Windows 10 Education / Device Guard

  • Question

  • Hello everyone,

    I am currently trying to deploy the Device Guard on my Notebook.

    Guide: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide

    After I install the "Isolated User Mode" and reboot, I get the BSOD saying "ATTEMPTED_TO_EXECUTE_OF_NO_EXECUTE_MEMORY". Each and every time. No error when installing the feature; it just asks to reboot now or later....

    The Event Log says the following:

    General:

    The Virtualization Based Security enablement policy check at phase 0 failed with status: {File Not Found}
    The file %hs does not exist.

    Detail:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Kernel-Boot" Guid="{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}" />
        <EventID>124</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000400000000000</Keywords>
        <TimeCreated SystemTime="2016-07-21T15:59:51.648221000Z" />
        <EventRecordID>373550</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="8" />
        <Channel>System</Channel>
        <Computer>ARTEMIS</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Phase">0</Data>
        <Data Name="Status">3221225487</Data>
      </EventData>
    </Event>

    Systeminfo

    Host Name:                 ARTEMIS
    OS Name:                   Microsoft Windows 10 Education
    OS Version:                10.0.10586 N/A Build 10586
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Workstation

    Notebook Manual (it should meet all the HW requirements): http://h10032.www1.hp.com/ctg/Manual/c04490401.pdf

    Anything I can try to solve the error?




    Thursday, July 21, 2016 4:14 PM

Answers

  • Hi Tom MacGovery,

    According to the analysis result, the issue is related to "eamonm.sys". It is part of ESET NOD32 antivirus. Please turn off ESET NOD32 antivirus or uninstall it completely to troubleshoot.
    Here is the analysis result for reference:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck FC, {ffffe000a76315b0, 80000001008009e3, ffffd0014f3ee2d0, 4}

    *** WARNING: Unable to verify timestamp for eamonm.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamonm.sys
    Probably caused by : eamonm.sys ( eamonm+197a5 )

    Followup:     MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
    An attempt was made to execute non-executable memory.  The guilty driver
    is on the stack trace (and is typically the current instruction pointer).
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffe000a76315b0, Virtual address for the attempted execute.
    Arg2: 80000001008009e3, PTE contents.
    Arg3: ffffd0014f3ee2d0, (reserved)
    Arg4: 0000000000000004, (reserved)

    Debugging Details:
    ------------------


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 400

    BUILD_VERSION_STRING:  10586.494.amd64fre.th2_release_sec.160630-1736

    TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


    DUMP_TYPE:  2

    DUMP_FILE_ATTRIBUTES: 0x8
      Kernel Generated Triage Dump

    BUGCHECK_P1: ffffe000a76315b0

    BUGCHECK_P2: 80000001008009e3

    BUGCHECK_P3: ffffd0014f3ee2d0

    BUGCHECK_P4: 4

    CPU_COUNT: 8

    CPU_MHZ: 9be

    CPU_VENDOR:  GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 3c

    CPU_STEPPING: 3

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    BUGCHECK_STR:  0xFC

    PROCESS_NAME:  System

    CURRENT_IRQL:  0

    ANALYSIS_SESSION_HOST:  VDI-V-MEIPXU

    ANALYSIS_SESSION_TIME:  07-25-2016 14:08:36.0780

    ANALYSIS_VERSION: 10.0.10586.567 amd64fre

    TRAP_FRAME:  ffffd0014f3ee2d0 -- (.trap 0xffffd0014f3ee2d0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffffe000a76315b0 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffe000a7623448 rsi=0000000000000000 rdi=0000000000000000
    rip=ffffe000a76315b0 rsp=ffffd0014f3ee468 rbp=0000000000000000
     r8=0000000000000000  r9=0000000000000000 r10=ffffe000a4dda900
    r11=ffffe000a4cdf740 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    ffffe000`a76315b0 4053            push    rbx
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff80067de49d4 to fffff80067dc2940

    STACK_TEXT: 
    ffffd001`4f3ee038 fffff800`67de49d4 : 00000000`000000fc ffffe000`a76315b0 80000001`008009e3 ffffd001`4f3ee2d0 : nt!KeBugCheckEx
    ffffd001`4f3ee040 fffff800`67e078ce : ffffffff`80000214 00000000`00000000 ffffe000`a7645008 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x136d4
    ffffd001`4f3ee080 fffff800`67d1d621 : 00000000`00000011 ffffe000`a76233c0 ffffd001`4f3ee2d0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x365ce
    ffffd001`4f3ee170 fffff800`67dcbbbc : 00340036`00300031 00300032`00280020 00330030`00360031 00000029`00340032 : nt!MmAccessFault+0x5f1
    ffffd001`4f3ee2d0 ffffe000`a76315b0 : fffff801`2bcf97a5 ffffe000`a76233c0 ffffe000`a73f14e0 ffffe000`a7623708 : nt!KiPageFault+0x13c
    ffffd001`4f3ee468 fffff801`2bcf97a5 : ffffe000`a76233c0 ffffe000`a73f14e0 ffffe000`a7623708 fffff801`2bcfbef0 : 0xffffe000`a76315b0
    ffffd001`4f3ee470 ffffe000`a76233c0 : ffffe000`a73f14e0 ffffe000`a7623708 fffff801`2bcfbef0 fffff801`2bd0417c : eamonm+0x197a5
    ffffd001`4f3ee478 ffffe000`a73f14e0 : ffffe000`a7623708 fffff801`2bcfbef0 fffff801`2bd0417c ffffe000`00000200 : 0xffffe000`a76233c0
    ffffd001`4f3ee480 ffffe000`a7623708 : fffff801`2bcfbef0 fffff801`2bd0417c ffffe000`00000200 00000000`00000000 : 0xffffe000`a73f14e0
    ffffd001`4f3ee488 fffff801`2bcfbef0 : fffff801`2bd0417c ffffe000`00000200 00000000`00000000 ffffe000`636f6c4d : 0xffffe000`a7623708
    ffffd001`4f3ee490 fffff801`2bd0417c : ffffe000`00000200 00000000`00000000 ffffe000`636f6c4d 00300030`006d0065 : eamonm+0x1bef0
    ffffd001`4f3ee498 ffffe000`00000200 : 00000000`00000000 ffffe000`636f6c4d 00300030`006d0065 00340036`005f0030 : eamonm+0x2417c
    ffffd001`4f3ee4a0 00000000`00000000 : ffffe000`636f6c4d 00300030`006d0065 00340036`005f0030 00740061`0064002e : 0xffffe000`00000200


    STACK_COMMAND:  kb

    THREAD_SHA1_HASH_MOD_FUNC:  69ed20bc4d492be684767719d984f945a1ff1e48

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  fad2f43a8cdd6a4a48b132341a0eb34f100f142d

    THREAD_SHA1_HASH_MOD:  f88f312061b3f93d0e91af371e7763c43048d15b

    FOLLOWUP_IP:
    eamonm+197a5
    fffff801`2bcf97a5 ??              ???

    SYMBOL_STACK_INDEX:  6

    SYMBOL_NAME:  eamonm+197a5

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: eamonm

    IMAGE_NAME:  eamonm.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  559a91ae

    BUCKET_ID_FUNC_OFFSET:  197a5

    FAILURE_BUCKET_ID:  0xFC_eamonm!Unknown_Function

    BUCKET_ID:  0xFC_eamonm!Unknown_Function

    PRIMARY_PROBLEM_CLASS:  0xFC_eamonm!Unknown_Function

    TARGET_TIME:  2016-07-22T18:17:21.000Z

    OSBUILD:  10586

    OSSERVICEPACK:  0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK:  272

    PRODUCT_TYPE:  1

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

    OS_LOCALE: 

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2016-07-01 11:26:45

    BUILDDATESTAMP_STR:  160630-1736

    BUILDLAB_STR:  th2_release_sec

    BUILDOSVER_STR:  10.0.10586.494.amd64fre.th2_release_sec.160630-1736

    ANALYSIS_SESSION_ELAPSED_TIME: 6c6

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:0xfc_eamonm!unknown_function

    FAILURE_ID_HASH:  {4c69e5b7-93bd-da7e-2e7c-459b6cbeefed}

    Followup:     MachineOwner
    ---------

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, July 25, 2016 6:12 AM
    Moderator

All replies

  • Hi Tom MacGovery,

    First of all, please ensure the machine is up to date and on the latest version 10586.494. The latest BIOS update for your machine model was released on Jul 4, 2016.

    The hardware requirements for Device Guard are:
    1. UEFI running in Native Mode (not Compatibility/CSM/Legacy mode)
    2. Windows 64-bit and its associated requirements
    3. Second Layer Address Translation (SLAT) and Virtualization Extensions (e.g. Intel VT or AMD-V)
    4. A Trusted Platform Module (TPM) is recommended.

    We should enable the "Hyper-V Hypervisor" at the same time.
    "File Not Found"
    Please open an administrator command line and run "sfc /scannow" or "dism /online /cleanup-image /restorehealth" to check the health of system files.

    I noticed there is a BSOD issue.

    Please upload the dump file(C:\Windows\Minidump) to OneDrive and paste the link here.

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com


    Friday, July 22, 2016 2:54 AM
    Moderator
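A PowerShell triage script, added here as an example and not part of this thread or of Microsoft's deployment guide, that checks the three things the replies turn on: the VBS state reported by Win32_DeviceGuard, Kernel-Boot event 124 with its decimal Status decoded to an NTSTATUS (3221225487 is 0xC000000F, "{File Not Found}"), and running kernel drivers not stamped with a Microsoft company name, which is how a driver like eamonm.sys would show up. The function names and the company-name heuristic are my own assumptions; run it from an elevated prompt on Windows 10 1511 (build 10586) or later.

```powershell
# Added example (not from the thread): Device Guard / VBS boot-failure triage.
# Assumes an elevated PowerShell on Windows 10 build 10586 or later, where the
# Win32_DeviceGuard CIM class and the Microsoft-Windows-Kernel-Boot provider exist.

function Get-VbsState {
    # Win32_DeviceGuard reports whether VBS is configured and whether it is actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection (platform capability codes)
        AvailableProperties = $dg.AvailableSecurityProperties -join ','
        RequiredProperties  = $dg.RequiredSecurityProperties -join ','
        ServicesRunning     = $dg.SecurityServicesRunning -join ','
    }
}

function Get-VbsPolicyFailures {
    # Event 124 from Microsoft-Windows-Kernel-Boot is the "enablement policy check ... failed"
    # event from the original post. Its Status field is a decimal NTSTATUS:
    # 3221225487 == 0xC000000F (STATUS_NO_SUCH_FILE, rendered as "{File Not Found}").
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 124 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Phase    = $data['Phase']
            NtStatus = '0x{0:X8}' -f [uint32]$data['Status']
        }
    }
}

function Get-ThirdPartyRunningDrivers {
    # The 0xFC bugcheck in the thread was attributed to eamonm.sys (ESET). This lists running
    # kernel drivers whose PE version info does not name Microsoft as the company; it is a
    # triage heuristic based on file metadata, not a signature check.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        # Normalise the kernel-style paths Win32_SystemDriver returns (\??\C:\..., \SystemRoot\..., relative).
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path -LiteralPath $path) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            if ($company -notmatch 'Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Company = $company }
            }
        }
    }
}

Get-VbsState | Format-List
Get-VbsPolicyFailures | Format-Table -AutoSize
Get-ThirdPartyRunningDrivers | Format-Table -AutoSize
```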
  • Hi MeipoXu,


    Thank you for your answer. UEFI is running in native mode, the BIOS is up to date, and the other requirements are met as well.
    Neither "dism /online /cleanup-image /restorehealth" nor "sfc /scannow" finds an error.

    sfc /scannow
    Beginning system scan.  This process will take some time.
    Beginning verification phase of system scan.
    Verification 100% complete.
    Windows Resource Protection did not find any integrity violations.

    I already enabled Hyper-V and I've been using it for weeks without any problems. Works like a charm. The problem is the BSOD, which comes directly after I install the "Isolated User Mode" from Programs and Features...

    Link to the Minidump: https://1drv.ms/u/s!AmY4g1w6BYXscBxqhpWpD30WSaA



    Friday, July 22, 2016 8:33 AM