#1
Core Isolation
Does anyone know of any negative effects of turning on the memory
integrity of the Core Isolation feature?

--
Ken
MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9
"My brain is like lightning, a quick flash and it's gone!"
#2
On 2020-02-21, Ken Springer wrote:
> Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?

The answer is as close as your favorite search engine, such as...

https://www.howtogeek.com/357757/wha...in-windows-10/

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)
The US Census vs. privacy -- http://censusfacts.info
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------
#3
On 2/20/20 10:13 PM, Roger Blake wrote:
> On 2020-02-21, Ken Springer wrote:
>> Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?
>
> The answer is as close as your favorite search engine, such as...
>
> https://www.howtogeek.com/357757/wha...in-windows-10/

Thanks, Roger. Sometimes I'm interested in whether people have actually had problems in addition to what "may" happen. :-)

--
Ken
MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9
"My brain is like lightning, a quick flash and it's gone!"
#4
Ken Springer wrote:
> Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?

https://docs.microsoft.com/en-us/win...iences/oem-vbs

Lots of prerequisites for using VBS (Virtualization-Based Security) in Windows 10.

According to the HowToGeek article that Roger cited:

  Some Core Isolation features are enabled by default on Windows 10 PCs that meet certain hardware and firmware requirements, including having a 64-bit CPU and TPM 2.0 chip.

Well, memory integrity is not enabled in my Windows 10 setup despite I just got a new mobo back in February for a new build on which to use Windows 10.

Also:

  It also requires your PC supports the Intel VT-x or AMD-V virtualization technology, and that it's enabled in your PC's UEFI settings.

I'd have to go look again, but I'm pretty sure the VT-x option is enabled in the UEFI for my mobo's BIOS. Memory integrity is disabled, by default, for upgrade installs of Windows 10 (like you upgraded from Windows 7 or 8), but my build was fresh. I don't like dragging non-applicable or corrupted registry entries and files from an old OS into a new OS. I always do fresh installs, never upgrades.

I've seen reports that once enabled that the memory integrity option of Core Isolation cannot thereafter get disabled. That is, once you turn it on, it's on forever thereafter. So, if there are problems, you're stuck with having to do a full fresh install of Windows 10, or hope your backup images are retained for long enough to restore to a prior state (and, of course, lose all other changes made since the backup). The GUI won't let you disable after enable, but you can edit the registry to disable the option:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled

Set to disabled (zero).

Peculiarly, this key is not hidden in a crypto-protected portion of the registry (that you can't get at using regedit.exe or other user-mode registry editor), nor is it hashed, nor is a paired hash key assigned to it to prevent unauthorized/malicious modification.

Hypervisor is required. Another name for memory integrity, a subset feature of Core Isolation, is Hypervisor Protected Code Integrity (HVCI). However, enabling that VMM (Virtual Machine Manager) means you cannot use another, like VMware Player or Virtualbox. Conversely, if you already have a VMM installed, trying to enable Microsoft's memory integrity function in Core Isolation results in a "This setting is managed by your administrator" which is misleading because it's another VMM on your host. Only one VMM can use the VM functions in hardware (BIOS on your mobo). If you use Microsoft's HyperVisor, you can't use another VMM, and vice versa.

https://langa.com/index.php/2018/08/...ther-software/

Besides not knowing your software suite (after all, we're not inventorying what you installed), you never bothered to mention which edition of Windows 10 that you use. Not all come with Hypervisor, a requirement for VBS.

https://docs.microsoft.com/en-us/vir...enable-hyper-v

So, do you have the Pro, Enterprise, or Eductation editions of Win10?

Also, although all drivers since Windows 10 1607 have been, ahem, "required" to be hypervisor-protected code integrity compliant, not all are yet. Enabling the HV memory integrity options means some software or hardware may malfunction. Memory integrity is supposed to get automatically disabled on boot if there is detected an incompatibility for a boot-critical driver. Maybe that works, but maybe not. Plus, it doesn't affect how memory integrity affects non-OS software.

One requirement is a TPM chip. Usually that would be hardware. Some desktop mobos that don't include a TPM chip do have a header to plug one in. However, some UEFI configs have an option to emulate TPM in their firmware (BIOS code); however, that requires Intel's ME (Management Engine), a micro-controller inside of Intel's micro-processors, to run Intel's Platform Trust Technology (PTT).

https://en.wikipedia.org/wiki/Intel_Management_Engine

And it can be and has been hacked:

https://hackaday.com/tag/intel-management-engine/
https://securityaffairs.co/wordpress...jtag-flaw.html

I deliberately disabled ME in the UEFI config because I didn't want to allow remote access to my computer or provide yet another hack vector to make my computer vulnerable, even when it is powered off (but still network connected since I'm obviously not going to yank every cord out of my PC when I power it off).

Unless this is a test box where you like to experiment with various OS tweaks, I would suggest not changing this option. If this is your personal PC, do you have the time, initiative, and expertise to debug a problem in the OS or an application while putzing around with the OS? Remember all this "protection" is adding overhead, so everything runs slower. Maybe on a really super-fast computer you won't notice, but that doesn't obviate the overhead which still slows everything down, just like running anything inside a virtual machine means it is slower despite using firmware functions from hardware.

In Windows 10's settings app, go under "Update & Security", choose the "Windows Security" group, click on "Device Security". There you find the Core Isolation setting(s). Before going into the Core Isolation settings (to find memory integrity), is there a message saying "Standard hardware security not supported"? If so, the Learn More link goes to:

https://support.microsoft.com/en-us/...#hardwarescore

Under there, it says Secure Boot must be enabled. I tried it. What a disaster. Was damn hard to get rid of it. I either get the above "Standard hardware security not supported" message because I eventually got rid of Secure Boot in UEFI (and the matching support in Windows), or killed off support for Intel's ME inside their CPU (but that doesn't get rid of, just block its use, plus I did *not* install any of the Intel ME software in Windows).
#5
On 2/21/20 9:29 AM, VanguardLH wrote:
> Ken Springer wrote:
>> Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?
>
> https://docs.microsoft.com/en-us/win...iences/oem-vbs
>
> Lots of prerequisites for using VBS (Virtualization-Based Security) in Windows 10.
>
> According to the HowToGeek article that Roger cited:

One of the issues I have with W10 info you find on the web is, a lot of it's outdated. Roger's provided article (I'm noting he did not write it) is a year and a half old, and the info is almost 2 years old. I've learned not to trust info on W10 that is that old.

>   Some Core Isolation features are enabled by default on Windows 10 PCs that meet certain hardware and firmware requirements, including having a 64-bit CPU and TPM 2.0 chip.
>
> Well, memory integrity is not enabled in my Windows 10 setup despite I just got a new mobo back in February for a new build on which to use Windows 10.

My main W10 system is a unit I built when W8 first came out. I'm no tech, just wanted to see if I could assemble the parts I had help buying, successfully, of course. At that time, I put W7 on the unit. Decided to upgrade to w10, did a fresh install saving nothing. That was 1903. 1909 now.

I didn't know about the Core until a few weeks ago, so curious if there were any horror stories. It wasn't turned on when I checked, so I've turned it on. I've no intentions of ever running a virtual machine on this unit, so that's a non-player.

> Also:
>
>   It also requires your PC supports the Intel VT-x or AMD-V virtualization technology, and that it’s enabled in your PC’s UEFI settings.
>
> I'd have to go look again, but I'm pretty sure the VT-x option is enabled in the UEFI for my mobo's BIOS. Memory integrity is disabled, by default, for upgrade installs of Windows 10 (like you upgraded from Windows 7 or 8), but my build was fresh. I don't like dragging non-applicable or corrupted registry entries and files from an old OS into a new OS. I always do fresh installs, never upgrades.

As a general rule, I don't touch UEFI/BIOS settings, other than Date/Time, boot order, and legacy support when I need to boot from an external optical drive. Possible corrupted stuff is why I did a fresh install of W10.

> I've seen reports that once enabled that the memory integrity option of Core Isolation cannot thereafter get disabled. That is, once you turn it on, it's on forever thereafter. So, if there are problems, you're stuck with having to do a full fresh install of Windows 10, or hope your backup images are retained for long enough to restore to a prior state (and, of course, lose all other changes made since the backup). The GUI won't let you disable after enable, but you can edit the registry to disable the option:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
>
> Set to disabled (zero).

I can't turn mine off from the GUI, but like you I found web articles on how to do it. I'm not terribly worried about the need to ever turn it off, and system images are created once a month, IIRC.

> Peculiarly, this key is not hidden in a crypto-protected portion of the registry (that you can't get at using regedit.exe or other user-mode registry editor), nor is it hashed, nor is a paired hash key assigned to it to prevent unauthorized/malicious modification.
>
> Hypervisor is required. Another name for memory integrity, a subset feature of Core Isolation, is Hypervisor Protected Code Integrity (HVCI). However, enabling that VMM (Virtual Machine Manager) means you cannot use another, like VMware Player or Virtualbox. Conversely, if you already have a VMM installed, trying to enable Microsoft's memory integrity function in Core Isolation results in a "This setting is managed by your administrator" which is misleading because it's another VMM on your host. Only one VMM can use the VM functions in hardware (BIOS on your mobo). If you use Microsoft's HyperVisor, you can't use another VMM, and vice versa.
>
> https://langa.com/index.php/2018/08/...ther-software/

What might turn into something interesting is, I've got W10 installed on my Mac Mini using Bootcamp. Boy, does W10 run slick there!! I'll look in the Apple Bootcamp community first before turning it on. I haven't looked yet, so it could already be turned on.

> Besides not knowing your software suite (after all, we're not inventorying what you installed), you never bothered to mention which edition of Windows 10 that you use. Not all come with Hypervisor, a requirement for VBS.
>
> https://docs.microsoft.com/en-us/vir...enable-hyper-v
>
> So, do you have the Pro, Enterprise, or Eductation editions of Win10?

"Eductation"???? That's a new one on me! ROFL!!

1909, as noted earlier, Pro, always updated. Minimal software installation at the moment, the biggie being Softmaker Office 2016. Does everything I need, and was certainly cheaper than MS Office at the time.

Speaking of updates, I've discovered that MS Store apps are not always updated. No idea why.

> Also, although all drivers since Windows 10 1607 have been, ahem, "required" to be hypervisor-protected code integrity compliant, not all are yet. Enabling the HV memory integrity options means some software or hardware may malfunction. Memory integrity is supposed to get automatically disabled on boot if there is detected an incompatibility for a boot-critical driver. Maybe that works, but maybe not. Plus, it doesn't affect how memory integrity affects non-OS software.
>
> One requirement is a TPM chip. Usually that would be hardware. Some desktop mobos that don't include a TPM chip do have a header to plug one in. However, some UEFI configs have an option to emulate TPM in their firmware (BIOS code); however, that requires Intel's ME (Management Engine), a micro-controller inside of Intel's micro-processors, to run Intel's Platform Trust Technology (PTT).
>
> https://en.wikipedia.org/wiki/Intel_Management_Engine
>
> And it can be and has been hacked:
>
> https://hackaday.com/tag/intel-management-engine/
> https://securityaffairs.co/wordpress...jtag-flaw.html
>
> I deliberately disabled ME in the UEFI config because I didn't want to allow remote access to my computer or provide yet another hack vector to make my computer vulnerable, even when it is powered off (but still network connected since I'm obviously not going to yank every cord out of my PC when I power it off).
>
> Unless this is a test box where you like to experiment with various OS tweaks, I would suggest not changing this option. If this is your personal PC, do you have the time, initiative, and expertise to debug a problem in the OS or an application while putzing around with the OS? Remember all this "protection" is adding overhead, so everything runs slower. Maybe on a really super-fast computer you won't notice, but that doesn't obviate the overhead which still slows everything down, just like running anything inside a virtual machine means it is slower despite using firmware functions from hardware.
>
> In Windows 10's settings app, go under "Update & Security", choose the "Windows Security" group, click on "Device Security". There you find the Core Isolation setting(s). Before going into the Core Isolation settings (to find memory integrity), is there a message saying "Standard hardware security not supported"? If so, the Learn More link goes to:
>
> https://support.microsoft.com/en-us/...#hardwarescore
>
> Under there, it says Secure Boot must be enabled. I tried it. What a disaster. Was damn hard to get rid of it. I either get the above "Standard hardware security not supported" message because I eventually got rid of Secure Boot in UEFI (and the matching support in Windows), or killed off support for Intel's ME inside their CPU (but that doesn't get rid of, just block its use, plus I did *not* install any of the Intel ME software in Windows).

My reason for asking is likely different than most. I do part time computer tutoring, primarily with seniors. Most of them are woefully computer ignorant.

When I help them set up a computer, I try to make it as "safe" for them to use as I can. I create a standard user account, tell them to always use that account most of the time. I don't install a lot of 3rd party stuff, it tends to overload and confuse them. If possible, when we are working together, I change screen settings so it's easier for them to read.

These days, Windows Defender for AV. I usually install Malwarebytes and SuperAntiSpyware, and show them how to run it. But, I don't think most of them do. And, Teamviewer, so I have the possibility of answering questions without a road trip. I always encourage backups, but almost no one listens.

So, in the vein of making the system "safer", I'm considering turning the Core protection on as an additional step, since none of them will even have a clue what I'm talking about if I were to mention a virtual machine.

--
Ken
MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9
"My brain is like lightning, a quick flash and it's gone!"
#6
Ken Springer wrote:
> VanguardLH wrote:
>> Ken Springer wrote:
>>> Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?
>>
>> https://docs.microsoft.com/en-us/win...iences/oem-vbs
>>
>> Lots of prerequisites for using VBS (Virtualization-Based Security) in Windows 10.
>>
>> According to the HowToGeek article that Roger cited:
>
> One of the issues I have with W10 info you find on the web is, a lot of it's outdated. Roger's provided article (I'm noting he did not write it) is a year and a half old, and the info is almost 2 years old. I've learned not to trust info on W10 that is that old.

Not sure how you're doing the calendar math. Roger's cited article was dated Sept 28, 2018. That's under 1.5 years ago. The Core Isolation was a feature migrated from the Enterprise edition of Windows 10 to the other editions, and that happened back in April 2018, so the articles about Core Isolation couldn't have appeared earlier, and I don't see any mention that there was some massive change to Core Isolation since then.

> [Core Isolation] wasn't turned on when I checked, so I've turned it on. I've no intentions of ever running a virtual machine on this unit, so that's a non-player.

But you are. It's Microsoft's Hypervisor instead of some other VMM.

> I can't turn mine off from the GUI, but like you I found web articles on how to do it. I'm not terribly worried about the need to ever turn it off, and system images are created once a month, IIRC.

So, to answer your own question, and since you enabled the option, have YOU run into any problems with Core Isolation? How would you know?

> My reason for asking is likely different than most. I do part time computer tutoring, primarily with seniors. Most of them are woefully computer ignorant.

Alas, the same regarding the OS for young'uns. Being proficient in using an OS doesn't make one proficient in maintaining it, debugging it, or resolving misbehaviors. Most users just want to use the OS. They aren't interested in digging into it, even when there are problems.

> So, in the vein of making the system "safer", I'm considering turning the Core protection on as an additional step, since none of them will even have a clue what I'm talking about if I were to mention a virtual machine.

I guess I'd first look at making the setup as stable as possible, even if security had to be reduced. Secure Boot interferes with some of my programs, primarily the video stream capture program. I can see the Hypervisor virtualization of system process could interfere with some security programs, like 0patch that doesn't modify the files but instead alters the memory copy of a process to fix vulnerabilities or apply fixes.

One test would be to enable memory integrity and then reboot the computer. Check if the option is still enabled. One of the tests during boot is to check if Core Isolation is compatible with the hardware drivers currently installed. As for on-the-fly loaded drivers, that's something that would need to get checked regarding program behavior that did such. The boot test only checks against what are considered critical drivers for boot, not for hardware compatibility or feature sets.

As for Core Isolation regarding "security", it's already been hacked right along with Intel's ME. It's like a lot of other security measures: the bar gets raised, but some hackers are willing to jump higher, and eventually they create toolkits to let the script kiddies do the same.

Since you decided to just stick with Defender, you've already decided going extreme with security and protection is not appropriate. Security and ease-of-use are often the antithesis of each other. If only using Defender, why bother with Core Isolation?
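Added example, not part of any post in this thread: a read-only PowerShell check for the "enable, reboot, see if it stuck" test described above. It compares the `Enabled` registry value quoted in the thread with what the `Win32_DeviceGuard` CIM class reports as running; the function name `Get-MemoryIntegrityState` and the verdict strings are made up for this example.

```powershell
# Added example (not from the thread): report whether memory integrity (HVCI)
# is configured in the registry and whether it was actually started at boot.
# Nothing is modified; the script only reads state.

# Registry key quoted in the thread; value "Enabled": 1 = on, 0 = off.
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

# In Win32_DeviceGuard.SecurityServicesRunning, the value 2 denotes HVCI.
$HvciServiceId = 2

function Get-MemoryIntegrityState {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Configured state: what the Settings toggle or a registry edit requested.
    $configured = $null
    $reg = Get-ItemProperty -Path $HvciKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -ne $reg) { $configured = [int]$reg.Enabled }

    # Running state: what the hypervisor started at the last boot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $vbsStatus = $null      # 0 = off, 1 = enabled but not running, 2 = running
    $running   = $false
    if ($null -ne $dg) {
        $vbsStatus = [int]$dg.VirtualizationBasedSecurityStatus
        $running   = @($dg.SecurityServicesRunning) -contains $HvciServiceId
    }

    # Last boot time tells you whether a reboot has happened since the toggle.
    $os = Get-CimInstance -ClassName 'Win32_OperatingSystem' -ErrorAction SilentlyContinue
    $lastBoot = if ($null -ne $os) { $os.LastBootUpTime } else { $null }

    # Compare the two views; a mismatch is the case the thread warns about.
    $verdict = if ($configured -eq 1 -and $running) {
        'Enabled and running'
    } elseif ($configured -eq 1) {
        'Configured on but NOT running: no reboot yet, or not started at boot (e.g. incompatible driver, virtualization unavailable)'
    } elseif ($running) {
        'Running but registry value is off or absent: a change is waiting for a reboot, or it is configured elsewhere'
    } else {
        'Off'
    }

    [pscustomobject]@{
        RegistryEnabled = $configured
        VbsStatus       = $vbsStatus
        HvciRunning     = $running
        LastBoot        = $lastBoot
        Verdict         = $verdict
    }
}

Get-MemoryIntegrityState | Format-List
```

Run it once after turning the option on and again after the reboot; if the second run shows the option configured but not running, the feature did not start on that machine.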
#7
On 2/21/20 4:02 PM, VanguardLH wrote:
> Ken Springer wrote:
>> VanguardLH wrote:
>>> Ken Springer wrote:
>>>> Does anyone know of any negative effects of turning on the memory integrity of the Core Isolation feature?
>>>
>>> https://docs.microsoft.com/en-us/win...iences/oem-vbs
>>>
>>> Lots of prerequisites for using VBS (Virtualization-Based Security) in Windows 10.
>>>
>>> According to the HowToGeek article that Roger cited:
>>
>> One of the issues I have with W10 info you find on the web is, a lot of it's outdated. Roger's provided article (I'm noting he did not write it) is a year and a half old, and the info is almost 2 years old. I've learned not to trust info on W10 that is that old.
>
> Not sure how you're doing the calendar math. Roger's cited article was dated Sept 28, 2018. That's under 1.5 years ago.

That's the date of the article, but the information is for the April 2018 update. So, the info is almost 2 years old. Not any different than me writing an article on the Battle of Gettysburg, where the article is current, but the information is over 150 years old. :-)

> The Core Isolation was a feature migrated from the Enterprise edition of Windows 10 to the other editions, and that happened back in April 2018, so the articles about Core Isolation couldn't have appeared earlier, and I don't see any mention that there was some massive change to Core Isolation since then.

But, it was available in some releases, correct?

>> [Core Isolation] wasn't turned on when I checked, so I've turned it on. I've no intentions of ever running a virtual machine on this unit, so that's a non-player.
>
> But you are. It's Microsoft's Hypervisor instead of some other VMM.
>
>> I can't turn mine off from the GUI, but like you I found web articles on how to do it. I'm not terribly worried about the need to ever turn it off, and system images are created once a month, IIRC.
>
> So, to answer your own question, and since you enabled the option, have YOU run into any problems with Core Isolation? How would you know?

I don't know! LOL One of the reasons I asked. That way I'd have an idea of what to look out for.

>> My reason for asking is likely different than most. I do part time computer tutoring, primarily with seniors. Most of them are woefully computer ignorant.
>
> Alas, the same regarding the OS for young'uns. Being proficient in using an OS doesn't make one proficient in maintaining it, debugging it, or resolving misbehaviors. Most users just want to use the OS. They aren't interested in digging into it, even when there are problems.

I don't mind them not wanting to dig into it, but they should at least know how to use it. And, eventually minimal maintenance. In automotive terms, you know what makes the car run, and you know to have the oil changed, but you don't have to know how to overhaul the engine.

>> So, in the vein of making the system "safer", I'm considering turning the Core protection on as an additional step, since none of them will even have a clue what I'm talking about if I were to mention a virtual machine.
>
> I guess I'd first look at making the setup as stable as possible, even if security had to be reduced. Secure Boot interferes with some of my programs, primarily the video stream capture program. I can see the Hypervisor virtualization of system process could interfere with some security programs, like 0patch that doesn't modify the files but instead alters the memory copy of a process to fix vulnerabilities or apply fixes.

That's far above what most seniors I come in contact with would be doing. I just helped one get her system up and running, and she's happy with WordPad over having an office suite. When I see her, she complains the colors on the screen are hard to read. But, she doesn't ask for help.

IMO, in many cases, we try to start people at jr. high level, or that's where they want to start, but they don't have a good foundation to build on.

> One test would be to enable memory integrity and then reboot the computer. Check if the option is still enabled. One of the tests during boot is to check if Core Isolation is compatible with the hardware drivers currently installed. As for on-the-fly loaded drivers, that's something that would need to get checked regarding program behavior that did such. The boot test only checks against what are considered critical drivers for boot, not for hardware compatibility or feature sets.

Thanks for this info. My system apparently is not, even though everything is up to date. However, I've not gone through the system to get the latest drivers from the manufacturer of the hardware. Not sure that it's even important enough to me to do that.

And, given this possibility, I think I'll follow the KISS principle, and avoid the issue and not turn it on. It's highly unlikely, one of the seniors will discover it.

> As for Core Isolation regarding "security", it's already been hacked right along with Intel's ME. It's like a lot of other security measures: the bar gets raised, but some hackers are willing to jump higher, and eventually they create toolkits to let the script kiddies do the same.
>
> Since you decided to just stick with Defender, you've already decided going extreme with security and protection is not appropriate. Security and ease-of-use are often the antithesis of each other. If only using Defender, why bother with Core Isolation?

It's finding the best way I can to do the best for someone, without causing them problems, and trying to teach them something they aren't ready to learn. You can't teach people algebra if they don't know basic math.

--
Ken
MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9
"My brain is like lightning, a quick flash and it's gone!"
#8
On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer wrote:
> That's far above what most seniors I come in contact with would be doing. I just helped one get her system up and running, and she's happy with WordPad over having an office suite. When I see her, she complains the colors on the screen are hard to read. But, she doesn't ask for help.

Assuming she could read the colors, I wonder what they'd say.
#9
On 2/21/20 8:20 PM, Char Jackson wrote:
> On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer wrote:
>> That's far above what most seniors I come in contact with would be doing. I just helped one get her system up and running, and she's happy with WordPad over having an office suite. When I see her, she complains the colors on the screen are hard to read. But, she doesn't ask for help.
>
> Assuming she could read the colors, I wonder what they'd say.

:P

--
Ken
MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9
"My brain is like lightning, a quick flash and it's gone!"
#10
Ken Springer wrote:
> That's the date of the article, but the information is for the April 2018 update. So, the info is almost 2 years old. Not any different than me writing an article on the Battle of Gettysburg, where the article is current, but the information is over 150 years old. :-)

Time tends to corrupt information. Nope, it was not like the article was writing about Core Isolation many years after it got introduced (in other than Enterprise editions of Windows 10). The article was fresh as it was just a couple months afterward. Also, more information would get compiled on the feature over time, so likely later articles would provide more information. Regardless of age, you always have to take Internet-based information with a large grain of salt.

> But, it was available in some releases, correct?

There may have been articles about it for the Enterprise edition. However, quite often that level of news is found in much smaller circles where that community can understand it. It made a big splash when Microsoft incorporated it into other editions.

> LOL One of the reasons I asked. That way I'd have an idea of what to look out for.

But you found the same problem as others in turning off the feature. And, as mentioned, it runs afoul of other VMMs despite whether you chose to use them or not. One user reported he couldn't boot Windows until he did some convoluted diagnosis with BIOS settings. Another reported his printer no longer worked: the very basic print functions still worked but not all the extra features (probably due to the issue regarding using non-Hypervisor-qualified drivers).

I suspect the number of Core Isolation using users will be very small here. Might get more responses in communities more focused on sysadmins managing Enterprise editions of Windows since the feature has been there for longer; however, their edition and environment isn't what you use. Probably online search researching on problems with it would turn up more information.

> That's far above what most seniors I come in contact with would be doing.

You asked about problems with Core Isolation. Don't expect responses to limit themselves to your particular scenarios. After all, you probably cannot restrict your seniors from installing software, including security programs. Sometimes a setup remains static thereafter, so you don't run into further problems. Since hardware can change which also changes the drivers, and software is, well, /soft/ware and can be installed and uninstalled, more likely the setup is not static.

> Thanks for this info. My system apparently is not, even though everything is up to date. However, I've not gone through the system to get the latest drivers from the manufacturer of the hardware. Not sure that it's even important enough to me to do that.

But you're enabling an option that gets disabled due to incompatible drivers. Why bother with the option at all if it gets auto-disabled in your setup, and perhaps for those of the seniors? You'd have to test their computers to see if the feature sticks or not.

> And, given this possibility, I think I'll follow the KISS principle, and avoid the issue and not turn it on. It's highly unlikely, one of the seniors will discover it.

Perhaps even less likely if they logon with non-admin Windows accounts.

> It's finding the best way I can to do the best for someone, without causing them problems, and trying to teach them something they aren't ready to learn. You can't teach people algebra if they don't know basic math.

There are lots of settings in the BIOS whether MBR or UEFI. Same for settings in software. No point in tweaking them or testing their effect if they won't be used or effect a minuscule increment in security. As yet, I don't see anyone pronouncing Core Isolation is an absolute must for anyone. Corporations running a business and using servers with qualified sysadmins are far more likely susceptible and sensitive to security vulnerabilities than home users. From what I see, and until some major flaw that doesn't require local access to hack, Core Isolation gives little bang for the buck.

I could install many layers of security software on my computer at the expense of slowing it down, having to manage it all, troubleshooting when some part of it interferes with me using programs or the computer. Or I could go simple and take a greater risk. Being vulnerable doesn't guarantee you will be. I'm vulnerable every day when going outside to someone driving by and shooting me, but I don't wear full head-to-toe bullet-proof gear because such vulnerability exists because it would severely interfere with living my life. You have to decide what level of security you want for what level of risk you are willing to incur. Doesn't look like Core Isolation is anything your seniors need. I don't even care about it for myself.
#11
Char Jackson wrote:
> On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer wrote:
> > That's far above what most seniors I come in contact with would be doing. I just helped one get her system up and running, and she's happy with WordPad over having an office suite. When I see her, she complains the colors on the screen are hard to read. But, she doesn't ask for help.
>
> Assuming she could read the colors, I wonder what they'd say. :-)

She is referring to the lack of contrast on the Metro desktop decorations, and not being able to tell where one window ends and the next begins. Maybe she would be happier with a screen like this.

https://cdn.arstechnica.net/wp-conte...start-here.png

I refer to the process as "doing a tuneup". When a person gets a new device with an OS they're not familiar with, you can work on stuff like the ClearType setting, whether they prefer a High Contrast theme versus the regular theme and so on.

For example, a small percentage of people "really can't stand ClearType". If you read what they write about it, it really seems to provoke a reaction, a reaction they can't always put into words properly. If you sit with people like this, and go through the various controls, it's possible you can adjust things so they won't be nearly as "steamy" about it.

https://wpxboximages-technospot2.net...Windows-10.png

The white-on-black window there, seems to be easier to read.

Paul
#12
On 2/22/20 12:27 AM, Paul wrote:
> Char Jackson wrote:
> > On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer wrote:
> > > That's far above what most seniors I come in contact with would be doing. I just helped one get her system up and running, and she's happy with WordPad over having an office suite. When I see her, she complains the colors on the screen are hard to read. But, she doesn't ask for help.
> >
> > Assuming she could read the colors, I wonder what they'd say. :-)
>
> She is referring to the lack of contrast on the Metro desktop decorations, and not being able to tell where one window ends and the next begins. Maybe she would be happier with a screen like this.
>
> https://cdn.arstechnica.net/wp-conte...start-here.png
>
> I refer to the process as "doing a tuneup". When a person gets a new device with an OS they're not familiar with, you can work on stuff like the ClearType setting, whether they prefer a High Contrast theme versus the regular theme and so on.
>
> For example, a small percentage of people "really can't stand ClearType". If you read what they write about it, it really seems to provoke a reaction, a reaction they can't always put into words properly. If you sit with people like this, and go through the various controls, it's possible you can adjust things so they won't be nearly as "steamy" about it.
>
> https://wpxboximages-technospot2.net...Windows-10.png
>
> The white-on-black window there, seems to be easier to read.

You're 100% on the mark here, Paul. What she would like is black text on white, not the default light blue on white for her machine. But... Does she call? Nope. :-(

Laptops are the worst, IMO. Most screens seem to have a poor quality of display, plus the small size.

-- Ken MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9 "My brain is like lightning, a quick flash and it's gone!"
#13
On 2/22/2020 6:20 AM, Ken Springer wrote:
> On 2/22/20 12:27 AM, Paul wrote:
> > Char Jackson wrote:
> > > On Fri, 21 Feb 2020 18:41:48 -0700, Ken Springer wrote:
> > > > That's far above what most seniors I come in contact with would be doing. I just helped one get her system up and running, and she's happy with WordPad over having an office suite. When I see her, she complains the colors on the screen are hard to read. But, she doesn't ask for help.
> > >
> > > Assuming she could read the colors, I wonder what they'd say. :-)
> >
> > She is referring to the lack of contrast on the Metro desktop decorations, and not being able to tell where one window ends and the next begins. Maybe she would be happier with a screen like this.
> >
> > https://cdn.arstechnica.net/wp-conte...start-here.png
> >
> > I refer to the process as "doing a tuneup". When a person gets a new device with an OS they're not familiar with, you can work on stuff like the ClearType setting, whether they prefer a High Contrast theme versus the regular theme and so on.
> >
> > For example, a small percentage of people "really can't stand ClearType". If you read what they write about it, it really seems to provoke a reaction, a reaction they can't always put into words properly. If you sit with people like this, and go through the various controls, it's possible you can adjust things so they won't be nearly as "steamy" about it.
> >
> > https://wpxboximages-technospot2.net...Windows-10.png
> >
> > The white-on-black window there, seems to be easier to read.
>
> You're 100% on the mark here, Paul. What she would like is black text on white, not the default light blue on white for her machine. But... Does she call? Nope. :-(
>
> Laptops are the worst, IMO. Most screens seem to have a poor quality of display, plus the small size.

One of the many reasons I'm against laptops, except for use when traveling.

-- Ken
#14
On 2/21/20 11:25 PM, VanguardLH wrote:
Ken Springer wrote: That's the date of the article, but the information is for the April 2018 update. So, the info is almost 2 years old. Not any different than me writing an article on the Battle of Gettysburg, where the article is current, but the information is over 150 years old. :-) Time tends to corrupt information. Wouldn't "change" be a better word? The author mentions the Windows Defender Security Center would change to Windows Security. The screenshots no longer match either. Nope, it was not like the article was writing about Core Isolation many years after it got introduced (in other than Enterprise editions of Windows 10). The article was fresh as it was just a couple months afterward. Also, more information would get compiled on the feature over time, so likely later articles would provide more information. Regardless of age, you always have to take Internet-based information with a large grain of salt. Sad, but true, you can't depend on the accuracy. If you look at historic newspapers, you find out you couldn't trust them during their time. But, it was available in some releases, correct? There may have been articles about it for the Enterprise edition. However, quite often that level of news is found in much smaller circles where that community can understand it. It made a big splash when Microsoft incorporated it into other editions. LOL One of the reasons I asked. That way I'd have an idea of what to look out for. But you found the same problem as others in turning off the feature. And, as mentioned, it runs afoul of other VMMs despite whether you chose to use them or not. One user reported he couldn't boot Windows until he did some convoluted diagnosis with BIOS settings. Another reported his printer no longer worked: the very basic print functions still worked but not all the extra features (probably due to the issue regarding using non-Hypervisor-qualified drivers). I suspect the number of Core Isolation using users will be very small here.
Might get more responses in communities more focused on sysadmins managing Enterprise editions of Windows since the feature has been there for longer; however, their edition and environment isn't what you use. Probably online search researching on problems with it would turn up more information. Knowing what I know now, thanks to your help, I won't be a user either, nor likely even mention it to the seniors I encounter. It would be like trying to explain algebra to a second grader. That's far above what most seniors I come in contact with would be doing. You asked about problems with Core Isolation. Don't expect responses to limit themselves to your particular scenarios. After all, you probably cannot restrict your seniors from installing software, including security programs. Sometimes a setup remains static thereafter, so you don't run into further problems. Since hardware can change which also changes the drivers, and software is, well, /soft/ware and can be installed and uninstalled, more likely the setup is not static. I don't want answers that just affect particular scenarios. I much prefer a general idea of the whole gamut of possibilities before I make a decision. Thanks for this info. My system apparently is not, even though everything is up to date. However, I've not gone through the system to get the latest drivers from the manufacturer of the hardware. Not sure that it's even important enough to me to do that. But you're enabling an option that gets disabled due to incompatible drivers. Why bother with the option at all if it gets auto-disabled in your setup, and perhaps for those of the seniors? You'd have to test their computers to see if the feature sticks or not. Which becomes a time factor for me. I'd like to sit here, today, and experiment, but I've got ice dams to deal with, should run the vacuum, and get acquainted with a new treasurer's position I've taken over. So, I'm not going to worry about core isolation. 
:-) And, given this possibility, I think I'll follow the KISS principle, and avoid the issue and not turn it on. It's highly unlikely, one of the seniors will discover it. Perhaps even less likely if they log on with non-admin Windows accounts. Hopefully, they pay attention and use the standard accounts. My brother-in-law did not on my sister's laptop, even though I wrote instructions to not do that. It's finding the best way I can to do the best for someone, without causing them problems, and trying to teach them something they aren't ready to learn. You can't teach people algebra if they don't know basic math. There are lots of settings in the BIOS whether MBR or UEFI. Same for settings in software. No point in tweaking them or testing their effect if they won't be used or effect a minuscule increment in security. Agreed. As yet, I don't see anyone pronouncing Core Isolation is an absolute must for anyone. Corporations running a business and using servers with qualified sysadmins are far more likely susceptible and sensitive to security vulnerabilities than home users. From what I see, and until some major flaw that doesn't require local access to hack, Core Isolation gives little bang for the buck. I could install many layers of security software on my computer at the expense of slowing it down, having to manage it all, troubleshooting when some part of it interferes with me using programs or the computer. Or I could go simple and take a greater risk. Being vulnerable doesn't guarantee you will be. I'm vulnerable every day when going outside to someone driving by and shooting me, but I don't wear full head-to-toe bullet-proof gear because such vulnerability exists because it would severely interfere with living my life. And, I'm going to be up on a ladder with the ice dams I just mentioned! You have to decide what level of security you want for what level of risk you are willing to incur. Doesn't look like Core Isolation is anything your seniors need.
I don't even care about it for myself.

-- Ken MacOS 10.14.6 Firefox 70.0.1 Thunderbird 60.9 "My brain is like lightning, a quick flash and it's gone!"
#15
In article , Ken Springer wrote:

> Laptops are the worst, IMO. Most screens seem to have a poor quality of display, plus the small size.

you obviously haven't used very many laptops, certainly not the better ones.