Creating a Hyper-V vSwitch on a Windows 10 machine fails. However, when the customer disables the following OfficeScan Agent self-protection features, the installation of the Hyper-V vSwitch is successful:
- Protect OfficeScan agent registry keys
- Protect OfficeScan agent processes
The Hyper-V process vmms.exe is responsible for creating a virtual switch. The process needs permission to read network adapter files. In such cases, the creation of a new vSwitch fails because vmms.exe does not have permission to read the TmLwF registry entries.
The Process Monitor logs show an "ACCESS DENIED" error when svchost.exe calls RegDeleteKey:
16:35.2 svchost.exe 10420 RegDeleteKey
HKLM\System\CurrentControlSet\Services\TmLwf\Parameters\Adapters
{A259701F-827D-4BD8-9AE5-71566887FF9C}
{5CBF81BD-5055-47CD-9055-A76B2B4E3698}
-0000 ACCESS DENIED
To resolve the issue:
Refer the customer to the following Microsoft KB Article: Recommended antivirus exclusions for Hyper-V hosts.
If scan exclusions are already set, but the issue persists, request OfficeScan 11.0 Hot Fix Build 6447 from Trend Micro Technical Support or apply the latest patch from Trend Micro Download Center.
Once the hot fix has been applied:
- Open the Ofcscan.ini file in the \PCCSRV\ folder on the OfficeScan server installation directory using a text editor.
- Under the Global Setting section, manually add the following key and set its value to "1".
[Global Setting]
SP_DisableTmLwfRegistryKeyProtection=1
- Save the change and close the file.
- Open the OfficeScan web console and go to the Agents > Global Agent Settings screen.
- Click Save to deploy the setting to agents.
The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
Key: SP_DisableTmLwfRegistryKeyProtection
Type: DWORD
Value: 1
Verify if the issue persists.
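To confirm that the setting reached an agent before retesting vSwitch creation, the registry entry described above can be checked for presence, type and value. This is an added example, not Trend Micro code: the registry path, value name, type and data come from this article, while the function name `Test-TmLwfProtectionOverride`, its output fields and the use of PowerShell remoting for remote agents are assumptions.

```powershell
# Added example (not vendor code). Path, value name, type and data are taken
# from the article; the function name and output fields are hypothetical.
function Test-TmLwfProtectionOverride {
    [CmdletBinding()]
    param(
        # Optional list of agents; assumes PowerShell remoting is enabled on them.
        [string[]]$ComputerName
    )

    $check = {
        # The article lists only the Wow6432Node (64-bit Windows) location.
        $path = 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS'
        $name = 'SP_DisableTmLwfRegistryKeyProtection'
        $result = [ordered]@{
            Computer = $env:COMPUTERNAME
            KeyFound = $false   # AEGIS key exists
            Kind     = $null    # registry value type actually present
            Value    = $null    # data actually present
            Deployed = $false   # true only for DWORD = 1
        }
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($key) {
            $result.KeyFound = $true
            if ($key.GetValueNames() -contains $name) {
                $result.Kind  = $key.GetValueKind($name)
                $result.Value = $key.GetValue($name)
                # A string "1" or any other DWORD does not match the article.
                $result.Deployed =
                    ($result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                    ($result.Value -eq 1)
            }
        }
        [pscustomobject]$result
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check
    } else {
        & $check
    }
}

# Check the local agent; pass -ComputerName to check several agents at once.
Test-TmLwfProtectionOverride | Format-Table -AutoSize
```

A row with `Deployed` set to False after the console deployment means the agent has not received the setting, or the value was written with a different type or data than the article specifies.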