How to Restore Lost Mouse Function of XCP-NG UEFI Windows Guest Without Rebooting (Workaround)

While actively using a Windows guest VM running on an XCP-NG hypervisor in UEFI mode, you will likely have no issues with the mouse. The problem is that mouse functionality is suddenly lost until the next reboot, and this seems to occur either at the moment the screen “blanks” after a set period of inactivity, or at the moment of “wake”. Either way, losing the mouse in a UEFI Windows guest virtual machine is annoying at best and potentially catastrophic at worst, should you have open documents that you need to save first, or other configuration on the system you need to touch before resetting or rebooting the virtual machine.

While we unfortunately do not know of any “permanent fix” for this issue (yet?), we do have a viable workaround.

For the first step in troubleshooting, let’s identify the confusing symptoms and indicators that reveal a loss of mouse control in the Windows guest OS.

Scenario 1: RDP or VNC Connection is Made to the UEFI Windows Guest VM

You may be able to RDP or VNC into the Windows Guest VM properly, but once you are logged in and at the Windows Desktop, you quickly realize there is no mouse movement. But what happens when you press Ctrl+Alt+Del (or Ctrl+Alt+End with RDP)?

If the three-key combination “wakes up” the Windows VM and shows the list of options associated with Ctrl+Alt+Del, then there is a way to regain mouse function without rebooting first, but it takes some tricky keyboard work:

You can use the arrow keys or Tab/Shift+Tab to “cycle” through the options shown after Ctrl+Alt+Del. You can also use the Esc(ape) key to exit the Ctrl+Alt+Del menu (or select the “Cancel” button at the bottom and hit Enter).

To start the workaround and get the mouse back, press the Windows key to open the Start Menu and type ‘devmgmt.msc’, which usually makes Windows suggest “Device Manager”. When the “Device Manager” suggestion appears, press Enter to open it.

You can also use Windows key+R to open the Run… prompt and type ‘devmgmt.msc’ there.


Once the Device Manager window is open and has focus, press the Tab key and you should see the top-most item, which will be the hostname (“Windows computer name”) of the UEFI Windows guest VM, highlighted in light blue in the Device Manager window (your system’s default or custom color scheme may vary).

Now use the Down Arrow key to highlight “Universal Serial Bus controllers” (typically shown at the very bottom).


Once “Universal Serial Bus controllers” is selected, press the Right Arrow key to expand the entries under that heading. You will most likely see a “yellow bang” next to “Intel(R) 82371SB PCI to USB Universal Host Controller”.


Use the Down Arrow key to move onto the marked item and press the Menu key to mimic a right-click; a context menu appears containing “Disable device”. Use the Down Arrow key again to navigate to “Disable device” and press Enter.


You should then see a prompt window whose title bar reads “Intel(R) 82371SB PCI to USB Universal Host Controller”, with the yellow bang next to the text “Disabling this device will cause it to stop functioning. Do you really want to disable it?”, and “Yes” and “No” buttons.


Notice that the “No” button is selected by default (you can see the blue outline and/or dotted line around the selected button). Press the Left Arrow key to highlight “Yes”, then press Enter.

At this point you have disabled the non-functional USB controller in the Windows guest VM and the yellow bang is no longer showing. Now we can proceed with the second half of the workaround: re-enabling the device in Device Manager to restore mouse function.


Press the Menu key again with the “Intel(R) 82371SB PCI to USB Universal Host Controller” device selected, but this time choose “Enable device” and press Enter.


You should now see that a “USB Root Hub” device has appeared in Device Manager, and mouse functionality is restored.


Scenario 2: XCP-ng Center / XenCenter Shows Only a “Black Blank Screen” Under Console Tab

If you are using XCP-ng Center / XenCenter and there is only a “black blank screen” in the Console tab for a running virtual machine (green circle with an arrow/play button), click inside the black area and press the Windows key on the keyboard to “wake up” the system. You may be prompted for a password without seeing any keyboard input reach the field; try pressing Tab between other key presses until you see input appear in the password field, then enter your password.

Once logged in, follow the same steps as in “Scenario 1” to get to Device Manager, and disable and re-enable the USB Universal Host Controller until mouse functionality is restored.
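The same disable/re-enable cycle can be driven from an elevated PowerShell prompt, which is reachable by keyboard alone (Win+R, type powershell, then Ctrl+Shift+Enter). This is an added example, not code from the original post; it relies only on the built-in PnpDevice module, and the function names Get-FlaggedUsbController and Restore-GuestMouse are the example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): find the USB controller that shows a
# "yellow bang" in Device Manager, disable it, then re-enable it, exactly as the
# keyboard walkthrough does. Uses Get-PnpDevice / Disable-PnpDevice / Enable-PnpDevice.

function Get-FlaggedUsbController {
    # USB-class devices whose Status is not 'OK' are the "yellow bang" entries in
    # Device Manager. If none is flagged, fall back to the exact controller the
    # post names, so the cycle can still be attempted.
    $usb = Get-PnpDevice -Class USB -PresentOnly -ErrorAction Stop
    $bad = @($usb | Where-Object { $_.Status -ne 'OK' })
    if ($bad.Count -eq 0) {
        $bad = @($usb | Where-Object {
            $_.FriendlyName -like 'Intel(R) 82371SB PCI to USB Universal Host Controller*' })
    }
    return $bad
}

function Restore-GuestMouse {
    [CmdletBinding(SupportsShouldProcess)]
    param([int] $SettleSeconds = 3)   # pause between disable and enable

    $targets = Get-FlaggedUsbController
    if ($targets.Count -eq 0) {
        Write-Warning 'No USB controller with an error status was found; nothing to cycle.'
        return
    }
    foreach ($dev in $targets) {
        if (-not $PSCmdlet.ShouldProcess($dev.FriendlyName, 'Disable, then re-enable')) { continue }
        Write-Host ('Cycling {0} (status: {1})' -f $dev.FriendlyName, $dev.Status)
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Stop
        Start-Sleep -Seconds $SettleSeconds
        Enable-PnpDevice  -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Stop
    }
    # Show the outcome: the post expects a "USB Root Hub" to reappear once the
    # controller is healthy again.
    $ids = @($targets | ForEach-Object InstanceId)
    Get-PnpDevice -Class USB -PresentOnly |
        Where-Object { $_.InstanceId -in $ids -or $_.FriendlyName -like 'USB Root Hub*' } |
        Format-Table Status, FriendlyName, InstanceId -AutoSize
}

# Preview what would be cycled with: Restore-GuestMouse -WhatIf
Restore-GuestMouse
```

Run it only in the guest where the keyboard still works, as in the scenarios above; the -WhatIf switch lists the device(s) that would be cycled without touching them.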


Why This is a “Workaround” and Not Considered as a “Fix”

In our observations, this “lost mouse” issue happens in XCP-NG when using XCP-ng Center or VNC remote access tools with a Windows guest VM configured for UEFI boot. It occurs with both Windows 10 and Windows 11, “somewhat frequently, but not always”. Since the issue recurs and this workaround will likely need to be repeated to regain mouse function in the Windows guest, we consider it a “workaround” rather than a “fix”.

Yes, we agree. This is very annoying.

It is still unclear what the root causes of this problem are, but we are currently testing the removal and/or disabling of the “PS/2 Compatible Mouse” in Device Manager under “Mice and other pointing devices” (since the “HID-compliant mouse” is what XCP-NG uses as its mouse/pointer in the UEFI Windows guest VM).

Should we come to a conclusion for a “permanent fix” for this issue, we will update this post and report back our findings.

We hope this helps others!

How to Enable DNSSEC for Ubiquiti EdgeRouter EdgeOS Stock Firmware

If you own a Ubiquiti EdgeRouter (ER-X, ERLite-3, ER-4, ERPoe-5, ERPro-8, etc.) and are using the stock EdgeOS firmware, you may be missing an opportunity to secure your DNS requests with DNSSEC. Unlike most router firmware UIs from approximately 2017 onward, the browser-based EdgeOS user interface has no GUI option for enabling DNSSEC.

This guide will help you enable this feature on Ubiquiti EdgeRouter models that have NOT been updated or modified to use third-party firmware. As of 2024, the only other known compatible router firmware for Ubiquiti EdgeRouter products is OpenWRT. While OpenWRT provides extensive enhancements and virtually unlimited potential for add-on features and functions, the elegance and simplicity of the EdgeOS UI, and the official firmware updates Ubiquiti seems committed to providing for its EdgeRouter product line, may be more favorable to many users than the moderate-to-steep learning curve required for switching to OpenWRT. It is also possible that you have reverted to EdgeOS after trying OpenWRT and finding its performance or feature set unsatisfactory. While OpenWRT is measurably better than EdgeOS, it is not for everyone. So if you seek to add security to the stock EdgeOS firmware from Ubiquiti on your EdgeRouter “EdgeMax” model, rather than switch to OpenWRT, then please read on.

Assumptions of Your EdgeRouter Configuration

If you have not deliberately changed the default subnet since purchase (or you have just performed a software “factory reset” or a “pinhole hardware 30-30-30 reset”) and are using stock defaults, then your EdgeRouter subnet/CIDR will be 192.168.1.0/24. This default configuration uses the IP address and URL https://192.168.1.1 to log in and access the ER configuration, which is what this guide assumes.

This guide assumes your Ubiquiti EdgeRouter is currently running EdgeOS v2.0.9-hotfix.7 or similar. Future firmware versions may change the EdgeOS user interface (UI) in some way.

Locating the Floating CLI Prompt in the EdgeOS Web UI

Log in to the EdgeOS web UI and open the CLI prompt for your EdgeRouter (ER) product by entering https://192.168.1.1 (or whichever IP address you have assigned to your EdgeRouter) in the address bar of a supported web browser. Enter your username (ubnt) and password into the web form and click the Login button.

Once logged in, you will see the “CLI” option in the top right corner of the EdgeOS UI menu.


After clicking it, wait up to 15 seconds for the CLI prompt to finish opening and ask for your login username, followed by your password. These will most likely be the same credentials you used to log into the web UI (unless you have added your own users in the EdgeOS “Users” tab).

Logging in to EdgeOS CLI

This guide assumes ubnt as the username (the default admin user for EdgeOS), but any user with admin privileges whose password you have will work. Note that in order to make configuration changes via the CLI prompt, you MUST log in as an admin user, even if you already logged into the web UI as an admin.


Once you have entered your admin-capable username and password, you will be able to perform actions and modifications that are unavailable in the EdgeOS web UI. You will also notice that this CLI prompt window in your web browser is a bit clunky and awkward if you are used to tools like Mac Terminal, Linux Terminal or PuTTY (on Windows). When you right-click in the CLI prompt you are offered a limited set of options, some of which do not work as you might expect, such as Copy and Paste. For this reason, you will either need to type the commands below in manually, without copy/paste, or be very careful not to press ENTER until you have removed any special or “invisible” characters that were pasted into the CLI prompt window while enabling DNSSEC on your Ubiquiti EdgeRouter. This is particularly important for the longer command lines, such as the set commands carrying the Internet Assigned Numbers Authority (IANA) trust anchors.

Enabling DNSSEC on Ubiquiti EdgeRouter Products through the EdgeOS CLI

One line at a time, enter the following commands into the open, logged-in CLI prompt window. Review the # commented lines for details of what each line does, and do NOT try to copy and paste more than one line at a time; either paste one line at a time or type each command yourself (keep reading for more pointers before you try this):

# The 'configure' command puts EdgeOS into "config mode"
configure

# Turn on DNSSEC validation in the EdgeOS DNS forwarder (dnsmasq)
set service dns forwarding options dnssec

# Also verify that unsigned replies really come from unsigned zones, so a
# reply with its signatures stripped is not silently accepted
set service dns forwarding options dnssec-check-unsigned

# Skip signature validity-period checks, so validation still works before the
# router's clock has synced after boot (the NTP lookup itself needs DNS)
set service dns forwarding options dnssec-no-timecheck

# Root zone trust anchor: the 2017 KSK (key tag 20326)
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Root zone trust anchor: the 2010 KSK (key tag 19036)
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

# Apply the configuration changes to the running system
commit

# Save the configuration so the changes persist across reboots
save

# Leave 'configure mode'
exit

# Reboot immediately (press y to confirm)
reboot

## This ends the list of commands needed to enable DNSSEC on EdgeRouter models.
## Remember to enter each line, one at a time.
## Read further below for tips on successful copy/paste, and on testing before using 'save' and 'reboot'.

Future-Proofing this Guide

To prevent this guide from going “stale” and losing usefulness, or becoming confusing as future changes occur, note that these trust anchors may change in the future. At the time of this writing in Q1 of 2024, the trust anchors from IANA have NOT been updated since Q4 of 2018, but they may be updated in the future, so if you want to verify they are correct at the time you are reading this, check this link: https://data.iana.org/root-anchors/root-anchors.xml
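As an added example (not from the original guide), the script below turns IANA’s root-anchors.xml into the same “set service dns forwarding options trust-anchor=” lines used above, and goes one step beyond the guide by keeping only anchors that are valid on a chosen date. The XML embedded in it is a constructed sample that mirrors the layout of the IANA file and carries the two digests quoted in the guide; the function name ConvertTo-EdgeOsTrustAnchor is the example’s own.

```powershell
# Added example (not from the original guide): convert IANA's root-anchors.xml into
# the EdgeOS 'set service dns forwarding options trust-anchor=' lines used above,
# keeping only anchors that are valid on the chosen date. The XML below is a
# constructed sample that mirrors the IANA file layout (RFC 7958) and carries the
# two digests quoted in the guide; fetch the real file with:
#   Invoke-WebRequest -Uri https://data.iana.org/root-anchors/root-anchors.xml -OutFile root-anchors.xml
$SampleRootAnchors = @'
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-sample" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="sample-ksk-2010" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
  <KeyDigest id="sample-ksk-2017" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>20326</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
  </KeyDigest>
</TrustAnchor>
'@

function ConvertTo-EdgeOsTrustAnchor {
    <# Emits one EdgeOS set command per KeyDigest that is valid on $AsOf (UTC).
       Entries whose validUntil has passed are skipped, which is how a retired
       KSK drops out of the generated configuration automatically. #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RootAnchorsXml,
        [datetime] $AsOf = [datetime]::UtcNow
    )
    $doc  = [xml] $RootAnchorsXml
    $zone = $doc.TrustAnchor.Zone
    if ($zone -ne '.') { throw "Expected the root zone '.', got '$zone'" }

    foreach ($kd in @($doc.TrustAnchor.KeyDigest)) {
        $from = ([datetimeoffset] $kd.validFrom).UtcDateTime
        # validUntil is optional in the file: the current KSK carries none.
        $until = if ($kd.validUntil) { ([datetimeoffset] $kd.validUntil).UtcDateTime } else { [datetime]::MaxValue }
        if ($AsOf -lt $from -or $AsOf -ge $until) {
            Write-Verbose ('Skipping key tag {0}: not valid on {1:yyyy-MM-dd}' -f $kd.KeyTag, $AsOf)
            continue
        }
        if ($kd.DigestType -eq '2' -and $kd.Digest -notmatch '^[0-9A-Fa-f]{64}$') {
            throw "Key tag $($kd.KeyTag): digest type 2 (SHA-256) must be 64 hex characters"
        }
        $fields = @($zone, $kd.KeyTag, $kd.Algorithm, $kd.DigestType, $kd.Digest.ToUpperInvariant())
        'set service dns forwarding options trust-anchor={0},{1},{2},{3},{4}' -f $fields
    }
}

# Today: only key tag 20326 is emitted; the sample's 2010 anchor has expired.
ConvertTo-EdgeOsTrustAnchor -RootAnchorsXml $SampleRootAnchors -Verbose
# A date in 2018: both anchors were valid, matching the two lines in the guide.
ConvertTo-EdgeOsTrustAnchor -RootAnchorsXml $SampleRootAnchors -AsOf ([datetime]'2018-10-01')
```

To check a downloaded file instead of the sample, pass (Get-Content root-anchors.xml -Raw) as -RootAnchorsXml and compare the output with the trust-anchor lines currently in your EdgeOS configuration.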

EdgeOS CLI Prompt Oddities

Notice in the screenshot below that using the Copy text function (right-click > Copy, CMD+C or Ctrl+C, etc.) and then right-clicking in the CLI prompt window of the EdgeOS web UI does NOT work as expected. It is still possible to “Paste” into the floating CLI prompt window in EdgeOS with:

Shift+Ctrl+V

However, when pasting into the floating CLI prompt window of the EdgeOS web UI, there may be “trailing invisible characters” included that will cause problems. To make matters worse, the floating CLI prompt window “text wraps” longer command lines in such a way that the end of the pasted text appears in strange locations on the same command line (as you can see in the screenshot).

Also, if you copy the text line by line (as you MUST, since the EdgeOS CLI does not accept multiple commands entered at once the way PuTTY, Linux or Mac Terminal do), you will likely notice “invisible characters” that suddenly appear when you press ENTER. You can simply backspace/delete these invisible trailing characters, but due to the strange line-wrapping behavior of the Shift+Ctrl+V paste operation, it is sometimes difficult or impossible to be confident that you have not unintentionally deleted some of the final characters of the line you want to submit to the EdgeOS configuration.

PRO TIP:

To make this easier, simply add a SPACE after each Shift+Ctrl+V paste operation and then press ENTER. This seems to avoid the “trailing invisible character” bug in the CLI prompt, though the text wrapping remains an issue.


Note that on the EdgeRouter used for the above screenshot, these commands already existed in the EdgeOS configuration; if they are already set on your EdgeRouter, you will receive the above message “The specified configuration node already exists”, but on your first attempt with the commands above you will not see that message.

Testing Your Changes to EdgeOS Before Persisting After Reboot

If you want to first make sure DNSSEC is a viable option for you and your network, but do not yet want to persist the configuration changes across reboots, simply skip the save command before exit and also skip the reboot command. Skipping save and reboot enables DNSSEC only until you reboot or power-cycle the EdgeRouter. This way, if you experience issues with DNSSEC on your particular network, you can “undo” the configuration changes made through the CLI prompt in the EdgeOS web UI by rebooting the router or briefly unplugging its power. This may be a good idea, because you will be required to add DNSSEC-capable name servers to your System name server list in the System tab (bottom left corner of the EdgeOS web UI). If the name servers you have configured do not support DNSSEC, you may not have internet access until you change them to ones that do, or remove the DNSSEC configuration from EdgeOS.

Some known Public DNS Name Server IP addresses that support DNSSEC

  • 9.9.9.9 (Quad9)
  • 9.9.9.11 (Quad9)
  • 208.67.222.220 (OpenDNS)
  • 208.67.222.123 (OpenDNS)
  • 1.1.1.1 (Cloudflare)
  • 1.0.0.1 (Cloudflare)

For Those Who Run Locally Hosted DNS Servers

If you are using your own locally hosted DNS server(s) connected to the same subnet as your EdgeRouter (e.g. a machine with hostname pi-hole.local and a static IP address of 192.168.1.2) running Unbound, Pi-hole or BIND9, then you can use the IP address(es) of your local DNS server(s) in your System name server list instead (this is highly recommended for privacy and security reasons). However, you must enable DNSSEC in your locally hosted DNS server(s) first.

Verifying DNSSEC is enabled on your network

The simplest way to check whether DNSSEC is now active on your network is to visit the Wander.science project DNSSEC Resolver Test and click the Start test button. If you get a thumbs up after a few seconds, you should be good to go. It is also a good idea to check DNSLeakTest.com for DNS leaks any time you change your DNS configuration.

If you want to performance-test the available upstream DNSSEC-enabled public DNS providers, you can also download DNS Benchmark from GRC.com to test a variety of local and/or public DNS servers and configurations (recommended freeware). To test for DNSSEC-enabled servers in DNS Benchmark, right-click anywhere inside the open window (NOT on the title bar, which has even more options to test with), click the bottom option to enable ‘Test DNSSEC Authentication’, and then click ‘Yes’ to re-characterize the available resolvers. Any available DNSSEC-capable servers will show in green after that. Choose the best and fastest DNS servers available to your network for optimal internet performance.


Sources:

  • Ubiquiti EdgeRouter Information:
    • Official Ubiquiti firmware download site – https://www.ui.com/download
    • UI Community Forum Q/A regarding DNSSEC – https://community.ui.com/questions/DNSSEC-should-i-be-using-it/e5dbd3f3-af02-4966-80db-f8edbc99f608#answer/fe218f25-f39b-45c9-995a-fd7884b481f9
    • UI Community Forum Q/A regarding how to change, commit and save config to persist on reboots
      • https://community.ui.com/questions/Edge-Router-x-Mac-address/052e3556-acd7-47f3-8e92-c21a66294993#answer/76aa579b-7fe2-4e3e-80cb-f6a79a068e26
      • https://help.ui.com/hc/en-us/articles/204960094-EdgeRouter-Configuration-and-Operational-Mode
    • How to “undo” or “unset” configure commands in EdgeOS with delete – https://community.ui.com/questions/How-can-unset-modify-rules-in-EdgeRouter-PoE/2e9c6bd6-5593-483e-8901-58cb2baf02eb
    • DNSSEC settings information:
      • Explanation of the importance of enabling the dnssec-check-unsigned option – https://www.suse.com/support/kb/doc/?id=000020508
      • Example of issues avoided by using the dnssec-no-timecheck option – https://github.com/systemd/systemd/issues/5873
  • Official Sources of “Internet Governance”
    • Internet Assigned Numbers Authority (IANA) root-anchors (trust anchors)
      • https://data.iana.org/root-anchors/root-anchors.xml
      • https://www.iana.org/dnssec/files
    • Minimal list of DNS server software that supports DNSSEC (from 2013) – https://www.internetsociety.org/resources/deploy360/2013/dns-servers-supporting-dnssec/
    • Progress of DNSSEC proliferation – https://dnssec-deployment.icann.org/en/dnssec/
  • DNSSEC Tools
    • DNS Benchmark (right-click to enable ‘Test DNSSEC Authentication’ and click ‘Yes’) – https://www.grc.com/dns/benchmark.htm
    • Super Simple DNSSEC Resolver Test – https://wander.science/projects/dns/dnssec-resolver-test/

A Consumer Observation for Evolution of the World Wide Web

In the mid 1990s, you would be hard-pressed to avoid being inundated with Compact Discs (CDs) containing software for installing America On-Line (AOL) on your Windows 95 PC. These CDs were seemingly in every magazine, gas station, grocery store and shopping mall. Due to the constraints of the RJ-11 terminated wiring used for “land-line telephone” and “fax machine” connections, consumers and businesses were limited to a maximum theoretical bandwidth of 24Mbps, but were only able to achieve about 0.054 Mbps (54kHz) with the modems of the era, which usually peaked at advertised limits of 56.6k. Plain Old Telephone Service (POTS) is what the communications industry, over 30 years later, often calls these older copper wiring networks, but consider for a moment what life must have been like at a time when these systems were being used in a brand new and cutting edge way that they were never designed for.

What many people born after 1990 may not realize is that there was a time when not everyone owned an electronic device capable of transmitting user-created digital information. The common household in a developed country in the 1980s had a telephone line with service akin to modern “cable internet”, paid monthly to corporations like the American Telephone and Telegraph Company (AT&T), “Ma Bell”, Microwave Communications, Incorporated (MCI), General Telephone & Electronics Corporation (GTE) and other corporate fossils. These companies were in the business of connecting physical wires all over Earth for the purpose of facilitating communication between human beings. The concept of transmitting information (“data”) was conceived very early in communications technology; the first patent for a “fax machine” was filed in the 1840s, and the idea was later improved and adapted for use over “POTS networks”. Many households in the early 1990s were still devoid of a computer, with the arguable exception of video game devices like a Sega Genesis or a Nintendo Game Boy; no consumer gaming consoles from that era had internet connectivity.

In the beginning of “The Internet”, the “World Wide Web” or the “Super Information Highway” (terms often used interchangeably in colloquial speech, though they have different origins), the limitations were those of the physics of the pre-existing infrastructure that property owners had already adopted. Imagination was never the limitation. The sky was the limit for what you might want to use the internet for. The intentions and opinions of an individual were no longer confined to public speaking or physical media publication. One no longer had to shout into a megaphone to reach more than a few hundred people’s ears and eyes. The ideas and problems of the world were now being shared liberally. Art and self-expression were influenced and inspired through “digital mediums” like GeoCities and eventually DeviantART. The prolific spread of old knowledge and ideas to new regions and minds has had immense benefits, though there were also some unintended consequences along the way. Napster was one of the first file sharing services, most often used to share music in the form of mp3 files, with no royalties or financial upside for music distributors. The traditional “record stores” were no longer the go-to place for unique and obscure songs or different versions of familiar tunes. Suddenly, voters could learn about the downstream effects, in other parts of their countries, generated by the candidates they did or did not help get elected. Libraries were no longer a required trip for middle-school book reports, or if they were, it was because libraries often had publicly accessible computers with decent internet connections. These disruptive changes did not all happen overnight, but when each of them did happen, it seemed to happen relatively quickly and in a series. In many ways, this was the start of a trend that has yet to end over 30 years later.

These somewhat humble and questionable beginnings paved the way for modern services and utilities like social media, music and video streaming platforms and personalized messaging applications. These “creative ideas” sparked public interest in an experience that was previously unimagined or unrealized. New innovations were inspired for commercially viable use cases, like WiFi, Bluetooth, satellite and new variants of radio frequencies. As the portable energy storage of rechargeable battery technology improved, so did the performance and efficiency of CPUs, GPUs, RAM modules and visual displays, all of which paved the way for the “cell phones” that ultimately became the “smart phones” of today. The intersection of influences among the modern technological mainstays during the early years of commercial internet services is vast and profound.

So… what happened?… What stifled all of the new ideas and creativity? Aside from advancements in Blockchain Technology and Artificial Intelligence, what has been inspiring the human mind since the late 2000s? The hopes and aspirations of CoolElectricity.com are fairly simple: Provide honest and genuine observations for technological innovations, and the products and services it spawns.

Thanks for letting us ride shotgun for awhile on your journey. We hope to take another ride with you again, soon.