Hi, does anyone know how to disable virtualization based security on Server 2025 without also disabling the Hyper-V subsystem altogether? In previous versions of Windows Server it was as simple as setting the group policy, but it does not appear to have any effect on Server 2025 and it forcibly enables the feature regardless. I've tried the various registry edits like EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures as well as:

Code:
    Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Key name: LsaCfgFlags
    Type: REG_DWORD
    Value: 0

    Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
    Key name: LsaCfgFlags
    Type: REG_DWORD
    Value: 0

And also of course the bootloader overrides like:

Code:
    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
    bcdedit /set vsmlaunchtype off

Using citool.exe I can see the VBS code integrity policy but I cannot remove it. Is there perhaps a way to remove it from an offline image, since it won't allow removing it online? The only thing that works is the Microsoft DG_Readiness_Tool script, but that is not a usable solution because it requires manual intervention during bootup and it must be run on every boot because it does not persist. I am all out of ideas. Has anyone else figured this out? Thanks in advance.
Replying to my own thread with a fix I found courtesy of RanCorX2 on the Windows 11 forum. This fixes the issue and as a nice side-effect the system is noticeably snappier (for reference: dual Skylake Xeon 8160, total 48 cores/96 threads + 1.5TB RAM). Haven't tested the performance improvement yet or managed to narrow down the registry settings to figure out which parts are not needed, but the following script (made from two of RanCorX2's posts) works.

Code:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
    "Unlocked"=dword:00000001
    "Locked"=dword:00000000
    "RequirePlatformSecurityFeatures"=dword:00000001
    "LsaCfgFlags"=dword:00000000
    "EnableVirtualizationBasedSecurity"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities]
    "CG_Capable"=dword:00000000
    "DG_Capable"=dword:00000000
    "HVCI_Capable"=dword:00000000
    "OSSKU"=dword:00000000
    "SecureBoot"=dword:00000000
    "Virtualization"=dword:00000000
    "TPM"=dword:00000000
    "SecureMOR"=dword:00000000
    "UEFINX"=dword:00000000
    "SMMProtections"=dword:00000000
    "HyperVEnabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks]
    "Enabled"=dword:00000000

    ; EnableVirtualizationBasedSecurity = 2 means disabled, 0 is not disabled, so I guess it's like the bottom
    ; where 2 also means disabled
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
    "RequirePlatformSecurityFeatures"=dword:00000001
    "EnableVirtualizationBasedSecurity"=dword:00000002
    "HypervisorEnforcedCodeIntegrity"=dword:00000000
    "LsaCfgFlags"=dword:00000000
    "ConfigureSystemGuardLaunch"=dword:00000002
Assuming you don't even want Hyper-V and the features that depend on Hyper-V like WSL2 etc., you can simply prevent the hypervisor from loading at boot entirely with:

Code:
    bcdedit /set hypervisorlaunchtype off

Then the virtualisation instructions should be available for other software to use. I personally use this with VMware Workstation on several of my machines since it doesn't support nested virtualisation under Hyper-V, but does support it running its own virtualisation engine.
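Whichever of the approaches in this thread is applied (the registry script in the second post or the bcdedit settings in the first and third), the useful follow-up is to verify what Windows itself reports rather than trusting the registry edit. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It reads the documented Win32_DeviceGuard CIM class for the live VBS, Credential Guard and HVCI state, lists the registry values the posts set, and parses the current boot entry for hypervisorlaunchtype and vsmlaunchtype. It assumes an elevated PowerShell session on the machine being checked; the function name Get-VbsAuditReport and the status decoding tables are this example's own.

```powershell
# Added example (not from the thread): report the VBS / Credential Guard / HVCI state
# Windows reports, the registry values discussed above, and the boot-loader settings,
# so a change can be verified after a reboot rather than assumed. Run elevated.

function Get-BcdValue {
    # Pull one BCD element value out of 'bcdedit /enum' text output.
    # Element names such as hypervisorlaunchtype are not localised.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match ("^{0}\s+(\S+)" -f [regex]::Escape($Name))) { return $Matches[1] }
    }
    return $null
}

function ConvertTo-SecurityServiceName {
    # Decode the numeric identifiers used by SecurityServicesConfigured/Running.
    param([uint32[]]$Ids)
    $names = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor-enforced Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    @($Ids | ForEach-Object {
        if ($names.ContainsKey([int]$_)) { $names[[int]$_] } else { "Service id $_" }
    })
}

function Get-VbsAuditReport {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard is the documented CIM view of VBS state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Registry locations and value names referenced in the thread.
    $regPaths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $valueNames = 'EnableVirtualizationBasedSecurity', 'RequirePlatformSecurityFeatures',
                  'LsaCfgFlags', 'HypervisorEnforcedCodeIntegrity', 'ConfigureSystemGuardLaunch'
    $regValues = foreach ($path in $regPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $valueNames) {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Path = $path; Name = $name; Value = $props.$name }
            }
        }
    }

    # Boot-loader settings for the entry that booted this session (braces quoted
    # so PowerShell does not parse them as a script block).
    $bcd = & bcdedit /enum '{current}' 2>$null
    $hvLaunch  = Get-BcdValue -Lines $bcd -Name 'hypervisorlaunchtype'
    $vsmLaunch = Get-BcdValue -Lines $bcd -Name 'vsmlaunchtype'

    [pscustomobject]@{
        VbsStatus                  = $vbsStatus
        SecurityServicesConfigured = ConvertTo-SecurityServiceName $dg.SecurityServicesConfigured
        SecurityServicesRunning    = ConvertTo-SecurityServiceName $dg.SecurityServicesRunning
        HypervisorLaunchType       = if ($hvLaunch)  { $hvLaunch }  else { '(not set; default is Auto)' }
        VsmLaunchType              = if ($vsmLaunch) { $vsmLaunch } else { '(not set)' }
        RegistryValues             = $regValues
    }
}

$report = Get-VbsAuditReport
$report | Select-Object VbsStatus, SecurityServicesConfigured, SecurityServicesRunning,
                        HypervisorLaunchType, VsmLaunchType | Format-List
$report.RegistryValues | Format-Table -AutoSize
```

The value to watch is SecurityServicesRunning: a registry change that only moves SecurityServicesConfigured has not taken effect yet, and on a machine where VbsStatus still reads Running after a reboot the lock (UEFI-backed or policy) is still in place, which is exactly the situation the first post describes. The same report, taken before the change, is also what you would keep as the record of which protections were on.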