@bouroo
Created May 3, 2025 04:29
Script to disable Virtualization Based Security and Credential Guard
@Echo off
cls
Color 04
Echo ##############################################################################
Echo Script to disable Virtualization Based Security and Credential Guard
Echo Version 20250404 by Metis IT
Echo Script started at %date% %time%
Echo .
Echo DISCLAIMER:
Echo .
Echo This script has been made available by Metis IT!
Echo You should only run this script if you know what you are doing.
Echo You also have taken the following precautions:
Echo - You have made a restore point.
Echo - You checked that you can logon with username and password.
Echo - A local administrator account without Windows Hello authentication is available.
Echo - You have printed out the Bitlocker Recovery Key of your system drive.
Echo - You have a recent backup copy of all your data.
Echo - You know that despite all measures taken, you can damage your pc.
Echo ##############################################################################
Echo .
choice /C YN /M "I have taken precautions and I know the risks! Press N (No) to cancel."
If errorlevel 2 Exit
If errorlevel 1 Echo .
Color
Echo Disable VBS and Credential Guard in the Windows registry
Echo ------------------------------------------------------------------------------
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v LsaCfgFlags /t REG_DWORD /d 00000000 /f
Echo ##############################################################################
Echo .
Echo Disable Windows Features that rely on Virtualization Based Security (VBS)
Echo ------------------------------------------------------------------------------
Dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All
Dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V
Dism /online /Disable-Feature /FeatureName:VirtualMachinePlatform
Dism /online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux
Echo ##############################################################################
Echo .
Echo Stop and disable the Hyper-V host service
Echo ------------------------------------------------------------------------------
sc config HvHost start= disabled
net stop HvHost /y
timeout /t 5 /nobreak
Echo Kill the Hyper-V host service if the service is still running.
taskkill /F /FI "SERVICES eq HvHost"
Echo ##############################################################################
Echo .
Echo Disable Virtualization Based Security and Credential Guard at startup (UEFI lock)
Echo ------------------------------------------------------------------------------
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
bcdedit /set hypervisorlaunchtype off
bcdedit /set {current} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
Echo ##############################################################################
Echo .
Echo Script ended at %date% %time%
Echo ##############################################################################
Pause
# Requires -RunAsAdministrator (script will self-elevate if needed)
# Function to check if script is running as Administrator
function Test-Admin {
    $currentUser = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
# Relaunch the script with elevated privileges if not admin
if (-not (Test-Admin)) {
    Write-Warning "This script must be run as Administrator. Relaunching with elevation..."
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = 'powershell.exe'
    $psi.Arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $psi.Verb = 'runas'
    try {
        [System.Diagnostics.Process]::Start($psi) | Out-Null
        exit
    }
    catch {
        Write-Error "User declined the elevation request or error occurred."
        exit 1
    }
}
# Clear screen
Clear-Host
# Define some colors for output
function Write-Color {
    param(
        [string]$Text,
        [ConsoleColor]$ForegroundColor = 'White',
        [ConsoleColor]$BackgroundColor = 'Black'
    )
    Write-Host $Text -ForegroundColor $ForegroundColor -BackgroundColor $BackgroundColor
}
# Display header and disclaimers
Write-Color "##############################################################################" Red
Write-Color "Script to disable Virtualization Based Security and Credential Guard" Red
Write-Color "Version 20250404 by Metis IT" Red
Write-Host "Script started at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Host ""
Write-Color "DISCLAIMER:" Red
Write-Host ""
Write-Host "This script has been made available by Metis IT!"
Write-Host "You should only run this script if you know what you are doing."
Write-Host "You also have taken the following precautions:"
Write-Host "- You have made a restore point."
Write-Host "- You checked that you can logon with username and password."
Write-Host "- A local administrator account without Windows Hello authentication is available."
Write-Host "- You have printed out the Bitlocker Recovery Key of your system drive."
Write-Host "- You have a recent backup copy of all your data."
Write-Host "- You know that despite all measures taken, you can damage your PC."
Write-Color "##############################################################################" Red
Write-Host ""
# Prompt user to confirm they've taken precautions (Y/N)
do {
    $choice = Read-Host "I have taken precautions and I know the risks! (Y/N)"
} while ($choice -notmatch '^[YyNn]$')
if ($choice -match '^[Nn]$') {
    Write-Host "User cancelled the operation."
    exit 0
}
Write-Host ""
# Function to add or set registry DWORD value
function Set-RegistryDword {
    param (
        [string]$Path,
        [string]$Name,
        [int]$Data
    )
    try {
        if (-not (Test-Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        Set-ItemProperty -Path $Path -Name $Name -Value $Data -Type DWord -Force
        Write-Host "Set $Name to $Data in $Path"
    }
    catch {
        # ${Path} is braced: "$Path:" would be parsed as a drive-qualified variable and fail to parse
        Write-Warning "Failed to set $Name in ${Path}: $_"
    }
}
Write-Color "Disable VBS and Credential Guard in the Windows registry" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
Set-RegistryDword "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" "EnableVirtualizationBasedSecurity" 0
Set-RegistryDword "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" "LsaCfgFlags" 0
Set-RegistryDword "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" "EnableVirtualizationBasedSecurity" 0
Set-RegistryDword "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" "LsaCfgFlags" 0
Write-Color "##############################################################################" Green
Write-Host ""
Write-Color "Disable Windows Features that rely on Virtualization Based Security (VBS)" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
$featuresToDisable = @(
    "Microsoft-Hyper-V-All",
    "Microsoft-Hyper-V",
    "VirtualMachinePlatform",
    "Microsoft-Windows-Subsystem-Linux"
)
foreach ($feature in $featuresToDisable) {
    Write-Host "Disabling feature: $feature ..."
    # Using Dism via PowerShell
    Start-Process DISM.exe -ArgumentList "/online /Disable-Feature /FeatureName:$feature /NoRestart" -Wait -NoNewWindow
}
Write-Color "##############################################################################" Green
Write-Host ""
Write-Color "Stop and disable the Hyper-V host service" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
# Disable HvHost service
try {
    Write-Host "Setting HvHost service startup type to disabled"
    Set-Service -Name HvHost -StartupType Disabled -ErrorAction Stop
}
catch {
    Write-Warning "Failed to set HvHost startup type: $_"
}
try {
    Write-Host "Stopping HvHost service"
    Stop-Service -Name HvHost -Force -ErrorAction Stop
}
catch {
    Write-Warning "Could not stop HvHost service or service not running: $_"
}
# Wait 5 seconds
Start-Sleep -Seconds 5
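# Kill the process hosting HvHost if the service is still running.
# HvHost runs inside a shared svchost.exe, so the process is looked up by service, not by name
# (the equivalent of the batch version's taskkill /FI "SERVICES eq HvHost").
Write-Host "Killing any remaining HvHost processes..."
$hvHostSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='HvHost'" -ErrorAction SilentlyContinue
if ($hvHostSvc -and $hvHostSvc.ProcessId -ne 0) {
    # Capture the PID first: inside catch, $_ is the error record, not the process
    $hvHostPid = $hvHostSvc.ProcessId
    try {
        Stop-Process -Id $hvHostPid -Force -ErrorAction Stop
        Write-Host "Killed process Id $hvHostPid"
    }
    catch {
        Write-Warning "Failed to kill process Id ${hvHostPid}: $_"
    }
}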
Write-Color "##############################################################################" Green
Write-Host ""
Write-Color "Disable Virtualization Based Security and Credential Guard at startup (UEFI lock)" Cyan
Write-Color "-------------------------------------------------------------------------------" Cyan
# Mount EFI system partition to X:
Write-Host "Mounting EFI system partition to drive X:"
$mountOutput = mountvol X: /s 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Failed to mount EFI system partition: $mountOutput"
    exit 1
}
# Copy SecConfig.efi to EFI boot folder
$sourceFile = "$env:windir\System32\SecConfig.efi"
$destFile = "X:\EFI\Microsoft\Boot\SecConfig.efi"
try {
    Copy-Item -Path $sourceFile -Destination $destFile -Force
    Write-Host "Copied $sourceFile to $destFile"
}
catch {
    Write-Warning "Failed to copy SecConfig.efi: $_"
    mountvol X: /d | Out-Null
    exit 1
}
# Create and configure bootloader entry
$guid = "{0cb3b571-2f2e-4343-a879-d86a476d7215}"
Write-Host "Creating bootloader entry $guid ..."
$bcdCreate = bcdedit /create $guid /d "DebugTool" /application osloader
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Failed to create bootloader entry"
    mountvol X: /d | Out-Null
    exit 1
}
# '{bootmgr}' and '{current}' are quoted: unquoted braces are parsed by PowerShell as a script block.
# The comma-separated load options are quoted so they reach bcdedit as a single argument.
$bcdSetPath = bcdedit /set $guid path "\EFI\Microsoft\Boot\SecConfig.efi"
$bcdSetBootSeq = bcdedit /set '{bootmgr}' bootsequence $guid
$bcdSetLoadOptions1 = bcdedit /set $guid loadoptions DISABLE-LSA-ISO
$bcdSetDevice = bcdedit /set $guid device partition=X:
$bcdSetLoadOptions2 = bcdedit /set $guid loadoptions 'DISABLE-LSA-ISO,DISABLE-VBS'
$bcdSetVsmlaunchType = bcdedit /set vsmlaunchtype off
$bcdSetHypervisorLaunchType = bcdedit /set hypervisorlaunchtype off
$bcdSetCurrentLoadOptions = bcdedit /set '{current}' loadoptions 'DISABLE-LSA-ISO,DISABLE-VBS'
# Note: $LASTEXITCODE reflects only the last bcdedit call above, not each one
if ($LASTEXITCODE -ne 0) {
    Write-Warning "One or more bcdedit commands failed."
    mountvol X: /d | Out-Null
    exit 1
}
# Unmount EFI volume
Write-Host "Unmounting EFI system partition from drive X:"
mountvol X: /d
Write-Color "##############################################################################" Green
Write-Host ""
Write-Host "Script ended at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Color "##############################################################################" Green
Write-Host ""
Write-Host "Press Enter to exit..."
[void][System.Console]::ReadLine()
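
A read-only check of the settings both scripts change, useful for confirming a machine's state before and after a run or for flagging hosts where these protections have been switched off. This is an added example, not part of the original gist; the helper name `Get-DwordOrNull` is hypothetical, and the status codes are those documented for the `Win32_DeviceGuard` class.

```powershell
# Added example (not from the gist): read-only audit of the settings changed above.
function Get-DwordOrNull {                      # hypothetical helper name
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null                                # key or value is absent
}

# 1. Registry values written by both scripts
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LsaCfgFlags' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'LsaCfgFlags' }
)
$checks | ForEach-Object {
    $value = Get-DwordOrNull -Path $_.Path -Name $_.Name
    [pscustomobject]@{
        Setting       = "$($_.Path)\$($_.Name)"
        Value         = if ($null -eq $value) { '(not set)' } else { $value }
        ExplicitlyOff = ($value -eq 0)          # an explicit 0 means turned off by configuration
    }
} | Format-Table -AutoSize -Wrap

# 2. What is actually running now (configuration changes apply at the next boot)
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
if ($dg) {
    $vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
    Write-Host "VBS status:               $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
    Write-Host "Credential Guard running: $($dg.SecurityServicesRunning -contains 1)"
    Write-Host "HVCI running:             $($dg.SecurityServicesRunning -contains 2)"
} else {
    Write-Warning 'Win32_DeviceGuard is not available on this system.'
}

# 3. Boot configuration (needs an elevated prompt; braces are quoted so PowerShell
#    does not parse them as a script block)
bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype|vsmlaunchtype|loadoptions'
$toolGuid = '0cb3b571-2f2e-4343-a879-d86a476d7215'   # boot entry both scripts create
if (bcdedit /enum all | Select-String -SimpleMatch $toolGuid) {
    Write-Warning "SecConfig.efi boot entry {$toolGuid} is present in the BCD store."
}
```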