To make a USB Host Device optional on startup within KVM, edit the XML and add startupPolicy="optional" to the source node. This ensures that a missing USB stick, YubiKey, or other device won’t stop your VM from booting.
Received a BSOD with error code 0xc0000225 on a Windows 10 (and 11) VM when enabling the Hyper-V role to do some testing with Microsoft Defender Application Guard. This VM runs on a Rocky Linux host and I typically use Virt-Manager to handle my VMs. Two changes were necessary to get nested Hyper-V working with virt-manager:
virt-xml <VM-NAME> --edit --cpu host-passthrough
sudo modprobe kvm_intel nested=1
Use kvm_amd instead of kvm_intel on AMD processors.
You can check the value here:
cat /sys/module/kvm_intel/parameters/nested
Once that was done, Hyper-V took great, and I could test Application Guard on the VM.
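An added example, not from the original post: a small shell check that reports whether nested virtualization is on for whichever KVM module is loaded, accepting both the Y/N and 1/0 forms the parameter can take. The optional directory argument and the /etc/modprobe.d/kvm.conf file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the KVM nested-virtualization state on Intel or AMD.

# nested_state [module_dir]
# module_dir defaults to /sys/module (the argument is an assumption that
# lets the check run against a constructed directory).
# Prints "<module> enabled", "<module> disabled", or "kvm-not-loaded".
nested_state() {
    base="${1:-/sys/module}"
    for mod in kvm_intel kvm_amd; do
        param="$base/$mod/parameters/nested"
        [ -r "$param" ] || continue
        # kvm_intel reports Y/N, kvm_amd reports 1/0; accept both forms.
        case "$(cat "$param")" in
            Y|y|1) echo "$mod enabled" ;;
            *)     echo "$mod disabled" ;;
        esac
        return 0
    done
    echo "kvm-not-loaded"
    return 1
}

# persist_line <module>
# Prints the modprobe.d option line that keeps nested=1 across reboots.
persist_line() {
    echo "options $1 nested=1"
}

# Print the current state; if nesting is off, print the line to add.
state="$(nested_state)" || true
echo "$state"
case "$state" in
    *disabled)
        # File name is an assumption; any .conf under /etc/modprobe.d works.
        # The module must be reloaded (or the host rebooted) to apply it.
        echo "add to /etc/modprobe.d/kvm.conf: $(persist_line "${state%% *}")"
        ;;
esac
```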
I was cleaning up a new directory and found the krbtgt account password hadn’t been reset for over two decades. When I tried resetting it, I could not due to complexity requirements.
It states: “If a custom password filter (for example, passfilt.dll) is installed on a domain controller, you may receive the following error when trying to change the password for the krbtgt account.”
“This occurs because there is special logic when changing the password for krbtgt. While the Active Directory Users and Computers (dsa.msc) snap-in allows you to enter a password, it won’t be used when changing the password. Instead, the Active Directory creates a long string of random bits to use as the password. Since this string contains random data and not Unicode characters, it fails the typical tests included in password filters. These tests typically include checking to see if the password contains a certain combination of upper and lower case letters, numbers, and punctuation.”
I checked. And sure enough, there was a password filter.
It’s a pretty common issue. Realtek devices are inexpensive and prolific but they’re flaky and not recommended by most. Coupled with pfsense, one can have a pretty solid lab if you can get them working reliably. I went down the path of building out a new lab with a gigabyte box as a pfsense one-arm-router. I paired it with a managed PoE switch running a few Ubiquiti APs so I could power and pull networks from some IoT devices I was researching.
Every time my NIC was under load, my WAN interface would go down. Reloading the interface was a quick fix but it was one needing a more permanent fix.
I bought a silver ACEPC T11 for doing some lab work for $127. It sports an Intel Cherry Trail Atom Z8350 quad-core CPU, 4GB of RAM, 64GB eMMC, and a dual-band 2.4GHz and 5GHz wireless card. I tried booting off the pfsense media and it kept hanging at ppc0: cannot reserve I/O port range. After poking around, I ran across this article: https://forum.netgate.com/topic/109447/zotac-ci323-installation-controller-failures/16
I rebooted and selected 3. [Esc]ape to loader prompt on the boot menu. At the OK prompt, I entered:
set hint.uart.0.disabled="1"
set hint.uart.1.disabled="1"
boot
It booted right up and pfsense installed without any issues.
Next, I’ll be ripping it open and installing external wireless adapters and an SSD for storing pcaps.