1. Information
Disabling Virtualization Based Security (VBS), will automatically disable Credential Guard and other features that rely on VBS.
2. Disable
-
Enter the following commands at a PowerShell Command Prompt with administrative privileges.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" # Create registry key if it does not exist. if (-not (Test-Path -Path $Path)) { $Null = New-Item -Force -Path $Path } $Null = New-ItemProperty -Force -Name "EnableVirtualizationBasedSecurity" -Path $Path -PropertyType "DWord" -Value "0" $Null = New-ItemProperty -Force -Name "RequirePlatformSecurityFeatures" -Path $Path -PropertyType "DWord" -Value "0" $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" # Create registry key if it does not exist. if (-not (Test-Path -Path $Path)) { $Null = New-Item -Force -Path $Path } $Null = New-ItemProperty -Force -Name "LsaCfgFlags" -Path $Path -PropertyType "DWord" -Value "0" $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" # Create registry key if it does not exist. if (-not (Test-Path -Path $Path)) { $Null = New-Item -Force -Path $Path } $Null = New-ItemProperty -Force -Name "LsaCfgFlags" -Path $Path -PropertyType "DWord" -Value "0" mountvol.exe X: /s Copy-Item -Force -Path "${Env:SystemRoot}\System32\SecConfig.efi" -Destination "X:\EFI\Microsoft\Boot\SecConfig.efi" $Null = bcdedit.exe /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d "DebugTool" /application osloader $Null = bcdedit.exe /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path "\EFI\Microsoft\Boot\SecConfig.efi" $Null = bcdedit.exe /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}" $Null = bcdedit.exe /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS $Null = bcdedit.exe /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=X: mountvol.exe X: /d $Null = bcdedit.exe /set hypervisorlaunchtype off $Null = bcdedit.exe /set vsmlaunchtype off Write-Host "Restart the computer." Write-Host "Press F3 to disable Device Guard." Write-Host "Press F3 to disable Virtualization Based Security."
3. Enable
-
Enter the following commands at a PowerShell Command Prompt with administrative privileges.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" # Create registry key if it does not exist. if (-not (Test-Path -Path $Path)) { $Null = New-Item -Force -Path $Path } $Null = New-ItemProperty -Force -Name "EnableVirtualizationBasedSecurity" -Path $Path -PropertyType "DWord" -Value "1" $Null = New-ItemProperty -Force -Name "RequirePlatformSecurityFeatures" -Path $Path -PropertyType "DWord" -Value "3" # Use Secure Boot and DMA protection. $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" # Create registry key if it does not exist. if (-not (Test-Path -Path $Path)) { $Null = New-Item -Force -Path $Path } $Null = New-ItemProperty -Force -Name "LsaCfgFlags" -Path $Path -PropertyType "DWord" -Value "1" # Enable Credential Guard with UEFI lock. mountvol.exe X: /s Copy-Item -Force -Path "${Env:SystemRoot}\System32\SecConfig.efi" -Destination "X:\EFI\Microsoft\Boot\SecConfig.efi" $Null = bcdedit.exe /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d "DebugTool" /application osloader $Null = bcdedit.exe /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path "\EFI\Microsoft\Boot\SecConfig.efi" $Null = bcdedit.exe /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}" $Null = bcdedit.exe /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions ENABLE-LSA-ISO,ENABLE-VBS $Null = bcdedit.exe /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=X: mountvol.exe X: /d $Null = bcdedit.exe /set hypervisorlaunchtype auto $Null = bcdedit.exe /set vsmlaunchtype auto Write-Host "Restart the computer."