Script to disable Virtualization Based Security and Credential Guard
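@Echo off
REM Disables Virtualization Based Security (VBS) and Credential Guard on this machine:
REM registry policy values, the VBS-dependent Windows features, the HvHost service and
REM a one-time SecConfig.efi boot entry that clears the UEFI lock at the next boot.
REM Security impact: once applied, LSA secrets are no longer isolated by Credential
REM Guard. Record the change and revert it when the reason for disabling VBS is gone.
cls
REM Registry, DISM, service and bcdedit changes all need elevation; refuse early rather
REM than leaving the machine half-configured. "net session" only succeeds when elevated.
net session >nul 2>&1
If errorlevel 1 (
    Color 04
    Echo This script must be run from an elevated Administrator command prompt.
    Pause
    Exit /B 1
)
Color 04
Echo ##############################################################################
Echo Script to disable Virtualization Based Security and Credential Guard
Echo Version 20250404 by Metis IT
Echo Script started at %date% %time%
Echo.
Echo DISCLAIMER:
Echo.
Echo This script has been made available by Metis IT!
Echo You should only run this script if you know what you are doing.
Echo You also have taken the following precautions:
Echo - You have made a restore point.
Echo - You checked that you can logon with username and password.
Echo - A local administrator account without Windows Hello authentication is available.
Echo - You have printed out the Bitlocker Recovery Key of your system drive.
Echo - You have a recent backup copy of all your data.
Echo - You know that despite all measures taken, you can damage your pc.
Echo ##############################################################################
Echo.
REM choice sets errorlevel 1 for Y and 2 for N; "If errorlevel N" means ">= N", so test 2 first.
choice /C YN /M "I have taken precautions and I know the risks! Press N (No) to cancel."
If errorlevel 2 Exit
If errorlevel 1 Echo.
Color
Echo Disable VBS and Credential Guard in the Windows registry
Echo ------------------------------------------------------------------------------
REM The HKLM\SOFTWARE\Policies keys are the Group Policy locations; a domain policy that
REM still enables VBS is expected to re-apply them at the next policy refresh.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v LsaCfgFlags /t REG_DWORD /d 00000000 /f
Echo ##############################################################################
Echo.
Echo Disable Windows Features that rely on Virtualization Based Security (VBS)
Echo ------------------------------------------------------------------------------
REM /NoRestart keeps DISM from prompting for or triggering a reboot before the boot
REM configuration below has been written (the PowerShell variant already passes it).
Dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /NoRestart
Dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V /NoRestart
Dism /online /Disable-Feature /FeatureName:VirtualMachinePlatform /NoRestart
Dism /online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /NoRestart
Echo ##############################################################################
Echo.
Echo Stop and disable the Hyper-V host service
Echo ------------------------------------------------------------------------------
sc config HvHost start= disabled
net stop HvHost /y
timeout /t 5 /nobreak
Echo Kill the Hyper-V host service if the service is still running.
taskkill /F /FI "SERVICES eq HvHost"
Echo ##############################################################################
Echo.
Echo disable Virtualization Based Security and Credential Guard at startup (UEFI lock)
Echo ------------------------------------------------------------------------------
REM Mount the EFI system partition on X: and stage SecConfig.efi there. Both steps were
REM unchecked before, so a busy X: or a failed copy still produced a boot entry pointing
REM at a file that was never staged. Assumes mountvol/copy report failure via errorlevel.
mountvol X: /s
If errorlevel 1 (
    Echo Could not mount the EFI system partition on X: - skipping the UEFI lock step.
    goto :finish
)
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
If errorlevel 1 (
    Echo Could not copy SecConfig.efi to X: - skipping the UEFI lock step.
    mountvol X: /d
    goto :finish
)
REM /create fails if the entry already exists from an earlier run; the /set calls below
REM still apply to the existing entry, so that failure is deliberately not fatal here.
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
REM One loadoptions assignment: the earlier DISABLE-LSA-ISO-only value was immediately
REM overwritten by the combined value, so it was dropped.
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
bcdedit /set vsmlaunchtype off
bcdedit /set hypervisorlaunchtype off
bcdedit /set {current} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
:finish
Echo ##############################################################################
Echo.
Echo Script ended at %date% %time%
Echo ##############################################################################
Pause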
# Requires -RunAsAdministrator (script will self-elevate if needed; this is intentionally a plain comment, because a real #Requires directive would refuse to start unelevated and prevent the self-elevation below)
# Function to check if script is running as Administrator | |
function Test-Admin {
    # Returns $true when the current Windows identity holds the built-in Administrator
    # role; used once at startup to decide whether the script must relaunch elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
    $adminRole = [Security.Principal.WindowsBuiltinRole]::Administrator
    return $principal.IsInRole($adminRole)
}
# Relaunch the script with elevated privileges if not admin | |
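if (-not (Test-Admin)) {
    # Without a saved script file (pasted into a console, Invoke-Expression, ...)
    # $PSCommandPath is empty and the relaunch would start `-File ""`, which fails
    # in the new window where nobody sees it; refuse here with a visible reason.
    if ([string]::IsNullOrEmpty($PSCommandPath)) {
        Write-Error "This script must be run as Administrator and cannot self-elevate when it is not saved as a .ps1 file."
        exit 1
    }
    Write-Warning "This script must be run as Administrator. Relaunching with elevation..."
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = 'powershell.exe'
    # -ExecutionPolicy Bypass only affects the elevated child; the UAC prompt still applies.
    $psi.Arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $psi.Verb = 'runas'
    # Verb is only honoured with UseShellExecute. Windows PowerShell defaults it to
    # $true, PowerShell 7 (.NET Core) to $false; without this line the child would
    # start unelevated there and relaunch itself again on every start.
    $psi.UseShellExecute = $true
    try {
        [System.Diagnostics.Process]::Start($psi) | Out-Null
        exit
    }
    catch {
        # Start throws when the user declines the UAC prompt or elevation is blocked.
        Write-Error "User declined the elevation request or error occurred."
        exit 1
    }
}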
# Clear the screen so the banner and disclaimer below are the first thing the user sees.
Clear-Host
# Define some colors for output | |
function Write-Color {
    # Thin Write-Host wrapper: prints $Text in the given foreground/background colours.
    # Defaults are White on Black, so even an "uncoloured" call repaints the background.
    param(
        [string]$Text,
        [ConsoleColor]$ForegroundColor = 'White',
        [ConsoleColor]$BackgroundColor = 'Black'
    )
    $hostArgs = @{
        Object          = $Text
        ForegroundColor = $ForegroundColor
        BackgroundColor = $BackgroundColor
    }
    Write-Host @hostArgs
}
# Display header and disclaimers | |
# Banner and disclaimer: red for the framing lines, default colour for the body text.
$bannerRule = "##############################################################################"
Write-Color $bannerRule Red
Write-Color "Script to disable Virtualization Based Security and Credential Guard" Red
Write-Color "Version 20250404 by Metis IT" Red
$startedAt = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Write-Host "Script started at $startedAt"
Write-Host ""
Write-Color "DISCLAIMER:" Red
Write-Host ""
$disclaimerLines = @(
    "This script has been made available by Metis IT!",
    "You should only run this script if you know what you are doing.",
    "You also have taken the following precautions:",
    "- You have made a restore point.",
    "- You checked that you can logon with username and password.",
    "- A local administrator account without Windows Hello authentication is available.",
    "- You have printed out the Bitlocker Recovery Key of your system drive.",
    "- You have a recent backup copy of all your data.",
    "- You know that despite all measures taken, you can damage your PC."
)
foreach ($line in $disclaimerLines) {
    Write-Host $line
}
Write-Color $bannerRule Red
Write-Host ""
# Prompt user to confirm they've taken precautions (Y/N) | |
# Confirmation gate: keep asking until the answer is exactly one of Y/y/N/n, then stop on N.
$choice = $null
while ($choice -notmatch '^[YyNn]$') {
    $choice = Read-Host "I have taken precautions and I know the risks! (Y/N)"
}
if ($choice -match '^[Nn]$') {
    Write-Host "User cancelled the operation."
    exit 0
}
Write-Host ""
# Function to add or set registry DWORD value | |
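function Set-RegistryDword {
    <#
    .SYNOPSIS
    Creates the registry key if it is missing and writes a DWORD value under it.
    .PARAMETER Path
    Provider path of the key (e.g. HKLM:\SYSTEM\...); created with New-Item -Force when absent.
    .PARAMETER Name
    Name of the value to write.
    .PARAMETER Data
    DWORD data to write.
    .NOTES
    Failures are reported with Write-Warning and do not stop the script, so a partially
    applied configuration is possible; read the warnings before rebooting.
    #>
    param (
        [string]$Path,
        [string]$Name,
        [int]$Data
    )
    try {
        # The registry provider raises non-terminating errors, which try/catch never
        # sees; -ErrorAction Stop routes them to the catch block below.
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -Path $Path -Name $Name -Value $Data -Type DWord -Force -ErrorAction Stop
        Write-Host "Set $Name to $Data in $Path"
    }
    catch {
        # "${Path}:" is required: "$Path:" is parsed as a drive-qualified variable
        # reference and makes the whole script fail to parse.
        Write-Warning "Failed to set $Name in ${Path}: $_"
    }
}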
Write-Color "Disable VBS and Credential Guard in the Windows registry" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
# Same four values as before, written to 0 in order. The two Policies\... entries are
# the Group Policy locations and may be re-applied by a domain policy later.
$registryTargets = @(
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard";        Name = "EnableVirtualizationBasedSecurity" },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa";                Name = "LsaCfgFlags" },
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard";     Name = "EnableVirtualizationBasedSecurity" },
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard";     Name = "LsaCfgFlags" }
)
foreach ($target in $registryTargets) {
    Set-RegistryDword $target.Path $target.Name 0
}
Write-Color "##############################################################################" Green
Write-Host ""
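Write-Color "Disable Windows Features that rely on Virtualization Based Security (VBS)" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
$featuresToDisable = @(
    "Microsoft-Hyper-V-All",
    "Microsoft-Hyper-V",
    "VirtualMachinePlatform",
    "Microsoft-Windows-Subsystem-Linux"
)
foreach ($feature in $featuresToDisable) {
    Write-Host "Disabling feature: $feature ..."
    # /NoRestart keeps DISM from rebooting before the boot configuration is written.
    # -Wait alone discards the exit status; -PassThru exposes it. 3010 is DISM's
    # "succeeded, restart required" status and is not a failure.
    $dism = Start-Process DISM.exe -ArgumentList "/online /Disable-Feature /FeatureName:$feature /NoRestart" -Wait -NoNewWindow -PassThru
    if ($dism.ExitCode -ne 0 -and $dism.ExitCode -ne 3010) {
        Write-Warning "DISM returned exit code $($dism.ExitCode) while disabling $feature"
    }
}
Write-Color "##############################################################################" Green
Write-Host ""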
Write-Color "Stop and disable the Hyper-V host service" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
# Disable HvHost: first change the startup type, then stop the running instance.
# Each step is reported but non-fatal, so the rest of the script still runs.
$hvHostSteps = @(
    @{
        Message = "Setting HvHost service startup type to disabled"
        Action  = { Set-Service -Name HvHost -StartupType Disabled -ErrorAction Stop }
        OnError = "Failed to set HvHost startup type: "
    },
    @{
        Message = "Stopping HvHost service"
        Action  = { Stop-Service -Name HvHost -Force -ErrorAction Stop }
        OnError = "Could not stop HvHost service or service not running: "
    }
)
foreach ($step in $hvHostSteps) {
    try {
        Write-Host $step.Message
        & $step.Action
    }
    catch {
        Write-Warning ($step.OnError + $_)
    }
}
# Wait 5 seconds | |
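# Give the service control manager a moment to finish stopping the service.
Start-Sleep -Seconds 5
# Kill whatever is still hosting HvHost.
# NOTE(review): HvHost is a service name, not an image name, so Get-Process -Name HvHost
# most likely matched nothing and this step was a silent no-op. Filter by service name
# instead, exactly as the batch version does (taskkill /F /FI "SERVICES eq HvHost").
# Be aware that this terminates the hosting process, which may also host other services.
Write-Host "Killing any remaining HvHost processes..."
$taskkillOutput = & taskkill.exe /F /FI "SERVICES eq HvHost" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "taskkill for the HvHost service failed: $taskkillOutput"
}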
Write-Color "##############################################################################" Green | |
Write-Host "" | |
Write-Color "Disable Virtualization Based Security and Credential Guard at startup (UEFI lock)" Cyan | |
Write-Color "-------------------------------------------------------------------------------" Cyan | |
# Mount EFI system partition to X: | |
Write-Host "Mounting EFI system partition to drive X:"
# mountvol /s maps the EFI system partition on X:. Its status is only visible through
# $LASTEXITCODE, so stderr is merged into $mountOutput for the warning text.
$mountOutput = mountvol X: /s 2>&1
$mountFailed = ($LASTEXITCODE -ne 0)
if ($mountFailed) {
    Write-Warning "Failed to mount EFI system partition: $mountOutput"
    exit 1
}
# Copy SecConfig.efi to EFI boot folder | |
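$sourceFile = "$env:windir\System32\SecConfig.efi"
$destFile = "X:\EFI\Microsoft\Boot\SecConfig.efi"
try {
    # Copy-Item raises a non-terminating error by default, which try/catch does not
    # see; -ErrorAction Stop makes a failed copy take the cleanup path below instead
    # of continuing with a boot entry that points at a file that was never staged.
    Copy-Item -Path $sourceFile -Destination $destFile -Force -ErrorAction Stop
    Write-Host "Copied $sourceFile to $destFile"
}
catch {
    Write-Warning "Failed to copy SecConfig.efi: $_"
    mountvol X: /d | Out-Null
    exit 1
}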
# Create and configure bootloader entry | |
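$guid = "{0cb3b571-2f2e-4343-a879-d86a476d7215}"
Write-Host "Creating bootloader entry $guid ..."
# NOTE(review): /create fails when the entry already exists from an earlier run; the
# original aborted in that case too, so the behaviour is kept, but a rerun then needs
# the stale entry removed (bcdedit /delete) first.
$bcdCreate = bcdedit /create $guid /d "DebugTool" /application osloader
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Failed to create bootloader entry"
    mountvol X: /d | Out-Null
    exit 1
}
# Each bcdedit step is checked on its own; previously only $LASTEXITCODE of the last
# call was tested, so a failure in any earlier step went unnoticed. Identifiers such as
# {bootmgr} are passed as quoted strings because a bare {bootmgr} may be read by
# PowerShell as a script block rather than a literal argument.
# Security impact: bootsequence runs the SecConfig entry once at the next boot to clear
# the UEFI lock; afterwards Credential Guard and VBS are off for {current} until reverted.
$bcdSteps = @(
    @('/set', $guid, 'path', '\EFI\Microsoft\Boot\SecConfig.efi'),
    @('/set', '{bootmgr}', 'bootsequence', $guid),
    @('/set', $guid, 'loadoptions', 'DISABLE-LSA-ISO,DISABLE-VBS'),
    @('/set', $guid, 'device', 'partition=X:'),
    @('/set', 'vsmlaunchtype', 'off'),
    @('/set', 'hypervisorlaunchtype', 'off'),
    @('/set', '{current}', 'loadoptions', 'DISABLE-LSA-ISO,DISABLE-VBS')
)
foreach ($step in $bcdSteps) {
    $bcdOutput = & bcdedit.exe @step 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "bcdedit $($step -join ' ') failed: $bcdOutput"
        mountvol X: /d | Out-Null
        exit 1
    }
}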
# Unmount EFI volume | |
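Write-Host "Unmounting EFI system partition from drive X:"
mountvol X: /d
if ($LASTEXITCODE -ne 0) {
    # Not fatal (all configuration has already been written), but a still-mapped X:
    # makes the next run's mountvol /s fail, so report it.
    Write-Warning "mountvol X: /d returned exit code $LASTEXITCODE; drive X: may still be mapped."
}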
# Closing banner with the end time, then hold the window open until Enter is pressed.
$closingRule = "##############################################################################"
Write-Color $closingRule Green
Write-Host ""
$endedAt = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Write-Host "Script ended at $endedAt"
Write-Color $closingRule Green
Write-Host ""
Write-Host "Press Enter to exit..."
$null = [System.Console]::ReadLine()