Created
October 18, 2025 19:44
-
-
Save avoidik/3978e5a21f2d61e163f382c1822da9b7 to your computer and use it in GitHub Desktop.
Windows 11 25H2 - Disable Credential Guard, Disable Virtualization-based Security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM Disable VBS with registry settings | |
| REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f | |
| REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f | |
| REM Disable Credential Guard with registry settings | |
| REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d "0" /f | |
| REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d "0" /f | |
| REM Disable Credential Guard with UEFI lock | |
| mountvol X: /s | |
| copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y | |
| bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader | |
| bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" | |
| bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} | |
| bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS | |
| bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: | |
| mountvol X: /d | |
| REM Deactivate VSM and Hyper-V | |
| bcdedit /set vsmlaunchtype off | |
| bcdedit /set hypervisorlaunchtype off | |
| REM Reboot and press F3 twice |
Disabled Windows drivers update over WU
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "ExcludeWUDrivers" /t REG_DWORD /d "1" /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching" /v "DriverUpdateWizardWuSearchEnabled" /t REG_DWORD /d "0" /f
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Reference https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure