:

Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?

https://docs.microsoft.com/en-us/win...iences/oem-vbs

Lots of prerequisites for using VBS (Virtualization-Based Security) in
Windows 10.

According to the HowToGeek article that Roger cited:


One of the issues I have with W10 info you find on the web is, a lot
of it's outdated. Roger's provided article (I'm noting he did not
write it) is a year and a half old, and the info is almost 2 years
old. I've learned not to trust info on W10 that is that old.


Not sure how you're doing the calendar math. Roger's cited article was
dated Sept 28, 2018. That's under 1.5 years ago.


That's the date of the article, but the information is for the April
2018 update. So, the info is almost 2 years old. Not any different
than me writing an article on the Battle of Gettysburg, where the
article is current, but the information is over 150 years old. :-)

The Core Isolation was a feature migrated from the Enterprise edition of
Windows 10 to the other editions, and that happened back in April 2018,
so the articles about Core Isolation couldn't have appeared earlier, and
I don't see any mention that there was some massive change to Core
Isolation since then.


But, it was available in some releases, correct?

[Core Isolation] wasn't turned on when I checked, so I've turned it on. I've no
intentions of ever running a virtual machine on this unit, so that's a
non-player.


But you are. It's Microsoft's Hypervisor instead of some other VMM.

I can't turn mine off from the GUI, but like you I found web articles on
how to do it. I'm not terribly worried about the need to ever turn it
off, and system images are created once a month, IIRC.


So, to answer your own question, and since you enabled the option, have
YOU run into any problems with Core Isolation? How would you know?


I don't know! LOL One of the reasons I asked. That way I'd have an
idea of what to look out for.

My reason for asking is likely different than most. I do part time
computer tutoring, primarily with seniors. Most of them are woefully
computer ignorant.


Alas, the same regarding the OS for young'uns. Being proficient in
using an OS doesn't make one proficient in maintaining it, debugging it,
or resolving misbehaviors. Most users just want to use the OS. They
aren't interested in digging into it, even when there are problems.


I don't mind them not wanting to dig into it, but they should at least
know how to use it. And, eventually minimal maintenance. In automotive
terms, you know what makes the car run, and you know to have the oil
changed, but you don't have to know how to overhaul the engine.

So, in the vein of making the system "safer", I'm considering turning
the Core protection on as an additional step, since none of them will
even have a clue what I'm talking about if I were to mention a virtual
machine.


I guess I'd first look at making the setup as stable as possible, even
if security had to be reduced. Secure Boot interferes with some of my
programs, primarily the video stream capture program. I can see the
Hypervisor virtualization of system process could interfere with some
security programs, like 0patch that doesn't modify the files but instead
alters the memory copy of a process to fix vulnerabilities or apply
fixes.


That's far above what most seniors I come in contact with would be
doing. I just helped one get her system up and running, and she's happy
with WordPad over having an office suite.

When I see her, she complains the colors on the screen are hard to read.
But, she doesn't ask for help.

IMO, in many cases, we try to start people at jr. high level, or that's
where they want to start, but they don't have a good foundation to build on.

One test would be to enable memory integrity and then reboot the
computer. Check if the option is still enabled. One of the tests
during boot is to check if Core Isolation is compatible with the
hardware drivers currently installed. As for on-the-fly loaded drivers,
that's something that would need to get checked regarding program
behavior that did such. The boot test only checks against what are
considered critical drivers for boot, not for hardware compatibility or
feature sets.


Thanks for this info. My system apparently is not, even though
everything is up to date. However, I've not gone through the system to
get the latest drivers from the manufacturer of the hardware. Not sure
that it's even important enough to me to do that.

And, given this possibility, I think I'll follow the KISS principle, and
avoid the issue and not turn it on. It's highly unlikely, one of the
seniors will discover it.

As for Core Isolation regarding "security", it's already been hacked
right along with Intel's ME. It's like a lot of other security
measures: the bar gets raised, but some hackers are willing to jump
higher, and eventually they create toolkits to let the script kiddies do
the same.

Since you decided to just stick with Defender, you've already decided
going extreme with security and protection is not appropriate. Security
and ease-of-use are often the antithesis of each other. If only using
Defender, why bother with Core Isolation?


It's finding the best way I can to do the best for someone, without
causing them problems, and trying to teach them something they aren't
ready to learn. You can't teach people algebra if they don't know basic
math.


--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #8  
Old February 22nd 20, 03:20 AM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Core Isolation

On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer
wrote:

That's far above what most seniors I come in contact with would be
doing. I just helped one get her system up and running, and she's happy
with WordPad over having an office suite.

When I see her, she complains the colors on the screen are hard to read.
But, she doesn't ask for help.


Assuming she could read the colors, I wonder what they'd say.

  #9  
Old February 22nd 20, 03:31 AM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Core Isolation

On 2/21/20 8:20 PM, Char Jackson wrote:
On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer
wrote:

That's far above what most seniors I come in contact with would be
doing. I just helped one get her system up and running, and she's happy
with WordPad over having an office suite.

When I see her, she complains the colors on the screen are hard to read.
But, she doesn't ask for help.


Assuming she could read the colors, I wonder what they'd say.


:P

--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #10  
Old February 22nd 20, 06:25 AM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Core Isolation

Ken Springer wrote:

That's the date of the article, but the information is for the April
2018 update. So, the info is almost 2 years old. Not any different
than me writing an article on the Battle of Gettysburg, where the
article is current, but the information is over 150 years old. :-)


Time tends to corrupt information. Nope, it was not like the article
was writing about Core Isolation many years after it got introduced (in
other than Enterprise editions of Windows 10). The article was fresh as
it was just a couple months afterward. Also, more information would get
compiled on the feature over time, so likely later articles would
provide more information. Regardless of age, you always have to take
Internet-based information with a large grain of salt.

But, it was available in some releases, correct?


There may have been articles about it for the Enterprise edition.
However, quite often that level of news is found in much smaller circles
where that community can understand it. It made a big splash when
Microsoft incorporated it into other editions.

LOL One of the reasons I asked. That way I'd have an idea of what
to look out for.


But you found the same problem as others in turning off the feature.
And, as mentioned, it runs afoul of other VMMs despite whether you chose
to use them or not. One user reported he couldn't boot Windows until he
did some convoluted diagnosis with BIOS settings. Another reported his
printer no longer worked: the very basic print functions still worked
but not all the extra features (probably due to the issue regarding
using non-Hypervisor-qualified drivers).

I suspect the number of Core Isolation using users will be very small
here. Might get more responses in communities more focused on sysadmins
managing Enterprise editions of Windows since the feature has been there
for longer; however, their edition and environment isn't what you use.
Probably online search researching on problems with it would turn up
more information.

That's far above what most seniors I come in contact with would be
doing.


You asked about problems with Core Isolation. Don't expect responses to
limit themselves to your particular scenarios. After all, you probably
cannot restrict your seniors from installing software, including
security programs. Sometimes a setup remains static thereafter, so you
don't run into further problems. Since hardware can change which also
changes the drivers, and software is, well, /soft/ware and can be
installed and uninstalled, more likely the setup is not static.

Thanks for this info. My system apparently is not, even though
everything is up to date. However, I've not gone through the system to
get the latest drivers from the manufacturer of the hardware. Not sure
that it's even important enough to me to do that.


But you're enabling an option that gets disabled due to incompatible
drivers. Why bother with the option at all if it gets auto-disabled in
your setup, and perhaps for those of the seniors? You'd have to test
their computers to see if the feature sticks or not.

And, given this possibility, I think I'll follow the KISS principle, and
avoid the issue and not turn it on. It's highly unlikely, one of the
seniors will discover it.


Perhaps even less likely if they log on with non-admin Windows accounts.

It's finding the best way I can to do the best for someone, without
causing them problems, and trying to teach them something they aren't
ready to learn. You can't teach people algebra if they don't know basic
math.


There are lots of settings in the BIOS whether MBR or UEFI. Same for
settings in software. No point in tweaking them or testing their effect
if they won't be used or effect a minuscule increment in security. As
yet, I don't see anyone pronouncing Core Isolation is an absolute must
for anyone. Corporations running a business and using servers with
qualified sysadmins are far more likely susceptible and sensitive to
security vulnerabilities than home users. From what I see, and until
some major flaw that doesn't require local access to hack, Core
Isolation gives little bang for the buck. I could install many layers
of security software on my computer at the expense of slowing it down,
having to manage it all, troubleshooting when some part of it interferes
with me using programs or the computer. Or I could go simple and take a
greater risk. Being vulnerable doesn't guarantee you will be. I'm
vulnerable every day when going outside to someone driving by and
shooting me, but I don't wear full head-to-toe bullet-proof gear because
such vulnerability exists because it would severely interfere with
living my life.

You have to decide what level of security you want for what level of
risk you are willing to incur. Doesn't look like Core Isolation is
anything your seniors need. I don't even care about it for myself.
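
For the point above about testing whether the feature "sticks" on a given computer, here is an added example (not part of any post in this thread) that compares the requested memory integrity setting with what Windows reports as actually running. It assumes the HVCI scenario registry key and the `Win32_DeviceGuard` WMI class that Microsoft documents; the function names `Get-MemoryIntegrityState` and `Get-ThirdPartyDriver` are hypothetical.

```powershell
# Added example: does memory integrity (HVCI) stay enabled on this machine?
# Run from an elevated PowerShell prompt on Windows 10/11.

function Get-MemoryIntegrityState {
    # Requested state: the Enabled value under the HVCI scenario key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $reg = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    $requested = [bool]($reg -and ($reg.Enabled -eq 1))

    # Effective state: what the Device Guard WMI provider reports as running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = [bool]($dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2))  # 2 = enabled and running
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))      # 2 = HVCI

    $verdict = if ($requested -and $hvciRunning) { 'On and enforced' }
        elseif ($requested)   { 'Requested but not running (reboot pending, or blocked)' }
        elseif ($hvciRunning) { 'Running but not requested in this key (policy, or turn-off pending reboot)' }
        else                  { 'Off' }

    [pscustomobject]@{
        Requested   = $requested
        VbsRunning  = $vbsRunning
        HvciRunning = $hvciRunning
        Verdict     = $verdict
    }
}

function Get-ThirdPartyDriver {
    # Non-Microsoft drivers are only candidates for review, not proof of an
    # incompatibility; Windows Security names the blocking driver when there is one.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DriverProviderName -and $_.DriverProviderName -ne 'Microsoft' } |
        Sort-Object DriverProviderName, DeviceName |
        Select-Object DeviceName, DriverProviderName, DriverVersion, InfName
}

$state = Get-MemoryIntegrityState
$state | Format-List

# Only list drivers when the setting was requested but is not in effect.
if ($state.Requested -and -not $state.HvciRunning) {
    Get-ThirdPartyDriver | Format-Table -AutoSize
}
```

Running it once after enabling the setting and rebooting, and again after a later driver or hardware change, shows whether the setting is still in effect.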
  #11  
Old February 22nd 20, 07:27 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Core Isolatioin

Char Jackson wrote:
On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer
wrote:

That's far above what most seniors I come in contact with would be
doing. I just helped one get her system up and running, and she's happy
with WordPad over having an office suite.

When I see her, she complains the colors on the screen are hard to read.
But, she doesn't ask for help.


Assuming she could read the colors, I wonder what they'd say.


:-)

She is referring to the lack of contrast on the Metro
desktop decorations, and not being able to tell where
one window ends and the next begins.

Maybe she would be happier with a screen like this.

https://cdn.arstechnica.net/wp-conte...start-here.png

I refer to the process as "doing a tuneup".

When a person gets a new device with an OS they're not
familiar with, you can work on stuff like the ClearType
setting, whether they prefer a High Contrast theme versus
the regular theme and so on. For example, a small percentage
of people "really can't stand ClearType". If you read
what they write about it, it really seems to provoke a
reaction, a reaction they can't always put into words
properly.

If you sit with people like this, and go through the various
controls, it's possible you can adjust things so they
won't be nearly as "steamy" about it.

https://wpxboximages-technospot2.net...Windows-10.png

The white-on-black window there, seems to be easier to read.

Paul
  #12  
Old February 22nd 20, 01:20 PM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Default Core Isolatioin

On 2/22/20 12:27 AM, Paul wrote:
Char Jackson wrote:
On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer
wrote:

That's far above what most seniors I come in contact with would be
doing. I just helped one get her system up and running, and she's happy
with WordPad over having an office suite.

When I see her, she complains the colors on the screen are hard to read.
But, she doesn't ask for help.


Assuming she could read the colors, I wonder what they'd say.


:-)

She is referring to the lack of contrast on the Metro
desktop decorations, and not being able to tell where
one window ends and the next begins.

Maybe she would be happier with a screen like this.

https://cdn.arstechnica.net/wp-conte...start-here.png

I refer to the process as "doing a tuneup".

When a person gets a new device with an OS they're not
familiar with, you can work on stuff like the ClearType
setting, whether they prefer a High Contrast theme versus
the regular theme and so on. For example, a small percentage
of people "really can't stand ClearType". If you read
what they write about it, it really seems to provoke a
reaction, a reaction they can't always put into words
properly.

If you sit with people like this, and go through the various
controls, it's possible you can adjust things so they
won't be nearly as "steamy" about it.

https://wpxboximages-technospot2.net...Windows-10.png

The white-on-black window there, seems to be easier to read.


You're 100% on the mark here, Paul.

What she would like is black text on white, not the default light blue
on white for her machine. But... Does she call? Nope. :-(

Laptops are the worst, IMO. Most screens seem to have a poor quality of
display, plus the small size.


--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #13  
Old February 22nd 20, 04:36 PM posted to alt.comp.os.windows-10
Ken Blake[_7_]
external usenet poster
 
Posts: 569
Default Core Isolatioin

On 2/22/2020 6:20 AM, Ken Springer wrote:
On 2/22/20 12:27 AM, Paul wrote:
Char Jackson wrote:
On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer
wrote:

That's far above what most seniors I come in contact with would be
doing. I just helped one get her system up and running, and she's happy
with WordPad over having an office suite.

When I see her, she complains the colors on the screen are hard to read.
But, she doesn't ask for help.

Assuming she could read the colors, I wonder what they'd say.


:-)

She is referring to the lack of contrast on the Metro
desktop decorations, and not being able to tell where
one window ends and the next begins.

Maybe she would be happier with a screen like this.

https://cdn.arstechnica.net/wp-conte...start-here.png

I refer to the process as "doing a tuneup".

When a person gets a new device with an OS they're not
familiar with, you can work on stuff like the ClearType
setting, whether they prefer a High Contrast theme versus
the regular theme and so on. For example, a small percentage
of people "really can't stand ClearType". If you read
what they write about it, it really seems to provoke a
reaction, a reaction they can't always put into words
properly.

If you sit with people like this, and go through the various
controls, it's possible you can adjust things so they
won't be nearly as "steamy" about it.

https://wpxboximages-technospot2.net...Windows-10.png

The white-on-black window there, seems to be easier to read.


You're 100% on the mark here, Paul.

What she would like is black text on white, not the default light blue
on white for her machine. But... Does she call? Nope. :-(

Laptops are the worst, IMO. Most screens seem to have a poor quality of
display, plus the small size.



One of the many reasons I'm against laptops, except for use when traveling.


--
Ken
  #14  
Old February 22nd 20, 05:21 PM posted to alt.comp.os.windows-10
Ken Springer[_2_]
external usenet poster
 
Posts: 3,817
Default Core Isolatioin

On 2/21/20 11:25 PM, VanguardLH wrote:
Ken Springer wrote:

That's the date of the article, but the information is for the April
2018 update. So, the info is almost 2 years old. Not any different
than me writing an article on the Battle of Gettysburg, where the
article is current, but the information is over 150 years old. :-)


Time tends to corrupt information.


Wouldn't "change" be a better word? The author mentions the Windows
Defender Security Center would change to Windows Security. The
screenshots no longer match either.

Nope, it was not like the article
was writing about Core Isolation many years after it got introduced (in
other than Enterprise editions of Windows 10). The article was fresh as
it was just a couple months afterward. Also, more information would get
compiled on the feature over time, so likely later articles would
provide more information. Regardless of age, you always have to take
Internet-based information with a large grain of salt.


Sad, but true, you can't depend on the accuracy. If you look at
historic newspapers, you find out you couldn't trust them during their time.

But, it was available in some releases, correct?


There may have been articles about it for the Enterprise edition.
However, quite often that level of news is found in much smaller circles
where that community can understand it. It made a big splash when
Microsoft incorporated it into other editions.

LOL One of the reasons I asked. That way I'd have an idea of what
to look out for.


But you found the same problem as others in turning off the feature.
And, as mentioned, it runs afoul of other VMMs despite whether you chose
to use them or not. One user reported he couldn't boot Windows until he
did some convoluted diagnosis with BIOS settings. Another reported his
printer no longer worked: the very basic print functions still worked
but not all the extra features (probably due to the issue regarding
using non-Hypervisor-qualified drivers).

I suspect the number of Core Isolation using users will be very small
here. Might get more responses in communities more focused on sysadmins
managing Enterprise editions of Windows since the feature has been there
for longer; however, their edition and environment isn't what you use.
Probably online search researching on problems with it would turn up
more information.


Knowing what I know now, thanks to your help, I won't be a user either,
nor likely even mention it to the seniors I encounter. It would be like
trying to explain algebra to a second grader.

That's far above what most seniors I come in contact with would be
doing.


You asked about problems with Core Isolation. Don't expect responses to
limit themselves to your particular scenarios. After all, you probably
cannot restrict your seniors from installing software, including
security programs. Sometimes a setup remains static thereafter, so you
don't run into further problems. Since hardware can change which also
changes the drivers, and software is, well, /soft/ware and can be
installed and uninstalled, more likely the setup is not static.


I don't want answers that just affect particular scenarios. I much
prefer a general idea of the whole gamut of possibilities before I make
a decision.

Thanks for this info. My system apparently is not, even though
everything is up to date. However, I've not gone through the system to
get the latest drivers from the manufacturer of the hardware. Not sure
that it's even important enough to me to do that.


But you're enabling an option that gets disabled due to incompatible
drivers. Why bother with the option at all if it gets auto-disabled in
your setup, and perhaps for those of the seniors? You'd have to test
their computers to see if the feature sticks or not.


Which becomes a time factor for me. I'd like to sit here, today, and
experiment, but I've got ice dams to deal with, should run the vacuum,
and get acquainted with a new treasurer's position I've taken over.

So, I'm not going to worry about core isolation. :-)

And, given this possibility, I think I'll follow the KISS principle, and
avoid the issue and not turn it on. It's highly unlikely, one of the
seniors will discover it.


Perhaps even less likely if they log on with non-admin Windows accounts.


Hopefully, they pay attention and use the standard accounts. My
brother-in-law did not on my sister's laptop, even though I wrote
instructions to not do that.

It's finding the best way I can to do the best for someone, without
causing them problems, and trying to teach them something they aren't
ready to learn. You can't teach people algebra if they don't know basic
math.


There are lots of settings in the BIOS whether MBR or UEFI. Same for
settings in software. No point in tweaking them or testing their effect
if they won't be used or effect a minuscule increment in security.


Agreed.

As
yet, I don't see anyone pronouncing Core Isolation is an absolute must
for anyone. Corporations running a business and using servers with
qualified sysadmins are far more likely susceptible and sensitive to
security vulnerabilities than home users. From what I see, and until
some major flaw that doesn't require local access to hack, Core
Isolation gives little bang for the buck. I could install many layers
of security software on my computer at the expense of slowing it down,
having to manage it all, troubleshooting when some part of it interferes
with me using programs or the computer. Or I could go simple and take a
greater risk. Being vulnerable doesn't guarantee you will be. I'm
vulnerable every day when going outside to someone driving by and
shooting me, but I don't wear full head-to-toe bullet-proof gear because
such vulnerability exists because it would severely interfere with
living my life.


And, I'm going to be up on a ladder with the ice dams I just mentioned!

You have to decide what level of security you want for what level of
risk you are willing to incur. Doesn't look like Core Isolation is
anything your seniors need. I don't even care about it for myself.



--
Ken
MacOS 10.14.6
Firefox 70.0.1
Thunderbird 60.9
"My brain is like lightning, a quick flash
and it's gone!"
  #15  
Old February 22nd 20, 05:45 PM posted to alt.comp.os.windows-10
nospam
external usenet poster
 
Posts: 4,718
Default Core Isolatioin

In article , Ken Springer
wrote:


Laptops are the worst, IMO. Most screens seem to have a poor quality of
display, plus the small size.


you obviously haven't used very many laptops, certainly not the better
ones.