Microsoft windows 10 64 bit vbs not enabled

In this post, we will show you how to disable or enable Virtualization-based Security (VBS) in Windows 11/10. You can follow these steps to turn on VBS if you find that Virtualization-based Security is not enabled on your computer.

Virtualization-based Security creates a secure and isolated region of memory from the regular operating system, allowing users to host various security solutions. While checking the status of Virtualization-based security in the System Information wizard, you might find it Not enabled in Windows 11/10. If so, here is everything you need to know about this security functionality, whether you should disable or enable it, its requirements, etc.

What is Virtualization-based Security (VBS) in Windows 11

Virtualization-based Security of VBS is a security functionality included in Windows 11, allowing users to prevent unsigned drivers, codes, software, etc., from residing in the memory of your system. That being said, it creates an isolated regime, which works as an additional security layer to protect your system. For your information, it works alongside Core isolation and Memory integrity.

The problem begins when it starts consuming more than usual resources. As it requires running in the background continuously, you must provide a lump sum of CPU resources for a smoother experience. It works fine when you do not game or run multiple high-performance apps simultaneously on mid-range hardware.

Should I disable Virtualization-based Security (VBS) in Windows 11?

Disabling Virtualization-based Security in Windows 11 frees up some resources, making your PC a lot smoother for gaming, but the security takes a beating for sure. If you think you do not need such a feature or want to compromise it with your gaming performance, you can undoubtedly disable Virtualization-based Security or VBS.

However, if you want to make your PC more secure in exchange for some resources, you can keep it running. Nonetheless, if the status is Not enabled, this article will let you turn it on.

If Virtualization-based Security is not enabled in Windows 11/10, then use one of these methods:

1. Using Windows Security
2. Using Registry Editor

To learn more about these steps, continue reading.

How to enable Virtualization-based Security (VBS) in Windows 11/10

1] Using Windows Security

It is probably the easiest way to enable or disable Virtualization-based Security in Windows 11. In other words, you need to enable Core isolation to get it done. For that, do the following:

• Search for windows security in the Taskbar search box.
• Click on the individual search result.
• Switch to the Device security tab.
• Click on the Core isolation details option.
• Toggle the Memory integrity button to turn it on.
• Restart your computer.

After restarting, you can open the System Information window to find the status. However, if you want to disable Virtualization-based Security in Windows 11, you need to check if it is turned on. If so, toggle the same button to disable the feature.

2] Using Registry Editor

To turn on Virtualization-based Security in Windows 11 using Registry Editor, do the following:

Press Win+R to open the Run prompt.

Type regedit > press the Enter button > click the Yes option.

Go to-

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlDeviceGuardScenariosHypervisorEnforcedCodeIntegrity

Right-click on HypervisorEnforcedCodeIntegrity > New > DWORD (32-bit) Value.

Name it as Enabled.

Double-click on it to set the Value data as 1.

Click the OK button.

Close all windows and restart your computer.

After that, you can find it enabled. However, if you want to disable Virtualization-based Security in Windows 11, you need to set the Value data as 0.

What are the requirements for VBS in Windows 11?

If the Virtualization-based Security is not enabled even after following the aforementioned guides, you need to check if your computer complies with the system requirements:

• x64 CPU
• SLAT or Second Level Address Translation
• Intel VT-D or AMD-Vi
• Trusted Platform Module 2.0
• SMM protection supported firmware
• UEFI memory reporting
• Security MOR 2
• HVCI or Hypervisor Code Integrity

How to check if VBS is enabled?

To check if VBS is enabled, you need to search for System Information in the Taskbar search box and click on the individual search result. Then, find out the Virtualization-based security section and check the status on the right side. You can find either Enabled or Not enabled.

Read: How to disable VBS?

How to disable VBS in Windows 11?

As mentioned in the post, to disable VBS in Windows 11, you need to open Windows Security. Then, switch to the Device security tab, and click on the Core isolation details. Following that, toggle the Memory integrity button to turn it off.

Hope this guide helped.

With version 6.7, VMware added support for the Windows 10 virtualization-based security (VBS) feature to the vSphere suite. Microsoft’s VBS is also available for Windows Server 2016 operating systems (OSes).

What is Virtualization-based Security (VBS)?

VBS uses hardware and software virtualization features to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem.

Basically, Microsoft is using a Windows role (or component) called the Hyper-V role, which boots the OS. This hypervisor allows Microsoft to isolate some sensitive information in places that would normally be accessible to the OS. Here we can think of cached credentials and such things.

Most modern systems have a Trusted Platform Module (TPM) 2.0 device built into the hardware. However, someone had to do it in software. And this is the goal. To give you an idea, here is a screenshot from a VMware blog post.

As you can see, the Windows 10 virtual machine (VM) has a hypervisor role active and has the credentials stored elsewhere.

What are the restrictions on VBS-enabled VMs?

VBS is only usable on Windows 10 and Windows Server 2016, and vSphere features exist that are not compatible with VBS:

• VMware Fault Tolerance (FT)
• vSphere PCI passthrough
• vSphere hot add for CPU or memory

What are the vSphere requirements for VBS?

As mentioned above, VBS is only available as of vSphere 6.7. The requirements for working with VBS are:

• A VM with virtual hardware 14
• Hardware virtualization and an input/output memory management unit (IOMMU) exposed to the VM
• Secure boot enabled
• EFI firmware
• 64-bit CPU
• Intel VT-d or AMD-Vi ARM64 system memory management units (SMMUs)
• TPM 2.0

How do you enable VBS?

In the VMware vSphere client, first connect to vSphere and select the VM for which you want to enable VBS.

1. Shut down the VM and tick the Enable box next to Virtualization Based Security under VM Options.

Note: The VM has to be booting EFI (not BIOS) to satisfy the requirements. If you are creating new Windows 10 or Windows 2016 VMs, you should make sure you are selecting UEFI firmware before installing. After installing the system, it is pretty difficult to switch.

And once the VM is up and running, we’ll need to activate the Hyper-V role. You can do this through a simple command appwiz.cpl, which automatically brings up the window where we select Add/Remove Turn Windows features on and off. Once there, we can look for the Hyper-V section and check the box Hyper-V Hypervisor.

If you want to add a Hyper-V role on Windows Server 2016, you’ll use the Add roles and features wizard within your Server Manager.

Once you’re done, it’ll ask you to reboot the system.

Let’s continue after the VM comes up.

1. In the VM, open gpedit.msc and browse to:

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. Set it to Enable and configure the options as follows:

• Select Platform Security Level: Secure Boot and DMA Protection
• Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
• Credential Guard Configuration: Enabled with UEFI lock

If you want to be able to turn off Windows Defender Credential Guard remotely, choose Enabled without lock.

If you want to activate VBS for multiple systems, you can do this via Group Policy in your domain.

Final words

I think there will be further expansion of VBS in Windows Server 2019. It is a great feature that helps protect Windows against malware and all kinds of attacks where credentials are involved.

Subscribe to 4sysops newsletter!

VMware vSphere 6.7 has brought this feature in collaboration with Microsoft. It is great to see that these two giants now work hand in hand on features that improve security.

Функция Безопасность на основе виртуализации (Virtualization Based Security или VBS) появилась ещё в Windows 10 и позже перекочевала в Windows 11. Смысл её работы в том, что VBS изолирует потенциально опасный код в памяти компьютера, предотвращая его выполнение напрямую в операционной системе. С точки зрения безопасности — Функция полезная. Но вот если у Вас слабый или игровой компьютер, то рекомендуется отключить безопасность на основе виртуализации в Windows для повышения производительности. Так же есть ряд приложений, которые вообще отказываются запускаться, если VBS включена.

В этой инструкции я покажу как выключить функцию Virtualization Based Security, используя редактор локальной и групповой политики Windows 11, а так же включить его обратно, при необходимости. А ещё расскажу про альтернативные способы, если вдруг через политики это сделать не получится.

Проверка состояния функции «Безопасность на основе виртуализации»

Прежде чем думать как отключить функцию — сначала проверьте работает ли она вообще. Как это сделать? Нам поможет инфопанель msinfo32.

Нажмите клавиши Win+R, введите команду «msinfo32» и нажмите на «Enter».

В разделе «Сведения о системе» прокрутите страничку вниз, где найдете пункт «Безопасность на основе виртуализации» — там будет указан текущий статус работы функции. Если стоит «Не включено», то и выключать не придётся!

Управляем Virtualization Based Security через групповые политики

Самый главный способ отключить Безопасность на основе виртуализации (Virtualization Based Security) — это настройка соответствующей групповой политики в Windows.  Для этого надо открыть редактор групповых политик. Нажимаем правой кнопкой мыши по кнопке «Пуск» и выбираем пункт «Выполнить», вводим команду gpedit.msc и нажимаем клавишу «Enter».

Дальше, в редакторе локальной групповой политики надо открыть раздел «Конфигурация компьютера» ⇒ «Административные шаблоны» ⇒ «Система» ⇒ «Device Guard». В правой части окна кликните дважды по пункту «Включить средство обеспечение безопасности на основе виртуализации».

Чтобы отключить VBS Windows 11 — поставьте флажок на значение «Отключено» и нажмите кнопку «ОК».

После этого нужно будет перезагрузить компьютер.

Если вдруг потребуется снова Virtualization Based Security включить, то опять открываем эту политику и ставим значение «Включено»:

После этого нужно будет опять перезагрузить компьютер.

Windows 11 Home Edition

Для тех, у кого на ПК установлена домашняя версия Windows — Home Edition — в которой нет доступа к редактору групповых политик, тоже есть выход! Можно использовать редактор реестра! Чтобы его открыть — нажмите клавиши Win+R на клавиатуре, в появившемся окне «Выполнить» введите команду «regedit» и нажмите клавишу Enter.

Перейдите вот в этот раздел реестра:

После этого в правой части окна редактора надо нажать правой кнопкой мыши в пустом месте и через открывшееся меню создайте новый параметр DWORD с именем EnableVirtualizationBasedSecurity. Установите значение параметра равным «0». Если там уже есть такой параметр, то дважды кликните по нему и измените значение на «0».

Перезагрузите свой компьютер и проверьте работу функции через msinfo32.

Прочие способы отключить Virtualization Based Security

Если с редактором групповых политик у Вас есть какие-то сложности, то можно воспользоваться альтернативными способами.

Командная строка

Запустите командную строку от имени Администратора и введите команду:

bcdedit /set hypervisorlaunchtype off

Нажмите клавишу «Enter», чтобы выполнить её.  Вот так:

После этого перезагрузите компьютер.

Отключение компонентов Windows 11

Отключить виртуализацию в Windows можно через раздел «Программы и компоненты». Для этого с помощью комбинации клавиш Win+R открываем окно «Выполнить», вводим команду: appwiz.cpl и нажимаем на кнопку «ОК». В открывшемся окне кликаем на ссылку «Включение или отключение компонентов Windows»:

В появившемся окне «Компоненты Windows» найдите и отключите компоненты «Application Guard в Microsoft Defender», «Hyper-V», «Платформа виртуальной машины». Нажмите на кнопку «Ок». Перезагрузите компьютер.

Virtualization-based Security (VBS)

Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this «virtual secure mode» to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

One such example security solution is Hypervisor-Enforced Code Integrity (HVCI), commonly referred to as Memory integrity, which uses VBS to significantly strengthen code integrity policy enforcement. Kernel mode code integrity checks all kernel mode drivers and binaries before they’re started, and prevents unsigned drivers or system files from being loaded into system memory.

VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials. With the increased protections offered by VBS, even if malware gains access to the OS kernel the possible exploits can be greatly limited and contained, because the hypervisor can prevent the malware from executing code or accessing platform secrets.

Similarly, user mode configurable code integrity policy checks applications before they’re loaded, and will only start executables that are signed by known, approved signers. HVCI leverages VBS to run the code integrity service inside a secure environment, providing stronger protections against kernel viruses and malware. The hypervisor, the most privileged level of system software, sets and enforces page permissions across all system memory. Pages are only made executable after code integrity checks inside the secure region have passed, and executable pages are not writable. That way, even if there are vulnerabilities like a buffer overflow that allow malware to attempt to modify memory, code pages cannot be modified, and modified memory cannot be made executable.

VBS requires the following components be present and properly configured.

Please notice that TPM is not a must requirement, but we highly recommend to implement TPM.

Источник

Enable virtualization-based protection of code integrity

Applies to

This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see Troubleshooting for remediation steps.

Because it makes use of Mode Based Execution Control, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called Restricted User Mode, which has a bigger impact on performance.

HVCI Features

How to turn on HVCI in Windows 10

To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:

Windows Security app

HVCI is labeled Memory integrity in the Windows Security app and it can be accessed via Settings > Update & Security > Windows Security > Device security > Core isolation details > Memory integrity. For more information, see KB4096339.

Enable HVCI using Intune

Enabling in Intune requires using the Code Integrity node in the AppLocker CSP.

Enable HVCI using Group Policy

Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.

Navigate to Computer Configuration > Administrative Templates > System > Device Guard.

Double-click Turn on Virtualization Based Security.

Click Enabled and under Virtualization Based Protection of Code Integrity, select Enabled with UEFI lock to ensure HVCI cannot be disabled remotely or select Enabled without UEFI lock.

Click Ok to close the editor.

To apply the new policy on a domain-joined computer, either restart or run gpupdate /force in an elevated command prompt.

Use registry keys to enable virtualization-based protection of code integrity

Set the following registry keys to enable HVCI. This provides exactly the same set of configuration options provided by Group Policy.

Among the commands that follow, you can choose settings for Secure Boot and Secure Boot with DMA. In most situations, we recommend that you choose Secure Boot. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.

In contrast, with Secure Boot with DMA, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.

All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users’ computers.

For Windows 10 version 1607 and later

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

If you want to customize the preceding recommended settings, use the following settings.

To enable VBS

To enable VBS and require Secure boot only (value 1)

To enable VBS with Secure Boot and DMA (value 3)

To enable VBS without UEFI lock (value 0)

To enable VBS with UEFI lock (value 1)

To enable virtualization-based protection of Code Integrity policies

To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)

To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)

For Windows 10 version 1511 and earlier

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

If you want to customize the preceding recommended settings, use the following settings.

To enable VBS (it is always locked to UEFI)

To enable VBS and require Secure boot only (value 1)

To enable VBS with Secure Boot and DMA (value 3)

To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)

To enable virtualization-based protection of Code Integrity policies without UEFI lock

Validate enabled Windows Defender Device Guard hardware-based security features

Windows 10 and Windows Server 2016 have a WMI class for related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:

The Win32_DeviceGuard WMI class is only available on the Enterprise edition of WindowsВ 10.

Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.

The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.

AvailableSecurityProperties

This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.

InstanceIdentifier

A string that is unique to a particular device. Valid values are determined by WMI.

RequiredSecurityProperties

This field describes the required security properties to enable virtualization-based security.

SecurityServicesConfigured

This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.

SecurityServicesRunning

This field indicates whether the Windows Defender Credential Guard or HVCI service is running.

Version

This field lists the version of this WMI class. The only valid value now is 1.0.

VirtualizationBasedSecurityStatus

This field indicates whether VBS is enabled and running.

PSComputerName

This field lists the computer name. All valid values for computer name.

Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the System Summary section.

Troubleshooting

A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device Manager.

B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.

C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.

How to turn off HVCI

Run the following command from an elevated prompt to set the HVCI registry key to off:

Restart the device.

To confirm HVCI has been successfully disabled, open System Information and check Virtualization-based security Services Running, which should now have no value displayed.

HVCI deployment in virtual machines

HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.

WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:

Источник

Безопасность на основе виртуализации

Безопасность на основе виртуализации (VBS) использует функции виртуализации оборудования для создания и изоляции защищенного региона памяти от обычной операционной системы. Windows может использовать этот «виртуальный безопасный режим» для размещения ряда решений по обеспечению безопасности, предоставляя им значительно повышенную защиту от уязвимостей в операционной системе и предотвращая использование вредоносных эксплойтов, пытающихся предотвратить защиту.

Одним из таких примеров решения безопасности является Hypervisor-Enforcedная целостность кода (обязательная политика HVCI), которая, как правило, называется целостностью памяти, которая использует VBS для значительного усиления применения политики целостности кода. Целостность кода в режиме ядра проверяет все драйверы и двоичные файлы режима ядра перед их запуском и предотвращает загрузку неподписанных драйверов или системных файлов в системную память.

VBS использует гипервизор Windows для создания этого виртуального безопасного режима, а также для обеспечения ограничений, которые защищают критически важные ресурсы системы и операционной системы или защищают активы безопасности, например учетные данные пользователя, прошедшего проверку подлинности. Благодаря расширенным средствам защиты, предоставляемым VBS, даже если вредоносная программа получает доступ к ядру ОС, возможные эксплойты могут быть значительно ограничены и храниться, так как гипервизор может препятствовать выполнению кода или доступу к секретам платформы.

Аналогично, настраиваемая политика целостности кода в пользовательском режиме проверяет приложения перед их загрузкой и запустит только исполняемые файлы, подписанные известными, утвержденными подписавшими. ОБЯЗАТЕЛЬНАЯ политика HVCI использует VBS для запуска службы целостности кода в безопасной среде, обеспечивая более надежную защиту от вирусов и вредоносных программ ядра. Гипервизор, самый Привилегированный уровень программного обеспечения системы, устанавливает и применяет разрешения страницы во всей системной памяти. Страницы становятся исполняемыми только после прохождения проверки целостности кода в защищенной области, а исполняемые страницы недоступны для записи. Таким образом, даже если существуют уязвимости, например переполнение буфера, которые позволяют вредоносным программам пытаться изменить память, кодовые страницы не могут быть изменены, а измененная память не может быть сделана исполняемой.

Для VBS необходимо, чтобы были установлены и правильно настроены следующие компоненты.

Обратите внимание, что доверенный платформенный модуль не обязательно должен быть обязательным, но мы настоятельно рекомендуем реализовать TPM.