4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11

Learn how to enable or disable Virtualization-Based Security (VBS) on Windows 11. VBS uses hardware virtualization features to create a region of memory that is isolated from the normal operating system. Windows uses this virtual secure mode to host several security solutions.

Hypervisor-Enforced Code Integrity (HVCI), also called Memory Integrity, uses VBS to enforce code integrity policy. VBS prevents unsigned drivers and system files from being loaded into system memory, and it protects vital system and operating system resources by enforcing restrictions.

VBS protects security assets such as authenticated user credentials and creates a secure environment that can host several security features. It greatly improves platform security and also changes the trust boundaries in a Windows device. As per Microsoft, VBS reduces the impact of kernel viruses and malware attacks.

To improve Windows 11 performance and get a smoother gaming experience, you may need to disable VBS, particularly if you are using a low-end gaming device or an old device upgraded from Windows 10 to Windows 11.

Is it Safe to Disable Virtualization Based Security on Windows 11

After the discussion above, the question arises: “Why would anyone need to disable VBS, a powerful security feature enabled by default in Windows 11?” The answer: according to many tests, it’s clear that VBS lowers your device performance, especially while playing games.

The Advantages and Disadvantages of Disabling VBS on Windows 11

Let’s quickly look at the Advantages Vs. Disadvantages of disabling VBS. We don’t recommend disabling the VBS at all. But if you have a specific scenario where disabling VBS is mandatory, you can use any of the following methods.

| Advantages of Disabling VBS | Disadvantages of Disabling VBS |
|---|---|
| Improves PC performance as well as gaming performance | Weakens the security features of Windows |
| Recommended for low-end gaming PCs and old upgraded PCs | With VBS disabled, the overall PC security may get compromised, and this could break Hyper-V related features |

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Table 1

Checking Status of VBS in Windows 11

There is a simple way to check whether VBS is enabled (active) or disabled (inactive) on Windows 11. Follow the steps below to check the status of Virtualization-Based Security.

  • Click the Search icon on the taskbar
  • Type System Information or msinfo32
  • Click Open under System Information
4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.1.1

The System Information window opens with the System Summary section selected. In System Summary, a list of items and their values appears; scroll down a little to find the item named Virtualization-based security and its value. If the value shows Running, VBS is enabled. If the value shows Not enabled, VBS is disabled on your device.

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.1.2

Core Isolation Method to Disable Virtualization Based Security (VBS)

You can disable VBS from the system setting named Core Isolation. This is how to change the VBS setting using the GUI. Follow the steps below:

  • Click the Search icon on the taskbar
  • Type Core Isolation
  • Click Open under Core Isolation (System settings)
4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.2.1

You are now on the Core Isolation page of Windows Security. Check whether Memory Integrity is on or off, and turn the Memory Integrity toggle off to disable the VBS features.

  • Memory Integrity (toggle to Off)
4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.2.2

After you disable VBS, a security notification pops up and says, “Restart to apply protection changes.” The change to your protection settings requires a restart of your device. Restart the device so that the changes take effect.

Windows Features Method to Disable Virtualization-Based Security (VBS)

Another way to disable VBS is through Windows Features. This is a more advanced option for disabling the Virtualization-Based Security settings using the GUI.

  • Click on the Search icon on the taskbar.
  • Type “Windows Features” in the search box.
  • Click on Open under Turn Windows features on or off to explore Windows features.
4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.3.1

The Turn Windows features on or off dialog opens. Find the options Windows Hypervisor Platform, Virtual Machine Platform, and Microsoft Defender Application Guard, and uncheck the box next to each of them. Once all of them are unchecked, press OK to complete the process of disabling VBS.

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.3.2

Registry Method to Disable Virtualization-Based Security (VBS)

There is another way to enable or disable VBS completely. This procedure is done using the Registry Editor. Let’s discuss the step-by-step guidelines for it.

| Setting Type | Hive | Key | Value Type | Value Name | Value Data |
|---|---|---|---|---|---|
| Registry | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Control\DeviceGuard | DWORD (32-bit) | EnableVirtualizationBasedSecurity | 0 to Disable, 1 to Enable |

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Table 2

To open the Run window, press Windows Key + R on the keyboard simultaneously. Now type regedit and click OK to continue. When Windows asks for administrator permission to make changes to the device, click Yes.

  • Windows Key + R (to open the Run command)
  • Type 'regedit' and press OK
  • When asked for administrator permission, press Yes.
4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.4.1

The Registry Editor now opens. Navigate to the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard to reach the DeviceGuard key, where the next step takes place.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11- Fig.4.2

Clicking on DeviceGuard shows several values in the right panel. Double-click on EnableVirtualizationBasedSecurity, set the value data to 0, press OK, and restart the device. You have now disabled VBS on your device.

| Value of EnableVirtualizationBasedSecurity | Description |
|---|---|
| 0 | Disables virtualization-based security. This is the default OS value. |
| 1 | Enables virtualization-based security. |

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Table 3

Restart the Windows 11 device after changing the registry values so that they take effect.

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.4.2

Intune Policy to Disable Virtualization-Based Security VBS on Windows 11

Let’s check the Intune Settings catalog policy options to enable or disable Virtualization-Based Security (VBS) on Windows 11 devices. You can go through the Intune Settings Catalog Guide to create the policy in detail. For this context, search with the following keyword: EnableVirtualizationBasedSecurity.

NOTE! – More details are in the Intune settings catalog guide: Create Intune Settings Catalog Policy.

  • Search with “EnableVirtualizationBasedSecurity” in the Settings picker search box.
  • Select the Device Guard Category.
  • Select the Enable Virtualization Based Security option from the Settings name section.
  • Set the policy to DISABLED, or to ENABLED if you want to keep VBS enabled.

NOTE! Restart the Windows 11 device after changing the registry values to take effect.

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 -Fig.4.3

Group Policy Settings – Disable Virtualization-Based Security (VBS) on Windows 11

You can use Group Policy Settings to Disable Virtualization-Based Security (VBS). You can use this method for Domain Joined devices to automate the entire process. Let’s see how to open it in Group Policy Settings.

  • Windows Key + R (to open the Run command)
  • Type 'gpedit.msc' and press OK
4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 - Fig.5.1
  • GP unique name: EnableVirtualizationBasedSecurity
  • GP name: Turn On Virtualization Based Security
  • GP path (Mandatory): Administrative Templates/System/Device Guard/
  • GP path (Recommended): Administrative Templates/System/Device Guard- Default Settings (users can override)/
  • GP ADMX file name:

When the group policy editor opens, follow the path “Local Computer Policy/Computer Configuration/Administrative Templates/System/Device Guard” to reach the proper location to perform the desired task.

Computer Configuration/Administrative Templates/System/Device Guard

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 - Fig.5.2

After reaching Device Guard, click on it to explore. Select and double-click the option Turn On Virtualization Based Security. In the next pop-up window, check the box adjacent to Disable, click on Apply, and press OK to continue.

I have also added how to enable Virtualization Based Security (VBS) using group policy settings on Windows 11 devices.

Note! Don’t forget to restart your device after performing the above methods.

4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11 - Fig.5.3
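
The status check, the registry value and the Group Policy setting described above can be audited together from PowerShell, which helps confirm after a restart that the configured state and the running state agree. This is an added example, not code from the original article; it only reads state, and it assumes that the Win32_DeviceGuard CIM class is available and that a value under the Policies key overrides the local one.

```powershell
# Added example: read-only audit of VBS state; it changes no setting.
$statusText  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$serviceText = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

function Get-VbsRegistryValue {
    param([string]$Path, [string]$Name = 'EnableVirtualizationBasedSecurity')
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-VbsAudit {
    # Effective state, as reported by the Win32_DeviceGuard CIM class.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    $status = [int]$dg.VirtualizationBasedSecurityStatus  # cast: hashtable keys are Int32

    # Configured state: local value (Registry method) and Group Policy value.
    $local  = Get-VbsRegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $policy = Get-VbsRegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    # Assumption: a value under Policies overrides the local one.
    $configured = if ($null -ne $policy) { $policy } else { $local }

    $services = foreach ($id in $dg.SecurityServicesRunning) {
        $n = [int]$id
        if ($n -eq 0) { continue }                        # 0 = no service running
        if ($serviceText.ContainsKey($n)) { $serviceText[$n] } else { "Service id $n" }
    }

    $finding = if ($null -eq $configured) {
        'No explicit registry or policy value is set'
    } elseif ($configured -eq 0 -and $status -eq 2) {
        'Configured off but running: restart pending, or a UEFI lock or another setting keeps VBS on'
    } elseif ($configured -eq 1 -and $status -ne 2) {
        'Configured on but not running: restart pending or hardware requirements not met'
    } else {
        'Configured state and effective state agree'
    }

    [pscustomobject]@{
        VbsStatus       = $statusText[$status]
        ServicesRunning = $services -join ', '
        LocalValue      = $local
        PolicyValue     = $policy
        Finding         = $finding
    }
}

Get-VbsAudit | Format-List
```

The causes named in the Finding strings are possibilities to investigate, not a diagnosis; the script reports only the mismatch itself.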

Author

Alok is a Master of Computer Applications (MCA) graduate. He loves writing on Windows 11 and related technologies. He likes to share his knowledge, quick tips, and tricks with Windows 11 or Windows 10 with the community.

6 thoughts on “4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11”

  1. Has anyone managed to disable credential guard on Windows 11 22H2 OSD (SCCM Task Sequence) yet? On a clean install of W11 22H2 MS enabled it by default (with uefi lock), the registry keys do not seem to matter. If you upgrade to W11 22H2 the keys are honored and it stays disabled.

  2. For me and my newest Windows 11 Canary Release, the Command in CMD | Power Shell “bcdedit /set hypervisorlaunchtype off” is useful, at last.

  3. Try Setting these keys all to 0 first, if a failure then delete the keys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RequireMicrosoftSignedBootChain
    Delete the key DeviceGuard
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\CachedDrtmAuthIndex
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\Locked
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequireMicrosoftSignedBootChain
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired

    Next Disable credential guard from CMD
    mountvol X: /s
    copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
    bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
    bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
    mountvol X: /d
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
    bcdedit /set vsmlaunchtype off
    bcdedit /set hypervisorlaunchtype off
    dism /online /disable-feature /featurename:Microsoft-hyper-v-all
