Skip to content

Troubleshooting — Hyper-V (Windows 11)

If the appliance is deployed but isn't behaving as expected, work through the issues below. If it boots but never connects — or the tunnel drops right after it establishes — the cause is usually firewall L7/TLS inspection or NAC, not this platform: see Connectivity Troubleshooting.

The VM shows a black screen or the firmware error "The unsigned image's hash is not allowed (DB)"

Secure Boot is enabled. The appliance bootloader is unsigned; Hyper-V Gen2 defaults Secure Boot On with the "Microsoft Windows" template, which rejects it at the firmware level before anything can render. Open Hyper-V Manager → VM Settings → Security and set Secure Boot to Off, then restart the VM. The package ships with Secure Boot already disabled, but a re-import or a Windows update can re-enable it. This is the single most common failure on Windows 11 Hyper-V.

The appliance can't reach targets on the LAN (no L2 adjacency)

The VM is on the wrong switch type. The Default Switch (and any Internal or Private switch) is a NAT network — the appliance gets internet but cannot see the physical LAN at L2. You must use an External virtual switch bound to the host's physical NIC. The PowerShell script creates one automatically; the GUI guide shows which switch to select during the import wizard.

L2 tooling (bettercap, Responder, ARP poisoning) fails or drops packets

Two things to check. First, MAC address spoofing must be On for the VM's network adapter: VM Settings → Network Adapter → Advanced Features → MAC address spoofing → Enabled. Hyper-V drops frames whose source MAC does not match the adapter's assigned MAC, which breaks any tool that forges source MACs; the package ships with spoofing On, but a re-import or settings change can disable it. Second, the external switch must be bound to a wired Ethernet NIC — Wi-Fi cannot carry true Layer-2 traffic.

The script exits: "must be run as Administrator" or "Hyper-V is not enabled"

Import-RTA.ps1 requires elevation and the Hyper-V Windows feature. Reopen PowerShell with Run as Administrator. To enable Hyper-V, open Turn Windows features on or off → tick Hyper-V (all sub-items) → OK → restart. On Windows 11 Home Hyper-V is unavailable — you need Pro or Enterprise.

Import fails ("cannot be imported" or Compare-VM throws an error)

This usually means the extracted path contains spaces or non-ASCII characters, or the zip wasn't fully extracted before import. Extract to a plain ASCII path with no spaces (e.g. C:\RTA\), confirm the Sophos-RTA\ folder is intact (both Virtual Machines\ and Virtual Hard Disks\ subdirectories present), and retry. The package uses config version 8.0, compatible with Windows 10 1607, Windows 11, and Windows Server 2016 and newer.

The Import wizard doesn't list the Sophos-RTA folder

The wizard requires you to select the Sophos-RTA\ subfolder — not the parent extraction folder. Browse into C:\RTA\Sophos-RTA (the folder that directly contains Virtual Machines\ and Virtual Hard Disks\).

There is no External switch in the network adapter drop-down

You haven't created one yet. In Hyper-V Manager → Virtual Switch Manager, create an External switch bound to your wired Ethernet NIC, then re-run the import. The Default Switch is a NAT network and will not provide L2 adjacency to targets.