@buswedg
Last active April 27, 2026 21:54
Disable Hyper-V and VBS on Windows 11

Disable Windows Hypervisor (Hyper-V) and Virtualization Based Security (VBS) on Windows 11

What?

Steps to completely disable the Windows Hypervisor and Virtualization Based Security (VBS) features on Windows 11.

Why?

Disabling the hypervisor can improve performance on gaming-focused machines and is often necessary when using low-level system tools or alternative virtualization software that conflicts with Hyper-V.

Note

This guide is based on an install of Windows 11 Pro 25H2 (OS Build 26200.8246).

Steps

  1. Check current status by opening PowerShell as Administrator and running:

    systeminfo

    If active, it will show: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

  2. Disable Virtualization-based features by opening PowerShell as Administrator and running:

    Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
    Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -NoRestart
    Disable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart
    Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
    Disable-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform -NoRestart
    Disable-WindowsOptionalFeature -Online -FeatureName Containers -NoRestart

  3. Disable Hyper-V by opening Command Prompt as Administrator and running:

    bcdedit /set hypervisorlaunchtype Off
    bcdedit /set vsmlaunchtype Off

  4. Restart the system.

  5. Disable VBS and Credential Guard (CG) (if necessary) — If you have VBS enabled with UEFI Lock, or if any VBS features (such as Device Guard or Credential Guard) are still using the hypervisor, they must be disabled to ensure no hypervisor components remain active.

    • If you previously enabled Windows PIN (Windows Hello) login with CG active, it will likely force-enable VBS, so disable PIN (Windows Hello) first:
      • Press Win + R and run ms-settings:signinoptions.
      • Select 'PIN (Windows Hello)' and disable.
    • Then open PowerShell as Administrator and run the following to disable the Windows Hello Device Guard scenario:
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello" /v "Enabled" /t REG_DWORD /d 0 /f

    Now, choose one of the following options to disable the core VBS/CG components:

    Option A: Use the DG Readiness Tool (Official)

    • Set the PowerShell execution policy to unrestricted:
      Set-ExecutionPolicy unrestricted
    • Download and run the DG Readiness Tool:
      .\DG_Readiness.ps1 -Disable

    Option B: Run manual PowerShell commands

    • Open PowerShell as Administrator and run the following block. This manually performs the registry changes and stages the SecConfig.efi boot tool:

      # Disable VBS, Credential Guard, and HVCI via Registry
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
      # LsaCfgFlags is a value under the Lsa key, so it is removed with /v
      REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f
      
      # Mount EFI partition and stage SecConfig.efi
      $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
      mountvol $FreeDrive /s
      Copy-Item "$env:windir\System32\SecConfig.efi" "$FreeDrive\EFI\Microsoft\Boot\SecConfig.efi" -Force
      
      # Create BCD boot entry and set sequence
      bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader
      bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi
      bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions "DISABLE-LSA-ISO,DISABLE-VBS"
      bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive
      bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"
      
      # Unmount EFI partition
      mountvol $FreeDrive /d

    • Finally, restart the system. On the next boot, you will be prompted to confirm the removal of Credential Guard and VBS. Press F3 to confirm for both.

  6. Verify status — Open PowerShell as Administrator and run:

    systeminfo

    If disabled, it will show: Virtualization-based security: Status: Not enabled

  7. You can now re-enable Windows PIN (Windows Hello) login if desired. To do so:

    • Press Win + R and run ms-settings:signinoptions.
    • Select 'PIN (Windows Hello)' and configure.
  8. Verify final status and clean-up — Restart the system, re-check that VBS has remained disabled, and delete the log folder created by DG Readiness at C:\DGLogs.
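
A read-only status report covering everything the steps above change, as an added example that is not part of the original gist. The function name Get-HypervisorVbsState is hypothetical; it reads the optional features, BCD elements and registry values named in the guide, plus the Win32_ComputerSystem and Win32_DeviceGuard CIM classes, and can be run before step 2 to record a baseline and again after step 8 to compare.

```powershell
# Added example (not from the original gist): read-only report of the settings
# this guide changes. Run from an elevated prompt; nothing is modified.
function Get-HypervisorVbsState {   # hypothetical helper name
    $row = { param($s, $v) [pscustomobject]@{ Setting = $s; Value = $v } }

    # Step 2: optional features (a name this edition lacks is reported, not fatal)
    foreach ($name in 'Microsoft-Hyper-V-All', 'Microsoft-Hyper-V', 'VirtualMachinePlatform',
                      'Microsoft-Windows-Subsystem-Linux', 'HypervisorPlatform', 'Containers') {
        try   { $state = (Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop).State }
        catch { $state = 'Not available' }
        & $row "Feature: $name" "$state"
    }

    # Step 3: BCD launch types; a missing element means it was never set
    $bcd = (bcdedit /enum '{current}') -join "`n"
    foreach ($element in 'hypervisorlaunchtype', 'vsmlaunchtype') {
        $m = [regex]::Match($bcd, "(?m)^$element\s+(\S+)")
        & $row "BCD: $element" $(if ($m.Success) { $m.Groups[1].Value } else { 'Not set' })
    }

    # Step 5: registry values; 'Absent' is reported separately from 0
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    foreach ($c in @(@($dgKey, 'EnableVirtualizationBasedSecurity'),
                     @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'LsaCfgFlags'),
                     @("$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity", 'Enabled'),
                     @("$dgKey\Scenarios\WindowsHello", 'Enabled'))) {
        $v = (Get-ItemProperty -Path $c[0] -Name $c[1] -ErrorAction SilentlyContinue).($c[1])
        & $row "Registry: $(Split-Path $c[0] -Leaf)\$($c[1])" $(if ($null -eq $v) { 'Absent' } else { $v })
    }

    # Live state: what is actually running, independent of the configuration above
    & $row 'Hypervisor present' (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbs = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $svc = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }
    # CIM returns UInt32; cast to int so the hashtable lookups match their keys
    & $row 'VBS status' ($vbs[[int]$dg.VirtualizationBasedSecurityStatus])
    $running = $dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
        if ($svc.ContainsKey([int]$_)) { $svc[[int]$_] } else { "Service id $_" }
    }
    & $row 'VBS services running' $(if ($running) { $running -join ', ' } else { 'None' })
}

Get-HypervisorVbsState | Format-Table -AutoSize
```

Piping the function to Export-Csv instead of Format-Table keeps the baseline on disk, which gives the exact values to restore if the hypervisor, Credential Guard or memory integrity are re-enabled later.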
