Windows 10: Difference between revisions

From Andreida
No edit summary
No edit summary
Line 66: Line 66:
* Do this for all tiles
* Do this for all tiles
* Close the start menu and open it again
* Close the start menu and open it again


= Virtual Machines =

== Problems with the Guard ==


You can always check the VM Safety via "Click Start, type msinfo32.exe, and then click System Information. >.


VMWare workstation and device/credential guard are not compatible. (short version)
When the VMWare image of QNX OS does not start but instead you get something like the following error dialog:

First thing to try: (from https://www.youtube.com/watch?v=CGpv2Dvzyeg)
Launch cmd as admin...
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set hypervisorlaunchtype off
Restart your system ...


If this is not enough, follow the link from the dialog box to the vmware site and from there to the Microsoft site where you have to scroll down a lot to see how to disable all the guard thingies.
AFTER you follow the MS guide, do the above again! Or follow the copy/paste in the "long version" (next sub chapter).


VMWare workstation and device/credential guard are not compatible (long version) or how to Disable Windows Defender Credential Guard
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
https://www.youtube.com/watch?v=CGpv2Dvzyeg
To open the Group policy settings editor: "Run" and type "gpedit.msc", right-click, select "run as admin".
* If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn on Virtualization Based Security).
* Delete the following registry settings:
** HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
** HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
* If you also wish to disable virtualization-based security delete the following registry settings:
** HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
** HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
Important
If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
* Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
* mountvol X: /s
* copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
* bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
* bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
* bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
* bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
* bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
* mountvol X: /d
* Restart the PC.
* Accept the prompt to disable Windows Defender Credential Guard.
* Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.


Note
The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off


VMware Workstation and Device/Credential Guard are not compatible Problem Resolve.
Go to Control Panel - Uninstall a Program - Turn Windows features on or off - (uncheck/turn off) Hyper-V. Click
OK
Select Do not restart.
And then type the following cmds in cmd prompt..
to Delete the related EFI variables from the BCD file... Launch cmd as admin...

bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set hypervisorlaunchtype off

Restart your system ...

Revision as of 17:44, 4 March 2020

Activation

Is your Windows 10 using a "product key" or a "digital license"?

  • Right click the start button
  • Select "System"
  • Select "Home" (upper left)
  • Select "Update & Security"
  • Select "Activation"

Look for a text like

Windows is activated with a digital license

In case of a "digital license", you don't need to care about a "product key", you can just reinstall this pc and skip the dialog, where you are asked to enter a "product key".

Get product key from installed Windows 10

Get Windows 10 product key from the UEFI firmware

powershell
(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

Get Windows 10 product key from the registry

Create productkey.vbs

Set WshShell = CreateObject("WScript.Shell")
MsgBox ConvertToKey(WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId"))

Function ConvertToKey(Key)
Const KeyOffset = 52
i = 28
Chars = "BCDFGHJKMPQRTVWXY2346789"
Do
Cur = 0
x = 14
Do
Cur = Cur * 256
Cur = Key(x + KeyOffset) + Cur
Key(x + KeyOffset) = (Cur \ 24) And 255
Cur = Cur Mod 24
x = x -1
Loop While x >= 0
i = i -1
KeyOutput = Mid(Chars, Cur + 1, 1) & KeyOutput
If (((29 - i) Mod 6) = 0) And (i <> -1) Then
i = i -1
KeyOutput = "-" & KeyOutput
End If
Loop While i >= 0
ConvertToKey = KeyOutput
End Function

Automatically login into Windows 10 with username and password

  • start netplwiz
  • uncheck "needs password"

Use a hard disk with more than 2TB with Windows 10

You have to set/format the hard disk to GPT. If your system/bios does not allow booting from a GPT or >2TB HD, you can boot from a small HD/SDD and then use the large GPT disk.


GPT has no "extended". Your disk will be "primary" and you don't have to care about it, because you can create a lot of partition on it, not just the normal "four partition on a primary disk".

Remove Tiles from Start Menu

  • Right click each tile and select "Unpin from Start Menu"
  • Do this for all tiles
  • Close the start menu and open it again


Virtual Machines

Problems with the Guard

You can always check the VM Safety via "Click Start, type msinfo32.exe, and then click System Information. >.


VMWare workstation and device/credential guard are not compatible. (short version) When the VMWare image of QNX OS does not start but instead you get something like the following error dialog:


First thing to try: (from https://www.youtube.com/watch?v=CGpv2Dvzyeg) Launch cmd as admin...

bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set hypervisorlaunchtype off

Restart your system ...


If this is not enough, follow the link from the dialog box to the vmware site and from there to the Microsoft site where you have to scroll down a lot to see how to disable all the guard thingies. AFTER you follow the MS guide, do the above again! Or follow the copy/paste in the "long version" (next sub chapter).


VMWare workstation and device/credential guard are not compatible (long version) or how to Disable Windows Defender Credential Guard https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard https://www.youtube.com/watch?v=CGpv2Dvzyeg To open the Group policy settings editor: "Run" and type "gpedit.msc", right-click, select "run as admin".

  • If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn on Virtualization Based Security).
  • Delete the following registry settings:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
  • If you also wish to disable virtualization-based security delete the following registry settings:
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures

Important If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.

  • Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
  • mountvol X: /s
  • copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
  • bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
  • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
  • bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
  • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
  • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
  • mountvol X: /d
  • Restart the PC.
  • Accept the prompt to disable Windows Defender Credential Guard.
  • Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.


Note The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS bcdedit /set vsmlaunchtype off


VMware Workstation and Device/Credential Guard are not compatible Problem Resolve. Go to Control Panel - Uninstall a Program - Turn Windows features on or off - (uncheck/turn off) Hyper-V. Click OK Select Do not restart. And then type the following cmds in cmd prompt.. to Delete the related EFI variables from the BCD file... Launch cmd as admin...

bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader 
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" 
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} 
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS 
bcdedit /set hypervisorlaunchtype off 

Restart your system ...