Skip to main content

Disable virtualization-based security (VBS)

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script disables Virtualization-based Security (VBS) in Windows.

Virtualization-based security (VBS) uses hardware virtualization to create an isolated, secure environment 1. This environment helps protect vital system and operating system resources, as well as security assets like authenticated user credentials 1. VBS requires Secure Boot to run 1 2.

VBS includes a memory integrity feature 1, also called hypervisor-protected code integrity (HVCI) 1 and hypervisor enforced code integrity 1. It protects Windows by running kernel mode code integrity within the isolated virtual environment 1.

Initially released as part of Defender Device Guard 1 this feature is now part of Defender Application Control 3 4. Although the Device Guard brand is no longer used, it still appears in some Windows registry settings 1 5. VBS and its memory integrity feature now operate independently 5.

This script may enhance privacy by giving you more control over your system. VBS isolates kernel mode drivers and executables, preventing modifications 1. For example, you may want to disable Defender, which collects telemetry and personal data 6. Disabling Defender requires disabling its kernel drivers 7, which are protected by VBS. Disabling VBS allows for deeper system-level changes to improve privacy.

This script may also improve system performance. VBS can slow down apps and games by 5 to 15% 8.

However, disabling VBS has security implications:

  • It reduces protection against credential theft.
  • It makes the system more vulnerable to certain types of malware.
  • If you disable VBS, you will automatically disable Credential Guard, which relies on VBS 9. Credential Guard uses VBS to store credentials and other secrets in a protected environment 10. This environment is isolated from the operating system 10.
Caution

This action may reduce system security by removing protections that block malicious code from accessing critical components.

Technical Details

This script modifies multiple registry keys to disable VBS and its features:

  • Disables VBS through:
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!EnableVirtualizationBasedSecurity 8 9 11 12 13 14
    • HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity 2
  • Disables Secure Boot and DMA protection 2 9 11 through:
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequirePlatformSecurityFeatures 2 9 11 12 13 14
    • HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!RequirePlatformSecurityFeatures 2
  • Disables memory integrity 2 11 through:
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Enabled 11 12 13 14
  • Disables UEFI lock 11 through:
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Locked 11 14
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Unlocked 13
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!NoLock 14
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Locked 14
  • Disables boot prevention if VBS modules fail 11 through:
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Mandatory 11
  • Disables signature check:
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequireMicrosoftSignedBootChain 12
  • Disable Hypervisor-Protected Code Integrity (HVCI):
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!HVCIMATRequired 12
    • HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!HVCIMATRequired 2

This script uses Batch (batchfile) scripting language.

Not Advised

This script should only be used by advanced users. This script is not recommended for daily use as it breaks important functionality. Do not run it without having backups and system snapshots.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to Disable system modification restrictions category. This category disables features that restrict system modifications in Windows. This enables deeper system modifications, enhancing privacy by allowing the removal or disabling of data-collecting components like Defender. These features raise several concerns: Less user control: • Users can't... Read more on category page ▶

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is free and open-source application that lets securely apply this action easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Disable virtualization-based security (VBS).
  3. Check the script by clicking on the checkbox.
  4. Click on Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for simpler way.

  1. Open Command Prompt as administrator.
HELP: Step-by-step guide
  1. Click on Start menu

  2. Type cmd

  3. Right click on Command Prompt select Run as administrator

  4. Click on Yes to run Command Prompt


Animation showing how to open terminal as administrator on Windows 11

  1. Copy the following code:
Code to apply changes
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!EnableVirtualizationBasedSecurity"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; $data = '0'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequirePlatformSecurityFeatures"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'RequirePlatformSecurityFeatures' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!RequirePlatformSecurityFeatures"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; $data = '0'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'RequirePlatformSecurityFeatures' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Locked"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'Locked' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!NoLock"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '1'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'NoLock' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Unlocked"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '1'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'Unlocked' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Locked"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' /v 'Locked' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequireMicrosoftSignedBootChain"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'RequireMicrosoftSignedBootChain' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' /v 'Enabled' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!HypervisorEnforcedCodeIntegrity"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; $data = '0'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'HypervisorEnforcedCodeIntegrity' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Mandatory"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'Mandatory' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!HVCIMATRequired"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' /v 'HVCIMATRequired' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!HVCIMATRequired"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; $data = '0'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'HVCIMATRequired' /t 'REG_DWORD' /d "^""$data"^"" /f"
  1. Right click on command prompt to paste it.
  2. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!EnableVirtualizationBasedSecurity"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /f 2>$null"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequirePlatformSecurityFeatures"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'RequirePlatformSecurityFeatures' /f 2>$null"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!RequirePlatformSecurityFeatures"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'RequirePlatformSecurityFeatures' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Locked"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'Locked' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!NoLock"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'NoLock' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Unlocked"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'Unlocked' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Locked"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' /v 'Locked' /f 2>$null"
:: Set the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!RequireMicrosoftSignedBootChain"
PowerShell -ExecutionPolicy Unrestricted -Command "$revertData = '1'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'RequireMicrosoftSignedBootChain' /t 'REG_DWORD' /d "^""$revertData"^"" /f"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' /v 'Enabled' /f 2>$null"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!HypervisorEnforcedCodeIntegrity"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'HypervisorEnforcedCodeIntegrity' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard!Mandatory"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard' /v 'Mandatory' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity!HVCIMATRequired"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' /v 'HVCIMATRequired' /f 2>$null"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!HVCIMATRequired"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' /v 'HVCIMATRequired' /f 2>$null"

Support

This website relies on your support.

Support now

Your donation helps keep the project alive and improves its content ❤️.

Share this page: