TurboActivate needs to run along with W11 core isolation (Hypervisor / Virtual machine)

Hi

I'm Adrien Grosjean, CTO at DigitalEssence.
We use TurboActivate in our products for license activations.
As Windows 11 spreads, our users face the virtual machine activation issue more and more:
You probably already know that Windows has made the choice to activate the “Core isolation memory integrity” setting per default on W11. Since this creates a virtual machine, TurboActivate returns the VM error.

We, and probably a lot of other companies, do not want to allow users to run our product on custom virtual machines (we don't want to set the flag in the licenses because we do not want to let the users potentially duplicate licenses).
Our users do not want to disable the “core isolation memory integrity” setting: Windows says it's unsafe, and we understand their choice.

We think that TurboActivate should allow software activation when running with the “core isolation memory integrity” setting. In fact, it seems that is what other solutions do: video game anti-cheat systems, for instance, forbid virtual machines yet allow the “core isolation memory integrity” setting.

This matter is starting to generate a lot of messages on our support system and is getting increasingly invasive.

Is the dev team working on the subject already? When can we expect it to be resolved?
Wouldn't this method be sufficient?
Microsoft doc on the subject: https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard

Regards

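As an added diagnostic example (this is not TurboActivate's or wyDay's code, and it is not part of the original thread), the following PowerShell script is the kind of thing a support team can ask a Windows 10/11 user to run to see why Windows reports a hypervisor: because Virtualization-Based Security (the "core isolation memory integrity" setting, HVCI) is running on bare metal, or because the OS is itself a guest VM. It reads the real `Win32_DeviceGuard` and `Win32_ComputerSystem` WMI classes; the list of guest firmware strings is a constructed heuristic and the `LikelyCause` label is this script's own classification, not anything the API returns.

```powershell
# Added diagnostic example; not part of TurboActivate or this thread.
# Assumes Windows 10/11 with PowerShell 5.1 or later; no admin rights needed.

function Get-HypervisorContext {
    # Win32_DeviceGuard exposes the Virtualization-Based Security (VBS) state.
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled, not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    $vbsRunning  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Win32_ComputerSystem.HypervisorPresent is true both when Windows is a guest
    # and when the Windows hypervisor sits under a bare-metal install to host VBS,
    # which is exactly why a plain "hypervisor present" check cannot tell them apart.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $hypervisorPresent = [bool]$cs.HypervisorPresent

    # Constructed, non-exhaustive list of SMBIOS strings common guest VMs report.
    $guestMarkers = @('Virtual Machine', 'VMware', 'VirtualBox', 'KVM', 'QEMU', 'Xen')
    $model = "$($cs.Manufacturer) $($cs.Model)"
    $looksLikeGuest = $false
    foreach ($marker in $guestMarkers) {
        if ($model -like "*$marker*") { $looksLikeGuest = $true }
    }

    # This script's own classification of the readings above.
    if ($hypervisorPresent -and $vbsRunning -and -not $looksLikeGuest) {
        $likelyCause = 'VBS / core isolation on bare metal'
    } elseif ($looksLikeGuest) {
        $likelyCause = 'Running as a guest VM'
    } elseif ($hypervisorPresent) {
        $likelyCause = 'Hypervisor present, cause undetermined'
    } else {
        $likelyCause = 'No hypervisor detected'
    }

    [pscustomobject]@{
        HypervisorPresent = $hypervisorPresent
        VbsRunning        = $vbsRunning
        MemoryIntegrity   = $hvciRunning
        FirmwareModel     = $model
        LooksLikeGuestVM  = $looksLikeGuest
        LikelyCause       = $likelyCause
    }
}

Get-HypervisorContext | Format-List
```

This is a support diagnostic, not a licensing control: the SMBIOS strings and the Device Guard readings are reported by the very environment being inspected, so a script like this can explain to a user why memory integrity trips a VM check, but it cannot prove that a machine is not a clonable guest, which is the distinction the answers below turn on.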
Answer

Hypervisor is just a VM. You're not actually running on “bare-metal” anymore when you're in a hypervisor.

Also, there's nothing wrong with being in a hypervisor / VM.

So, what are your options? Well, we cover this extensively in our documentation. And it's been covered ad-nauseum on this forum.

What are your options? Again, this isn't new. It's covered at least 2 dozen times in the last year alone:

  1. You can enable VM activations (as you already talked about) so customers can continue to use TA on VMs. It comes with the risks you mentioned and that we describe in our documentation (linked above).
  2. Use TurboFloat. It was designed for this exact purpose: i.e. to be used inside VMs.

Unfortunately, I am aware of both the documentation and the ad-nauseum forum answers.
My question is legitimate and the forum does not provide the precise answer I am looking for.

It seems odd to me that the VMs created by the core isolation setting can be duplicated as easily as any VM. I would suspect one would need to dig deep into Windows things not meant to be manipulated, at the risk of making the system unstable: it was not designed to be manipulated by the user like regular Hyper-V. It was designed to transparently increase the system security.
Hence the relevance of the question; I am sorry you have to answer it.

Given the above statements, couldn't core isolation be treated as a valid form of VM?
In case it still exposes the licensing party to theft, couldn't TurboActivate provide another flag to allow only such VMs?

We do not want to use TurboFloat, it does not suit our needs.

Regards

A VM is a VM is a VM.

It doesn't matter if they call it something else (Hypervisor) or if they enable the VM based on certain settings. It's still a VM. And, yes, VMs can be transferred / cloned to separate machines (Azure / Amazon / etc. all show real-world examples of this happening in production right now).

So, yes, while it's only just a security setting, enabling the setting puts the Windows instance inside a VM.

There's no way to “poke holes” through the VM to get to the bare-metal and see a broad overview of what VMs are running on the bare-metal.

(Actually, that's only partially true. There are occasionally ways to “poke holes” and do that – but those are security vulnerabilities that the VM makers eventually fix).

We do not want to use TurboFloat, it does not suit our needs.

OK. Then use TA.