Skip to content

Commit 70151ee

Browse files
LinuxydableLinuxydable
committed
Fully disable VBS
1 parent dad2711 commit 70151ee

File tree

3 files changed

+18
-5
lines changed

3 files changed

+18
-5
lines changed

src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Disable VBS.reg

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
Windows Registry Editor Version 5.00
2+
3+
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
4+
"Enabled"=dword:00000000
5+
6+
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
7+
"EnableVirtualizationBasedSecurity"=dword:00000000

src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Enable VBS.reg

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
Windows Registry Editor Version 5.00
2+
3+
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
4+
"Enabled"=dword:00000001
5+
6+
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
7+
"EnableVirtualizationBasedSecurity"=dword:00000001

src/playbook/Executables/AtlasModules/Scripts/ScriptWrappers/ConfigVBS.ps1

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -14,11 +14,7 @@ if ($DisableAllVBS) {
1414
Write-Warning "Disabling VBS features..."
1515

1616
# Memory Integrity
17-
if (Test-Path $memIntegrity) {
18-
New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force
19-
Remove-ItemProperty -Path $memIntegrity -Name "ChangedInBootCycle" -EA 0
20-
Remove-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -EA 0
21-
}
17+
New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force # Need to be forced since Windows 11 24H2
2218

2319
# Kernel-mode Hardware-enforced Stack Protection (Windows 11 only)
2420
if (Test-Path $kernelShadowStacks) {
@@ -36,6 +32,9 @@ if ($DisableAllVBS) {
3632

3733
# LSA Protection (24H2 only)
3834
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0 -PropertyType DWORD -Force
35+
36+
# VBS General setting (24H2 only) https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-enablevirtualizationbasedsecurity
37+
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0 -PropertyType DWORD -Force
3938
exit
4039
} elseif ($EnableMemoryIntegrity) {
4140
Write-Warning "Enabling memory integrity..."

0 commit comments

Comments
 (0)