VMware Workstation


Windows 11 24h2 host - how to disable Virtual Based Security

  • 1.  Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Nov 14, 2024 09:33 AM

    Trying to switch from a Windows 2025 host to Windows 11 24h2 host. AMD 8840U hardware. Done registry changes. Done Security Core setting change. Done BCDEDIT changes. Done GPO changes on Devguard. Best case was to disable SVM in BIOS. And that only turned out to be VBS enabled but not running. What can I do to DISABLE VBS in Windows 11 24h2?



  • 2.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Dec 04, 2024 04:55 PM

    Download this PowerShell script and run as admin with the -disable option
    Download Device Guard and Credential Guard hardware readiness tool from Official Microsoft Download Center




  • 3.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Jun 07, 2025 05:02 AM

    Thank you very much, this worked for me on Win 11 Pro




  • 4.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Dec 12, 2024 05:00 PM

    Hi guys, do it with me:

    1/ Disable Credential Guard with Registry settings
           Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
           Key name: LsaCfgFlags
           Type: REG_DWORD
           Value: 0


           Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
           Key name: LsaCfgFlags
           Type: REG_DWORD
           Value: 0

    2/ Disable Credential Guard with UEFI lock, run Windows Command Prompt as administrator
           mountvol X: /s
           copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
           bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
           bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
           bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
           bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
           bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
           mountvol X: /d

    3/ Disable VBS with Registry settings, Delete the following registry keys:
           Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
           Key name: EnableVirtualizationBasedSecurity

           Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
           Key name: RequirePlatformSecurityFeatures

    4/ Run Windows Command Prompt as administrator
           bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
           bcdedit /set vsmlaunchtype off

    5/ Open Group policies editor 

    Computer Configuration -> Administrative Templates -> System -> Device Guard -> select "Turn On Virtualization Based Security" and choose the "Disable" option.

    6/ Turn off all options in Core isolation of windows 11 24h2
    Windows start -> core isolation -> Turn off all options

    7/ Windows Start -> In Windows 11 features, uncheck: Hyper-V, Virtual Machine Platform, Windows Subsystem for Linux

    8/ Restart PC
    Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking for confirmation. (Press F3 and press enter to continue).




  • 5.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Dec 13, 2024 08:07 AM

    Hi Danh,

    You are really an angel; it works for me and Eve-ng is working perfectly.




  • 6.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Dec 13, 2024 10:09 AM

    Excellent post.   Item 4 of particular interest.   Windows 11 24h2 boot partition does a check and enables VBS at boot time.    But the GUID in item 4 disables that.  If that does not happen for you, you can go the long route and use dgreadiness 1st, and then issue commands to alter the boot record.




  • 7.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Jan 01, 2025 11:04 PM

    Sadly, none of this worked for me.  No matter what I try, Virtualization-based security refuses to disable.  Workstation in turn won't run certain VMs, and some others run rather poorly.  I'm running 24H2 on an HP Elitebook G9




  • 8.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Jan 07, 2025 09:04 AM

    Hi,

    Disabling "Secure Boot" in my BIOS was necessary in my case (HP ZBook computer). Otherwise VBS was still running (loadoptions didn't disable it).




  • 9.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Feb 01, 2025 10:21 AM

    Thank you so much, only your post was able to help from all over the Internet




  • 10.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Feb 24, 2025 12:40 PM

    Thanks Danh, you're a life saver.




  • 11.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Mar 06, 2025 03:28 PM
    Danh Nguyen, thanks for your help. My laptop has an AMD processor but the problem was that when I rebooted my laptop, the Virtual Based Security was enabled again. The solution was to disable HV Host Service:

    Step 1: right-click "This PC", click "Manage", jump to the interface of "Computer Management" - "Service and Applications" - "Services", find "HV Host Service"

    Step 2: double click "HV Host Service", change the Startup type into "Manual" or "Disable", then click "OK".




  • 12.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Jun 13, 2025 08:55 AM

    With a Secure Core computer running Pro or Enterprise versions of Windows - this only lasts to the next reboot.

    -Stickybit




  • 13.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 20 hours ago
    Edited by Sunil Kumar J 18 hours ago

    Scheduling this script in Task Scheduler to execute at startup will disable this virtualization security permanently.

    Example:
    After downloading dgreadiness_v3.6, extract it, schedule it via Task Scheduler, and select to execute at startup:

    C:\Users\sunil\Downloads\dgreadiness_v3.6\dgreadiness_v3.6\DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot




  • 14.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 18 days ago

    Post #4 worked for me, thank you Danh!

    I skipped step 1 because the first key path had a slightly different key name: "LsaCfgFlagsDefault", and the second key path Key Name was not there.

    1/ Disable Credential Guard with Registry settings
           Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
           Key name: LsaCfgFlags       << different name
           Type: REG_DWORD
           Value: 0


           Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
           Key name: LsaCfgFlags    << not present
           Type: REG_DWORD
           Value: 0

    Note I am using an HP Z book so I also disabled secure boot in the BIOS.  (restart PC, press ESC until menu comes up, go to advanced, boot options)




  • 15.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 4 days ago

    Your instructions were the only helpful settings that really helped me after I tried infinite tutorials, videos and so on. I'm very thankful. 😎




  • 16.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 2 days ago

    You sir, are a time saver! Cisco CML VM now boots in VMWare Workstation with no issues!

    Thank you! 




  • 17.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 20 hours ago

    I do not know who you are or where you are. All I can say is that you are simply a genius. I have done 4 days of research online to get around this and watched several YouTube videos. None of them proved to be successful. But your approach is technical and on point.

    Thank you so much!! I almost threw away my PC




  • 18.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 18 hours ago
    Thanks, good to hear that the issue is resolved.

    Thanks and Regards
    Sunilkumar J




  • 19.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted Jan 07, 2025 04:08 PM

    Someone on the Windows 11 board posted this to disable VBS. Have not tried it yet. If it does work it is a simple solution, but I do not know if there are any side effects.

    In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello, set the DWORD parameter "Enabled" to 0.
    Restart PC. VBS should be turned off.
     




  • 20.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted May 26, 2025 10:23 AM
    Edited by byd2k May 26, 2025 10:24 AM

    Thanks!  This worked for me.  I just lost about 5 hours of my life on this.  

    Here's the summary for others...  

    Windows 11 is enabled to install the latest updates automatically. For my PC, this must have happened sometime in early May 2025.
    Running Workstation version pre-Broadcom 17.x
    Upgrade Workstation to the latest version (think I was a few numbers below the second octet)- did not help
    Ran the above items that I found elsewhere on the net (mostly for Win 10) - did not help
    Ran system restore, did not help - Maybe it would have if I had restored back to a pre May 2025 time period.
    Finally ran "In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello    DWORD parameter "Enabled" to 0"  - It worked!

    I'm not sure if this, in combination with all of the previous items, was required to resolve.  

    Broadcom - Please create an executable for this!  Thank you all for your posts above to resolve this issue.  




  • 21.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted May 29, 2025 05:26 PM

    Thank you byd2k, this single WindowsHello thing worked for me after a lot of time wasted. I would have never guessed it. Also, after rebooting I got a semi-scary login experience because "something was wrong with my pin". This might happen if you use Windows Hello. Just log in with your password, and I managed by disabling my pin entirely.




  • 22.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 29 days ago

    Did you perhaps create the key yourself?
    Sadly I couldn't find it in regedit so I created it myself and it didn't work.
    VBS is still running.




  • 23.  RE: Windows 11 24h2 host - how to disable Virtual Based Security

    Posted 13 days ago

    Greetings to all. I've been trying several itineraries and have managed to figure it out. Some things aren't necessary, and others are important. Here's what I did, with some links for reference.

    I started by turning off BitLocker on the C: drive and changing the boot, disabling Secure Boot, restarting after this.


    Open "Turn Windows features on or off":

    • Container Server : disable
    • Containers : disable
    • Hyper-V : disable
    • Virtual Machine Platform : disable
    • Windows Hypervisor Platform : disable
    • Windows Sandbox : disable
    • Windows Subsystem for Linux : disable


    Using bcdedit tool:

    It has a Boot Manager bootstrap block and a Boot Loader block for loading Windows 11.

    Help
      https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-boot-entries

    • Record the previous state
      bcdedit /v > bcdedit_antes_alter.txt
      bcdedit /export "bcdedit_export.bcd"
    • View current status
      bcdedit /enum
    • Copy the Boot Loader block to a new block, as a backup
      bcdedit /copy {current} /d "Windows 11 original"
    • Remove (if present) the isolated context from the Boot Manager
      bcdedit /deletevalue {bootmgr} isolatedcontext
    • Adjust the original Boot Loader entry
      bcdedit /set {default} isolatedcontext No
      bcdedit /set {default} vsmlaunchtype off
    • I didn't need to do this
      bcdedit /set {default} loadoptions DISABLE-LSA-ISO,DISABLE-VBS

    Once everything is working, we can delete the second entry and keep the original one that was changed

    If Windows stops booting with the above changes,

    See
        https://www.tenforums.com/tutorials/163900-backup-restore-boot-configuration-data-bcd-store-windows.html
    and
        https://www.digitalcitizen.life/command-prompt-fix-issues-your-boot-records/
    and
         https://woshub.com/how-to-rebuild-bcd-file-in-windows-10/

    Virtualization Based Security in group policies

    (gpedit.msc, at Computer Configuration -> Administrative Templates -> System -> Device Guard, "Turn On Virtualization Based Security")

    I didn't change it, leaving the default "Not configured." 

    regedit

    -In Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
     LsaCfgFlags              Delete
     LsaCfgFlagsDefault  Keep, value 0

    -In Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
     EnableVirtualizationBasedSecurity        Delete
     RequirePlatformSecurityFeatures          Delete
     HyperVVirtualizationBasedSecurityOptOut  Delete
     WasEnabledBy                             Delete

    -At each "key" (folder)
     Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\<name>\
     Enabled : if exists and is not zero, change to 0 
     (HypervisorEnforcedCodeIntegrity, WindowsHello, etc)

    In Services

    The "HV Host Service" service had a Startup Type of Manual.
    There was no need to change its configuration. It is only activated when Virtual Secure Mode (VSM) / Virtual-based Security (VBS) is enabled. If it is successfully disabled, the service's status remains blank (not running).

    In Windows settings:

    Menu -> Settings -> Privacy & Security -> Windows Security -> Device Security ->
    Core Isolation

    • Memory Integrity, needs to be set to "Off"
    • Kernel-mode Hardware-enforced Stack Protection was off and locked
      (it also requires Memory Integrity to be enabled)
    • Local Security Authority protection, can be set to "on" (no conflict)
    • Microsoft Vulnerable Driver Blocklist, can be set to "on"

    Reboot, choose the old boot entry

    To check that Virtualization-based security has been turned off:

        System Information

    • Open the System Information app
    • Select System Summary in the left pane
    • In the list on the right, see the "Virtualization-based security" value;
      it cannot be "Running."

        And on the VM logs, after starting a VM:

    • Open C:\<VM path>\<VM name>\vmware.log
    • Look for a line like 2025-(...) vmx Monitor Mode
    • It should indicate Monitor Mode: CPL0 (Current Privilege Level 0)
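
A read-only check of the state this thread changes, added here as an example (not posted by any participant and not a VMware or Microsoft script): it reports the effective VBS status from the Win32_DeviceGuard CIM class next to the registry values, BCD elements and HV Host Service named in the posts, so the same run can confirm that VBS is off or, later, that it and Credential Guard are back on. The function names `Read-RegValue` and `Get-VbsAudit` are made up for this example.

```powershell
# Added example: read-only audit of the VBS settings named in this thread.
# Run from an elevated PowerShell prompt on the Windows host; it changes nothing.

function Read-RegValue($Path, $Name) {
    # Returns one row; a missing key or value is reported as "(absent)".
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Source = $Path -replace '^.*::', ''      # strip the provider prefix from PSPath
        Item   = $Name
        Value  = if ($null -eq $v) { '(absent)' } else { $v }
    }
}

function Get-VbsAudit {
    # 1. Effective state as reported by the Win32_DeviceGuard CIM class.
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{ Source = 'Win32_DeviceGuard'; Item = 'VirtualizationBasedSecurityStatus'
                       Value  = "$vbs ($($vbsText[$vbs]))" }
    [pscustomobject]@{ Source = 'Win32_DeviceGuard'; Item = 'SecurityServicesRunning'
                       Value  = ($dg.SecurityServicesRunning -join ',') }  # 1 = Credential Guard, 2 = HVCI

    # 2. Registry values the posts set or delete.
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    Read-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
    Read-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlagsDefault'
    Read-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' 'LsaCfgFlags'
    Read-RegValue $dgKey 'EnableVirtualizationBasedSecurity'
    Read-RegValue $dgKey 'RequirePlatformSecurityFeatures'
    Get-ChildItem "$dgKey\Scenarios" -ErrorAction SilentlyContinue |
        ForEach-Object { Read-RegValue $_.PSPath 'Enabled' }

    # 3. BCD elements on the running boot entry that the posts edit with bcdedit.
    bcdedit /enum '{current}' |
        Select-String '^(vsmlaunchtype|isolatedcontext|loadoptions)\s+(.*)$' |
        ForEach-Object {
            $g = $_.Matches[0].Groups
            [pscustomobject]@{ Source = 'BCD {current}'; Item = $g[1].Value; Value = $g[2].Value.Trim() }
        }

    # 4. HV Host Service (service name HvHost), mentioned in posts 11 and 23.
    $svc = Get-Service -Name HvHost -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{ Source = 'Service'; Item = 'HvHost'
                           Value  = "$($svc.Status), StartType=$($svc.StartType)" }
    }
}

Get-VbsAudit | Format-Table -AutoSize
```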