Windows 10: Permanently disable VBS (Virtualization-based security)?

3

1

Android Studio requires Hyper-V, but installing Hyper-V also enabled VBS (Virtualization-based Security). The problem is AMD's Ryzen software doesn't run if VBS is enabled.


Applying the following script gave me an option to "opt-out" from VBS on the next reboot, but that does not seem to be permanent. Restarting Windows seems to enable VBS again. So, it seems that I have to run the script and press the opt-out key every time.

Is there any way to disable VBS permanently and never ask me to disable it again?

rem Mount the EFI system partition on a free drive letter and copy SecConfig.efi to it
set FREE_MOUNT_VOL_DRIVELETTER=L:
mountvol %FREE_MOUNT_VOL_DRIVELETTER% /s
copy C:\WINDOWS\System32\SecConfig.efi %FREE_MOUNT_VOL_DRIVELETTER%\EFI\Microsoft\Boot\SecConfig.efi /Y
rem Create a boot entry that runs SecConfig.efi with the opt-out options
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DG" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
rem bootsequence is a one-time setting: it applies to the next boot only
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=%FREE_MOUNT_VOL_DRIVELETTER%
rem Unmount the EFI system partition
mountvol %FREE_MOUNT_VOL_DRIVELETTER% /d

Local Group Policy does not seem to work.


The Registry value EnableVirtualizationBasedSecurity already has been set to 0.


Damn Vegetables

Posted 2019-10-04T16:42:47.560

Reputation: 1 914

Is this system connected to an Active Directory domain? – Ramhound – 2019-10-04T18:09:20.457

No, it is not joined to a domain. – Damn Vegetables – 2019-10-04T18:14:08.850

Did you ever find a solution? – user5389726598465 – 2019-11-13T18:38:14.790

Figured it out. Virtualization-based security isn't a registry or BIOS setting. It's the same as setting BCD with bcdedit hypervisorlaunchtype off that I've been doing for years for Hyper-V/VMware dual boot. http://www.hanselman.com/blog/SwitchEasilyBetweenVirtualBoxAndHyperVWithABCDEditBootEntryInWindows81.aspx – user5389726598465 – 2019-11-13T19:27:34.377

Answers

0

This procedure should disable Virtualization Based Security:

  • Run gpedit.msc
  • Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard
  • Double click Turn on Virtualization Based Security
  • Select Disabled
  • Click OK
  • A reboot might be required.

harrymc

Posted 2019-10-04T16:42:47.560

Reputation: 306 093

It already has been set to "Disabled". – Damn Vegetables – 2019-10-04T17:13:18.987

Then how come it is not disabled? Please run System Information to verify if this is the case (it is found very low in the list). – harrymc – 2019-10-04T17:36:22.033

I have added the screenshot to the end of the question. It seems that Windows ignores that setting and re-enables VBS every time (except when I ran the script). – Damn Vegetables – 2019-10-04T18:03:52.523

Strange. Try this: Go to registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard and add a new DWORD value named EnableVirtualizationBasedSecurity and set its value to 0 to disable virtualization-based security, then reboot normally. Verify using System Information. – harrymc – 2019-10-04T18:56:59.967

That value already exists and has been set to 0. I think I probably had tried some script on the Internet to try to disable VBS, and that might have done that. I'll add the screenshot to the end of my question. – Damn Vegetables – 2019-10-04T19:41:37.430

Try to delete (after backup) the values like Require* and reboot. – harrymc – 2019-10-04T19:46:23.587

I did that but the result was the same. I deleted the two "Require..." values, but after rebooting, "RequirePlatformSecurityFeatures" = (0) was automatically created. – Damn Vegetables – 2019-10-04T20:23:57.087

I don't know what exactly your script did. Also, did you take a backup before replacing SecConfig.efi? All I have left to suggest is to try to roll back Windows to a System Restore point from before all these manipulations and try only my answer, no scripts, using Windows and not forcing anything. This can fail if the problem is with the replaced SecConfig.efi. – harrymc – 2019-10-04T20:42:46.603

0

I did all the same things you did (GPedit, RegEdit).

Finally, disabling secure boot and any VBS option in the BIOS did the trick.

Moe Khalil

Posted 2019-10-04T16:42:47.560

Reputation: 1

What do you mean "VBS option in the BIOS"? You mean, virtualisation feature such as AMD-V or Intel VT-X? If so, that has the same effect as disabling Hyper-V. I need to use Hyper-V. – Damn Vegetables – 2019-10-30T22:34:39.337
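
The thread checks four places in turn: Group Policy, the DeviceGuard registry key, the BCD hypervisorlaunchtype setting, and System Information. As an added example that is not part of any post above, this read-only PowerShell script reports all four together, so the configured values can be compared with what is actually running after a reboot. The policy key path and the Get-RegValue helper are assumptions of this example, not taken from the thread.

```powershell
# Added example: read-only report of the VBS settings discussed in this thread.
# Run from an elevated prompt; bcdedit needs administrator rights.
$dgKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
# Assumption: key where the Device Guard Group Policy setting is stored.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

# Hypothetical helper: return a registry value, or a marker when it is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<not set>' }
    return $item.$Name
}

$report = [ordered]@{
    'Registry EnableVirtualizationBasedSecurity' = Get-RegValue $dgKey 'EnableVirtualizationBasedSecurity'
    'Registry RequirePlatformSecurityFeatures'   = Get-RegValue $dgKey 'RequirePlatformSecurityFeatures'
    'Policy EnableVirtualizationBasedSecurity'   = Get-RegValue $policyKey 'EnableVirtualizationBasedSecurity'
}

# Boot configuration: hypervisorlaunchtype on the current boot entry.
$bcdOut = bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    $report['BCD hypervisorlaunchtype'] = '<bcdedit failed, run elevated>'
} else {
    $line = $bcdOut | Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)' | Select-Object -First 1
    $report['BCD hypervisorlaunchtype'] = if ($line) { $line.Matches[0].Groups[1].Value } else { '<not set>' }
}

# Running state, as opposed to the configured values above.
$statusText  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$serviceText = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $report['VBS status (running state)'] = $statusText[[int]$dg.VirtualizationBasedSecurityStatus]
    $running = $dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
        if ($serviceText.ContainsKey([int]$_)) { $serviceText[[int]$_] } else { "service id $_" }
    }
    $report['Security services running'] = if ($running) { $running -join ', ' } else { 'None' }
} else {
    $report['VBS status (running state)'] = '<Win32_DeviceGuard not available>'
}

[pscustomobject]$report | Format-List
```

Comparing the output before and after a reboot shows which configured value, if any, changed back and whether the running state followed it.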