Windows 11 Windows 11 Home: Unable to Disable VBS After Manufacturer Repair

[CWXFred]

Hello,
I am unable to disable VBS on Windows 11 Home Edition after my PC was repaired by the manufacturer. Before the repair, I was able to disable VBS without any issues.

I have already tried/deactivated the following:

1. Windows Security > Device Security > Core Isolation > Memory Integrity: off
2. regedit > Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity > Enabled > value = 0
3. bcdedit /set hypervisorlaunchtype off -> restart
4. Windows features > Hypervisor Platform and Virtual Machine Platform: disabled
5. UEFI VT-d: off
6. Settings > Privacy & Security > Virus & Threat Protection > Real-time protection: off

After all of this, msinfo still shows: “Virtualization-based Security: Running (On)”.

Why could VBS still be active? Thanks in advance for your help.

 

[ChatGPT]

Hi CWXFred,
The most likely reason is that you disabled Memory Integrity/HVCI, but VBS itself can still be started by another VBS service or policy. Also, turning off VT-d is not the same as turning off the CPU virtualization feature required by VBS.

Most likely causes​

• CPU virtualization is still enabled
• Intel systems usually have both:
• Intel Virtualization Technology / VT-x
• VT-d
• AMD systems usually have:
• SVM Mode
• IOMMU
• You disabled VT-d, but VBS mainly depends on VT-x or AMD SVM.
• Credential Guard or another VBS service is still configured
• msinfo32 can show VBS as running even if Memory Integrity is off.
• Check these lines in msinfo32:
• Virtualization-based Security Services Configured
• Virtualization-based Security Services Running
• Manufacturer repair may have reset BIOS/UEFI security defaults
• Secure Boot, TPM, virtualization, DMA protection, or “Secured-core PC” settings may have been re-enabled.
• A policy key may still be forcing VBS
• Windows 11 Home does not include full Group Policy Editor, but registry-based policy keys can still exist.
• UEFI lock may be involved
• If VBS/Credential Guard/HVCI was enabled with UEFI lock, normal registry changes may not fully disable it.
• Real-time protection is unrelated
• Defender real-time protection does not control VBS. I recommend turning it back on.

Step 1: Check what is actually keeping VBS active​

• Open Windows Terminal / PowerShell as Administrator.
• Run:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning, RequiredSecurityProperties, AvailableSecurityProperties

• Interpret the important values:

VirtualizationBasedSecurityStatus:
0 = VBS not enabled
1 = VBS enabled but not running
2 = VBS enabled and running

SecurityServicesConfigured / SecurityServicesRunning:
1 = Credential Guard
2 = Memory Integrity / HVCI
3 = System Guard Secure Launch
5 = Kernel-mode Hardware-enforced Stack Protection
7 = Hypervisor-Enforced Paging Translation

If you post that output, we can tell exactly which component is keeping it alive.

Step 2: Disable the missing firmware setting​

• Enter BIOS/UEFI setup.
• Look for one of these settings:

Intel Virtualization Technology
Intel VT-x
AMD SVM Mode
SVM
Virtualization Technology

• Set it to Disabled.
• Save and reboot.

Expected result: If CPU virtualization is truly disabled, VBS should not be able to run.
Warning: This will also break or disable things like WSL2, Hyper-V, VirtualBox/VMware acceleration, Android emulators, Docker Desktop, and some security features.

Step 3: Disable VBS policy values from Windows​

Before doing this, create a restore point:

• Press Win + R.
• Run:

SystemPropertiesProtection.exe

• Create a restore point.
• Open Command Prompt as Administrator.
• Run:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
bcdedit /set hypervisorlaunchtype off
bcdedit /set vsmlaunchtype off
shutdown /r /t 0

• After reboot, check msinfo32 again.

Step 4: If it still says VBS is running​

• Check if the PC is managed:

dsregcmd /status

• Also check:

Settings > Accounts > Access work or school

• If a work/school account or MDM profile is connected, it may be reapplying VBS policy.
• If SecurityServicesRunning shows 1, Credential Guard may be involved.
• If Locked or UEFI lock was used, you may need to temporarily disable Secure Boot in BIOS, reboot, apply the disable settings again, then re-enable Secure Boot if desired.

Undo / restore​

To undo the boot changes later:

bcdedit /set hypervisorlaunchtype auto
bcdedit /set vsmlaunchtype auto

Then re-enable the BIOS virtualization setting if you need WSL2, Hyper-V, Docker, VMware, VirtualBox acceleration, or emulators.

Important note​

Please turn Defender real-time protection back on. It does not disable VBS and leaving it off reduces your system protection.
If you can, please post the output of the PowerShell Win32_DeviceGuard command and the exact msinfo32 lines for Services Configured and Services Running. That will show whether this is HVCI, Credential Guard, Secure Launch, or a policy/firmware lock.

 

[CWXFred]

Step 1:
VirtualizationBasedSecurityStatus : 2
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
RequiredSecurityProperties : {0}
AvailableSecurityProperties : {1, 4, 5, 7...}

Step 2:

in my UEFI settings, I can only find the option ‘VT-d’: on or off. > VT-d is off

Step 4:

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : NO
Virtual Desktop : NOT SET
Device Name : LAPTOP-OH42PT3J

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : consumers
WamDefaultId : Sign in to your account
WamDefaultGUID : {D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F} (MicrosoftAccount)

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

IsDeviceJoined : NO
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision

no work/school account connected

 

[CWXFred]

solved! Step 3 seemed to fix the issue.

 

[ChatGPT]

Great news, CWXFred — glad Step 3 fixed it!
That means VBS was most likely being kept active by a registry/policy configuration, not by the Windows Security “Memory Integrity” toggle alone.
A few final checks I recommend:

1. Open msinfo32.
2. Confirm:

Virtualization-based Security: Not enabled

1. Turn Microsoft Defender real-time protection back on if it is still disabled:

Windows Security > Virus & threat protection > Manage settings > Real-time protection > On

1. If you use Docker, WSL2, Hyper-V, VMware/VirtualBox acceleration, or Android emulators later, remember that the bcdedit changes may affect them. To restore hypervisor launching later, run as Administrator:

bcdedit /set hypervisorlaunchtype auto
bcdedit /set vsmlaunchtype auto

Then reboot.
Thanks for reporting back — this will help others with the same post-repair VBS issue.