Ever since I enabled Hyper-V on Windows 10 it seems I have had VBS enabled:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

returns

VirtualizationBasedSecurityStatus : 2

Upgraded to Windows 11 yesterday and nothing changed in any significant way. VMware Workstation 16 runs on top of Hyper-V, bitches about side channel mitigations - but that's just a checkbox in the VM settings. Beyond that everything seems to run fine (on i7 8700K / 64 GB RAM). Granted, performance under Hyper-V is some 10-15% worse than it was under VMware's own virtualizer back in Workstation 15, but that's mostly an optimization thing and could be ironed out eventually with future versions. I haven't experienced anything else game-breaking, like not being able to modify settings or crashes or whatever. I don't use VirtualBox but I used to run BlueStacks on Hyper-V as well, which uses VirtualBox.

There's some in-depth info here:

Code:
Disable Virtualization-Based Security Without Disabling Hyper-V - Microsoft Q&A
docs.microsoft.com/en-us/answers/questions/245071/disable-virtualization-based-security-without-disb.html

on how to actually disable it while keeping Hyper-V in case you need it like I do. But it sounds like too much of a pain to go through so I'll pass and use it like it is.
Judges ignore unreasonable terms that they find unreasonable all the time. Not saying they'll ignore this one, just sayin'.
did anyone ever find a way to disable VBS without turning off Hyper-V ? the only method that works is doing the bcd edit to opt out of CG and VBS. but the downside is it only lasts one boot to the desktop and then is back on the next boot. also you have to press some keys to opt out when booting. why does windows ignore the registry entry EnableVirtualizationBasedSecurity ?
Yea. You need it to disable Memory integrity in Defender and also use the reg key given on this topic. Disables VBS for good and also gets me 10-20% more fps and my PC remains damn cool under heavy gaming.
i have memory integrity disabled but msinfo32 still says vbs is running. also Lsaiso is still running as it's in task manager along with secure system. uninstalling hyper-v disables it all but that's not ideal if you want to use hyper-v. i found out bcdedit has a persistbootsequence option which i tried in a virtual machine with vbs running but it causes a boot loop of the opt out screens and never carries on booting. i assumed it would cause the opt out to appear on every boot but it just sends it into a loop...

edit, removing the IsolatedUserMode packages disables vbs and lsaisolation. install_wim_tweak still has its uses! will do some more testing to see if hyper-v still functions properly. msinfo32 says vbs = not enabled and taskmanager no longer has lsaiso.exe or secure system processes. which is what you get when hyper-v isn't installed.
for testing wimtweak may be useful but it causes dism errors as it doesn't hide packages back properly, try cbsenum instead
ah i forgot about that tool, haven't used it in ages. will switch to that instead. funnily enough removing Microsoft-OneCore-IsolatedUserMode-Package does not remove lsaiso.exe which remains in system32 and in the component store / winsxs so it removes something else, i don't know what though... is there some way to log what it's removing? does cbsenum log?
I don't think it can produce a log file. Only a message if removing the package was successful or not. Also better to remove a few packages at once and reboot sometimes. Run reset base; if it shows an error it means cbsenum didn't remove the package properly, so go back to the last one you removed and remove it again. As far as I know cbsenum was built on wimtweak as a base, with a GUI. Also if you use it against 24H2, updates will stop working, I mean you won't be able to install security updates. Don't know how to bypass that.
just realised i forgot to include the policies...

Code:
Windows Registry Editor Version 5.00

;EnableVirtualizationBasedSecurity = 2 means disabled, 0 is not disabled, so i guess it's like the bottom
;where 2 also means disabled
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
"RequirePlatformSecurityFeatures"=dword:00000001
"EnableVirtualizationBasedSecurity"=dword:00000002
"HypervisorEnforcedCodeIntegrity"=dword:00000000
"LsaCfgFlags"=dword:00000000
"ConfigureSystemGuardLaunch"=dword:00000002
Does it matter, when msinfo32 reports that Hyper V is enabled, when the feature/virtualization is disabled?
no, because vbs is just something that runs on virtualization. no hyper-v, no vbs. now you can use hyper-v without vbs / lsaiso always running.
In most recent versions (e.g., 26100.2605) I always get the insane "a hypervisor has been detected". VBS / DriveGuard is definitely off. But HV loads and that prevents VMware Workstation from running nested VMs (i.e., ESXi 8). Really none of the googled hints worked.
Does

Code:
bcdedit /set hypervisorlaunchtype off

or

Code:
dism.exe /Online /Disable-Feature:Microsoft-Hyper-V

from an Administrator command line + following reboot work?
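
Added example, not part of any post in this thread: a read-only PowerShell check that gathers in one place the signals the posters compare by hand (the Win32_DeviceGuard query, the LsaIso and Secure System processes, the DeviceGuard policy values, and whether the hypervisor itself loaded). The function name Get-VbsState is made up for this example; run it elevated, since bcdedit needs administrator rights.

```powershell
# Added example (not from the thread): report VBS state from independent sources.
function Get-VbsState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Documented meanings of VirtualizationBasedSecurityStatus
    $statusText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    # Documented meanings of SecurityServicesConfigured / SecurityServicesRunning entries
    $serviceText = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
                      3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $decode = {
        param($ids)
        foreach ($id in @($ids)) {
            # CIM returns UInt32; cast to int so the lookup matches the Int32 keys
            $name = $serviceText[[int]$id]
            if ($name) { $name } else { "Unknown ($id)" }
        }
    }

    # Policy key from the .reg file posted above; values are $null when not set
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # Boot setting that decides whether the Windows hypervisor loads at all
    $bcd = bcdedit /enum '{current}' 2>$null |
        Select-String -Pattern 'hypervisorlaunchtype' | Select-Object -First 1

    [pscustomobject]@{
        VbsStatus            = $statusText[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = (& $decode $dg.SecurityServicesConfigured) -join ', '
        ServicesRunning      = (& $decode $dg.SecurityServicesRunning) -join ', '
        # True when any hypervisor is active, even with VBS off
        HypervisorPresent    = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
        HypervisorLaunchType = if ($bcd) { ($bcd.Line.Trim() -split '\s+')[-1] }
                               else { 'not set (or not elevated)' }
        LsaIsoRunning        = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        SecureSystemRunning  = [bool](Get-Process -Name 'Secure System' -ErrorAction SilentlyContinue)
        PolicyEnableVbs      = $policy.EnableVirtualizationBasedSecurity
        PolicyHvci           = $policy.HypervisorEnforcedCodeIntegrity
        PolicyLsaCfgFlags    = $policy.LsaCfgFlags
    }
}

Get-VbsState | Format-List
```

HypervisorPresent reporting True while VbsStatus reads "Not enabled" is the situation described in the post about 26100.2605: the hypervisor has loaded even though VBS is off.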