Microsoft 'will be enabling VBS on most new PCs over this next year' and that can tank performance

Discussion in 'Windows 11' started by k3lt, Oct 2, 2021.

  1. fafner

    fafner MDL Novice

    Oct 14, 2009
    4
    0
    0
    Nope. Not here. Tried everything I could find (including those two and a loooot more). :waycon1:
     
  2. biorpg

    biorpg MDL Novice

    Jul 18, 2010
    38
    15
    0
    Hanlon sounds kinda dumb, tbh
     
  3. Jean D

    Jean D MDL Novice

    Nov 10, 2023
    1
    0
    0
    Is it possible to disable on IOT LTSC ? easily
     
  4. RanCorX2

    RanCorX2 MDL Expert

    Jul 19, 2009
    1,032
    585
    60
    here's the definitive way to disable vbs but keep hyper-v installed / enabled.

    Code:
    ; RequirePlatformSecurityFeatures for vbs to be enabled/running
    ; ffffffff = disables vbs,
    ; 0 = no requirements,
    ; 1 = secure boot,
    ; 2 = bvs/dma protect,
    ; 3 = bvs/secure boot/dma protect
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
    "RequirePlatformSecurityFeatures"=dword:ffffffff
    "EnableVirtualizationBasedSecurity"=dword:00000000
    "HyperVVirtualizationBasedSecurityOptout"=dword:00000001
    
    HyperVVirtualizationBasedSecurityOptout seems newish, only found out about that setting recently.
    disables vbs without editing RequirePlatformSecurityFeatures but editing it as well works without issues.

    0 = nothing extra needed to enable vbs
    1 = requires secure boot only as extra requirement to enable vbs
    2 & 3 = requires extra properties

    tested on hyper-v with nested virtualiztion + secure boot on.

    without HyperVVirtualizationBasedSecurityOptout, EnableVirtualizationBasedSecurity is ignored.
     
  5. ceo54

    ceo54 MDL Addicted

    Aug 13, 2015
    969
    466
    30
    Heh, I just created this today after I ripped the security app so there's no GUI left to toggle the switches

    Code:
    Windows Registry Editor Version 5.00
    
    ; Disable Memory Integrity (HVCI)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
    "Enabled"=dword:00000000
    
    ; Disable Virtualization-Based Security (VBS/Core Isolation)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
    "EnableVirtualizationBasedSecurity"=dword:00000000
    
    ; Disable Credential Guard/LSA Protection
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LsaCfgFlags"=dword:00000000
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. ceo54

    ceo54 MDL Addicted

    Aug 13, 2015
    969
    466
    30
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. biorpg

    biorpg MDL Novice

    Jul 18, 2010
    38
    15
    0
    I've toiled over this for years, and it seems the answer is not so black and white.
    From what I can tell, these otherwise inexplicable changes are the result of a corporation exploiting an ecosystem it has direct control over in such a way that complies with the governments that have control over it. So this is a consequence of capitalism and statistical governance architected by old guys who turn to industry professionals to explain new technology to them when those professionals include ones selected by the same corporations gaming the system.
    Most directly, these recent Windows changes seem to be in response to mandates and other governmental moves to assert control over a majority of computer systems to limit their capability and use them for surveillance.
    The reason we're still able to configure the system the way we want is because we are a small minority, and for now the government's focus is on wrangling the majority.
    For now.