There is no single switch to turn off VBS. VBS must be turned off individually for each security application.
First, check whether Virtualization-Based Security is enabled by one of the Windows security features. If so, use the appropriate method provided below to disable the option:
- Click Start.
- Click the Search field, and then type msinfo32.
- Click Open.
- On the System Information page, identify the Virtualization-Based Security Status for the impacted security features.
- Follow the guidelines provided below to turn off/disable VBS for the impacted Windows Security features (if VBS is enabled):
Impacted Windows Security features and methods to disable VBS:
To disable Hypervisor-protected code integrity (HVCI):
- Click Start > Settings.
- Click Privacy & Security > Windows Security > Device security.
- Locate Core Isolation, and then click Core isolation details.
- Switch the Memory Integrity option to Off.
- Close Windows.
To disable Microsoft Defender Application Guard, Virtual Machine Platform, and Windows Hypervisor Platform:
- Open the Control Panel.
- Click Programs and Features.
- Click Turn Windows features on or off in the left pane. The Windows features list opens.
- Locate and uncheck Microsoft Defender Application Guard, Virtual Machine Platform, and Windows Hypervisor Platform.
- Click OK.
- Close the Control Panel.
IMPORTANT: The following steps to disable Windows Credential Guard might only be required on a computer that is under a Managed Network. The steps below require editing the registry. If you believe your computer is in a managed network, or these steps are too complex, contact your IT department for support.
CAUTION: The next step provides instructions for modifying the registry. Editing the registry incorrectly might cause problems that might require you to reinstall your operating system to correct. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs.
To disable Windows Credential Guard (on an IT managed network):
To disable Windows Defender Credential Guard, you can use the following set of procedures or the Device Guard and Credential Guard hardware readiness tool. If Credential Guard was enabled with UEFI Lock, then you must use the following procedure as the settings are persistent in EFI (firmware) variables and it will require physical presence at the computer to press a function key to accept the changes being made. If Credential Guard was enabled without UEFI Lock, it can be turned off by using Group Policy.
- If Group Policy is used, disable the Group Policy setting you used to enable Windows Defender Credential Guard (Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security).
- Navigate to the registry key and delete the following registry settings:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaCfgFlags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
- If you also wish to disable Virtualization-Based Security, delete the following registry settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
IMPORTANT: If you do not delete all required registry settings the computer might enter BitLocker Recovery. If you manually delete these registry settings, ensure you delete them all.
- Delete the Windows Defender Credential Guard EFI variables by using bcdedit. Type the following commands from an elevated Command Prompt:
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} Device partition=X:
mountvol X: /d
- Restart the computer.
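To confirm the result after the restart without opening msinfo32, the following read-only PowerShell check reports the VBS status and which of the registry values named above are still present. It is an added example, not part of the original instructions; it assumes an elevated PowerShell session, reads the Win32_DeviceGuard CIM class, and uses a helper name (Convert-ServiceList) chosen here for illustration.

```powershell
# Added example (not from the original instructions): read-only VBS status check.
# Run from an elevated PowerShell session. Nothing is modified.

# Documented meanings of the Win32_DeviceGuard numeric codes.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-protected code integrity (HVCI)' }

# Convert-ServiceList is a helper name chosen for this example.
function Convert-ServiceList([uint32[]]$Codes) {
    $names = foreach ($c in $Codes) {
        if ($c -eq 0) { continue }   # 0 means "no services"
        if ($services.ContainsKey([int]$c)) { $services[[int]$c] }
        else { "Other service (code $c)" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

[pscustomobject]@{
    VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = Convert-ServiceList $dg.SecurityServicesConfigured
    ServicesRunning    = Convert-ServiceList $dg.SecurityServicesRunning
} | Format-List

# Registry values the procedure says to delete. A partial cleanup is the case
# the BitLocker Recovery warning describes, so every value is reported.
# LsaCfgFlags under Control is a value of the Lsa subkey.
$dgPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$values = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LsaCfgFlags' },
    @{ Path = $dgPolicy; Name = 'LsaCfgFlags' },
    @{ Path = $dgPolicy; Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = $dgPolicy; Name = 'RequirePlatformSecurityFeatures' }
)
foreach ($v in $values) {
    $item  = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    $state = if ($null -ne $item) { "present, value $($item.($v.Name))" } else { 'absent' }
    '{0}\{1}: {2}' -f $v.Path, $v.Name, $state
}
```

If any of the four values still shows as present while the others are absent, the cleanup is incomplete in the sense of the IMPORTANT note above.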