GPO error message applying settings for {F312195E-3D9D-447A-A3F5-08DFFA24735E}

When you have activated Credential Guard for Windows 10 (1607), you might note errors on your clients when they try to update group policies:

Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings.

You will also find thw below error in the DeviceGuard Operational event log:

Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0x80070057): Invalid parameter

The problem seems to be related to the incorrect registry value HypervisorEnforcedCodeIntegrity being written. It’s set to 3 on Windows 10 v1607, which seems to be a totally undocumented and invalid value. Verify under the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard. This value is written as long as the setting “Virtualization Based Protection of Code Integrity” found in the GPO setting “Turn on Virtualization Based Security” is set to “Not configured”.

Solution

In the GPO setting Turn on Virtualization Based Security found in Computer Configuration\Administrative Templates\System\Device Guard edit the and set Virtualization Based Protection of Code Integrity to Disabled. This will make the HypervisorEnforcedCodeIntegrity turn to 0 and the GPO will apply without errors.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.