here's the definitive way to disable vbs but keep hyper-v installed / enabled. Code: ; RequirePlatformSecurityFeatures for vbs to be enabled/running ; ffffffff = disables vbs, ; 0 = no requirements, ; 1 = secure boot, ; 2 = bvs/dma protect, ; 3 = bvs/secure boot/dma protect [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] "RequirePlatformSecurityFeatures"=dword:ffffffff "EnableVirtualizationBasedSecurity"=dword:00000000 "HyperVVirtualizationBasedSecurityOptout"=dword:00000001 HyperVVirtualizationBasedSecurityOptout seems newish, only found out about that setting recently. disables vbs without editing RequirePlatformSecurityFeatures but editing it as well works without issues. 0 = nothing extra needed to enable vbs 1 = requires secure boot only as extra requirement to enable vbs 2 & 3 = requires extra properties tested on hyper-v with nested virtualiztion + secure boot on. without HyperVVirtualizationBasedSecurityOptout, EnableVirtualizationBasedSecurity is ignored.
Heh, I just created this today after I ripped the security app so there's no GUI left to toggle the switches Code: Windows Registry Editor Version 5.00 ; Disable Memory Integrity (HVCI) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity] "Enabled"=dword:00000000 ; Disable Virtualization-Based Security (VBS/Core Isolation) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard] "EnableVirtualizationBasedSecurity"=dword:00000000 ; Disable Credential Guard/LSA Protection [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "LsaCfgFlags"=dword:00000000
I've toiled over this for years, and it seems the answer is not so black and white. From what I can tell, these otherwise inexplicable changes are the result of a corporation exploiting an ecosystem it has direct control over in such a way that complies with the governments that have control over it. So this is a consequence of capitalism and statistical governance architected by old guys who turn to industry professionals to explain new technology to them when those professionals include ones selected by the same corporations gaming the system. Most directly, these recent Windows changes seem to be in response to mandates and other governmental moves to assert control over a majority of computer systems to limit their capability and use them for surveillance. The reason we're still able to configure the system the way we want is because we are a small minority, and for now the government's focus is on wrangling the majority. For now.