Learn how to Enable or Disable Virtualization Based Security (VBS) on Windows 11. VBS uses hardware virtualization features to create a region of memory that is isolated from the normal operating system. Windows uses this virtual secure mode to host several security solutions.
Hypervisor Enforced Code Integrity (HVCI), also called Memory Integrity, uses Virtualization-Based Security (VBS) to enforce code integrity policy. VBS prevents unsigned drivers and system files from being loaded into system memory. VBS protects vital system and operating system resources by enforcing restrictions.
VBS protects security assets such as authenticated user credentials. VBS creates a secure environment that can host several security features. VBS greatly improves platform security. VBS also changes the trust boundaries in a Windows device. As per Microsoft, VBS reduces the impact of kernel viruses and malware attacks.
To improve Windows 11 performance and get a smoother gaming experience, you may need to disable Virtualization-Based Security (VBS), particularly if you are using a low-end gaming device or an old device upgraded from Windows 10 to Windows 11.
Is it Safe to Disable Virtualization Based Security on Windows 11
After all the above discussion, the question arises: “What is the need to disable VBS (such a powerful security feature, enabled by default in Windows 11)?” The answer: according to many tests, it’s clear that VBS will lower your device performance, especially while playing games.
The Advantages and Disadvantages of Disabling VBS on Windows 11
Let’s quickly look at the Advantages Vs. Disadvantages of disabling VBS. We don’t recommend disabling the VBS at all. But if you have a specific scenario where disabling VBS is mandatory, you can use any of the following methods.
Advantages of Disabling VBS | Disadvantages of Disabling VBS |
---|---|
Improvement in PC as well as gaming performance | Weakens the security features of Windows |
Recommended for low-end gaming PCs and old upgraded PCs | With VBS disabled, overall PC security may be compromised, and this could break Hyper-V related features |
Checking Status of VBS in Windows 11
There is a simple process to check whether VBS is enabled (active) or disabled (inactive) on Windows 11. Let’s follow the steps below to check the status of Virtualization Based Security.
- Click the Search icon on the taskbar
- Type System Information or msinfo32
- Click Open under System Information
The System Information window opens with the System Summary section selected. The System Summary section lists items with their values; scroll down a little to find the item named Virtualization-based security and its value. If the value shows Running, VBS is enabled. If the value shows Not enabled, VBS is disabled on your device.
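The same status can be read from PowerShell, which is useful when many devices have to be checked. This is an added example, not part of the original article: it queries the Win32_DeviceGuard CIM class, and the function name Get-VbsStatus is chosen here for illustration.

```powershell
# Added example: report the VBS state that msinfo32 shows, from PowerShell.
function Get-VbsStatus {
    [CmdletBinding()]
    param()

    # Meanings of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
    $vbsState = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Running'
    }
    # Meanings of the ids in the SecurityServices* arrays (0 = none)
    $services = @{
        1 = 'Credential Guard'
        2 = 'Memory Integrity (HVCI)'
    }

    $query = @{
        Namespace   = 'root\Microsoft\Windows\DeviceGuard'
        ClassName   = 'Win32_DeviceGuard'
        ErrorAction = 'Stop'
    }
    $dg = Get-CimInstance @query

    # Turn an array of service ids into readable names; unknown ids are kept.
    $decode = {
        param($ids)
        @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            $id = [int]$_
            if ($services.ContainsKey($id)) { $services[$id] } else { "Service id $id" }
        })
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $decode $dg.SecurityServicesConfigured
        ServicesRunning    = & $decode $dg.SecurityServicesRunning
    }
}

Get-VbsStatus | Format-List
```

A VbsStatus of Running corresponds to the Running value in System Information; ServicesRunning shows whether Memory Integrity itself is active.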
Core Isolation Method to Disable Virtualization Based Security (VBS)
VBS can be disabled from the system settings page named Core Isolation. This is how to change the VBS setting using the GUI. Let’s follow the steps below:
- Click the Search icon on the taskbar
- Type Core Isolation
- Click Open under Core Isolation System Settings
Now you are in the Core Isolation section of Windows Security. Check whether Memory Integrity is on or off. Turn the Memory Integrity toggle off to disable the VBS features.
- Memory Integrity (toggle to Off)
After disabling VBS, a security notification pops up and says, “Restart to apply protection changes.” The recent change to your protection settings requires a restart of your device. Restart the device to apply the changes.
Windows Features Method to Disable Virtualization-Based Security (VBS)
Another way to disable VBS is through Windows Features. This is a more advanced option to disable the Virtualization Based Security settings using the GUI.
- Click on the Search icon on the taskbar.
- Type “Windows Features” in the search box.
- Click on Open under Turn Windows Features on or off to explore Windows features.
The Turn Windows features on or off dialog opens. Find and uncheck the boxes next to Windows Hypervisor Platform, Virtual Machine Platform, and Microsoft Defender Application Guard. Once all of these are unchecked, press OK to complete the process of disabling VBS.
Registry Method to Disable Virtualization-Based Security (VBS)
There is another way to enable or disable VBS completely. This procedure is done using the Registry Editor. Let’s discuss the step-by-step guidelines for it.
Setting Type | Hive | Key | Value Type | Value Name | Value Data |
---|---|---|---|---|---|
Registry | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Control\DeviceGuard | DWORD (32-bit) | EnableVirtualizationBasedSecurity | 0 to Disable, 1 to Enable |
To open the Run window, press Windows Key + R on the keyboard simultaneously. Now, type regedit and click on OK to continue. When Windows asks for administrator permission to make changes to the device, click Yes.
- Windows Key + R (to open the Run command)
- Type 'regedit' and press OK
- At the administrator permission prompt, press Yes.
Now, the Registry Editor opens. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard is the path. Following the trail, I reached the Device Guard sub-folder for a further course of action.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
Clicking on Device Guard shows several options in the right panel. From these options, double-click on EnableVirtualizationBasedSecurity, set the value data to 0, press OK, and restart the device. You have now disabled VBS on your device.
Value of EnableVirtualizationBasedSecurity | Description |
---|---|
0 | Disables virtualization-based security. This is the default OS value. |
1 | Enables virtualization-based security. |
Restart the Windows 11 device after changing the registry values for the change to take effect.
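Because the registry value only takes effect after a restart, it helps to compare what the key says with the state VBS is actually in. The following PowerShell is an added example, not part of the original article: it reads the key and value name from the table above and compares them with the Win32_DeviceGuard runtime state; the function name Test-VbsRegistryDrift is chosen here for illustration.

```powershell
# Added example: compare the EnableVirtualizationBasedSecurity registry
# value with the state VBS is actually in on this device.
function Test-VbsRegistryDrift {
    [CmdletBinding()]
    param(
        # Key and value name as given in the article's table.
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard',
        [string]$ValueName = 'EnableVirtualizationBasedSecurity'
    )

    # Read the DWORD; $null means the key or the value does not exist.
    $data = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $data = $item.$ValueName }
    }

    $configured = if ($null -eq $data) { 'Not set' }
                  elseif ($data -eq 0) { 'Disabled' }
                  elseif ($data -eq 1) { 'Enabled' }
                  else { "Unexpected data: $data" }

    # Runtime state: VirtualizationBasedSecurityStatus 2 means VBS is running.
    $query = @{
        Namespace   = 'root\Microsoft\Windows\DeviceGuard'
        ClassName   = 'Win32_DeviceGuard'
        ErrorAction = 'Stop'
    }
    $running = ([int](Get-CimInstance @query).VirtualizationBasedSecurityStatus -eq 2)

    # A mismatch is expected until the restart the article asks for. One that
    # survives a restart means something other than this value decides the state.
    $mismatch = ($configured -eq 'Disabled' -and $running) -or
                ($configured -eq 'Enabled' -and -not $running)

    [pscustomobject]@{
        RegistryValue = $configured
        VbsRunning    = $running
        Mismatch      = $mismatch
    }
}

Test-VbsRegistryDrift
```

Run on a schedule or from a management tool, a device that reports RegistryValue Disabled where policy expects Enabled is one where VBS has been switched off locally.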
Intune Policy to Disable Virtualization-Based Security VBS on Windows 11
Let’s check the Intune Settings catalog policy options to Enable or Disable Virtualization-Based Security (VBS) on Windows 11 devices. You can go through the Intune Settings Catalog Guide to create the policy in detail. However, for this context, search with the following keyword: EnableVirtualizationBasedSecurity.
NOTE! – More details on Intune settings catalog guide – Create Intune Settings Catalog Policy.
- Search with “EnableVirtualizationBasedSecurity” in the Settings picker search box.
- Select the Device Guard Category.
- Select the Enable Virtualization Based Security option from the Settings name section.
- Set the policy to DISABLED, or to ENABLED if you want to keep it enabled.
NOTE! Restart the Windows 11 device after changing the registry values to take effect.
Group Policy Settings – Disable Virtualization-Based Security (VBS) on Windows 11
You can use Group Policy Settings to Disable Virtualization-Based Security (VBS). You can use this method for Domain Joined devices to automate the entire process. Let’s see how to open it in Group Policy Settings.
- Windows Key + R (to open the Run command)
- Type 'gpedit.msc' and press OK
- GP unique name: EnableVirtualizationBasedSecurity
- GP name: Turn On Virtualization Based Security
- GP path (Mandatory): Administrative Templates/System/Device Guard/
- GP path (Recommended): Administrative Templates/System/Device Guard- Default Settings (users can override)/
- GP ADMX file name:
When the group policy editor opens, follow the path “Local Computer Policy/Computer Configuration/Administrative Templates/System/Device Guard” to reach the proper location to perform the desired task.
Computer Configuration/Administrative Templates/System/Device Guard
After reaching Device Guard, click on it to explore. Select and double-click on the option Turn On Virtualization Based Security. In the next pop-up window, select Disabled, click on Apply, and press OK to continue.
I have also added how to enable Virtualization Based Security (VBS) using group policy settings on Windows 11 devices.
Note! Don’t forget to restart your device after performing the above methods.
Author
Alok is a Master of Computer Applications (MCA) graduate. He loves writing on Windows 11 and related technologies. He likes to share his knowledge, quick tips, and tricks with Windows 11 or Windows 10 with the community.
Has anyone managed to disable credential guard on Windows 11 22H2 OSD (SCCM Task Sequence) yet? On a clean install of W11 22H2 MS enabled it by default (with uefi lock), the registry keys do not seem to matter. If you upgrade to W11 22H2 the keys are honored and it stays disabled.
Thank you 🙂
I followed many other recommendations, but none helped until I read your post.
Thanks for your feedback.
I am getting the same error. Not able to disable VBS on Windows 11 21H2
For me and my newest Windows 11 Canary Release, the Command in CMD | Power Shell “bcdedit /set hypervisorlaunchtype off” is useful, at last.
Try Setting these keys all to 0 first, if a failure then delete the keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RequireMicrosoftSignedBootChain
Delete the key DeviceGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\CachedDrtmAuthIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\Locked
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequireMicrosoftSignedBootChain
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired
Next Disable credential guard from CMD
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
bcdedit /set hypervisorlaunchtype off
dism /online /disable-feature /featurename:Microsoft-hyper-v-all