Solved Virtualization Based Security


kellymac35

Hello,

I noticed my Hypervisor-protected code integrity (HVCI) is disabled. I found these settings in the Local Group Policy Editor and was ready to go for it when I thought I'd better ask. Does anyone else have this enabled on their system? I checked the tutorials and could not find any reference on these settings.


[Attached screenshots: Screenshot 2022-02-28 194853.png, Screenshot 2022-02-28 194808.png]
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    AMD Ryzen 9 5950X (Zen 3) 16-Core
    Motherboard
    EVGA X570 FTW WIFI
    Memory
    G.SKILL Trident Z Neo (For AMD Ryzen) 32G DDR4-3600
    Graphics Card(s)
    EVGA GeForce RTX 3070 XC3 ULTRA PCI Express 4.0, Resizable BAR : Yes
    Screen Resolution
    3840 x 2160
    Hard Drives
    SB-ROCKET-NVMe4-500 M.2
    970 EVO Plus 1TB - M.2
    2TB 7200 RPM Hard Drive
    4TB WD My Passport
    PSU
    Super Flower Leadex V Gold PRO 1000W 130mm
    Case
    HYTE Y60 Modern Aesthetic Dual Chamber Panoramic Tempered Glass
    Cooling
    EK AIO 360mm Liquid CPU Cooler
    Keyboard
    NPET K11 Wireless Gaming Keyboard, Rechargeable Backlit
    Mouse
    Logitech
    Internet Speed
    T Mobile Home Internet 5G. $50.00 A month with autopay
    Antivirus
    Windows Defender / Malwarebytes Premium
  • Operating System
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    AMD Ryzen 7 5800X 8-core
    Motherboard
    MSI MPG X570 GAMING PLUS
    Memory
    GeIL EVO X II AMD Edition 32 GB
    Graphics card(s)
    EVGA GeForce RTX 2060 KO ULTRA
    Screen Resolution
    1920 x 1080
    Hard Drives
    PNY CS1030 250GB M.2 NVMe Windows
    PNY CS1030 250GB M.2 NVMe Xbox
    Sandisk 500GB SSD Steam / Origin
    Sandisk 120GB SSD Storage
    PSU
    Corsair CX 750M
    Case
    EVGA DG-76 Matte Black Mid-Tower
    Cooling
    AMD Wraith Prism
    Mouse
    Logitech
    Keyboard
    Logitech
    Internet Speed
    T Mobile Home Internet 5G. $50.00 A month with autopay
    Antivirus
    Windows Defender / Malwarebytes
Does anyone else have this enabled on their system? I checked the tutorials and could not find any reference on these settings.
I do on two out of my three Windows 11 machines. It works the same in Windows 10, so this tutorial is relevant.


EDIT: This tutorial has now been updated for Windows 11.


Virtualisation Based Security should be enabled by default - providing all installed drivers are compatible with VBS. But if your system uses an incompatible driver you cannot enable it. See my post #34 here for more details, and why my 3rd machine can never run VBS.

 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October 2021 it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update, and 24H2 on 3rd October through Windows Update by setting the Target Release Version for 24H2.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 8GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Dev, Beta, and RP 24H2 as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 8GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, Canary, and Release Preview builds as a native boot .vhdx.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E4310
    CPU
    Intel® Core™ i5-520M
    Motherboard
    0T6M8G
    Memory
    8GB
    Graphics card(s)
    (integrated graphics) Intel HD Graphics
    Screen Resolution
    1366x768
    Hard Drives
    500GB Crucial MX500 SSD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround. Feature Update to 23H2 by manually installing the Enablement Package. In-place upgrade to 24H2 using hybrid 23H2/24H2 install media. Also running Insider Beta, Dev, and Canary builds as a native boot .vhdx.

Virtualisation Based Security should be enabled by default

Yes, it is enabled by default when Virtualization is enabled in the BIOS. Maybe the OP does not have Virtualization enabled in their BIOS?
 

My Computer

System One

  • OS
    Windows 11 - Release Preview channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    Kol's custom ROG
    CPU
    Intel 13900K
    Motherboard
    Asus ROG Maximus Hero Z790
    Memory
    Corsair Dominator Platinum RGB 32GB DDR5 6000MHz
    Graphics Card(s)
    Gigabyte 4090 Gaming OC
    Sound Card
    SoundBlaster X-AE5
    Monitor(s) Displays
    Dell Alienware AW3821DW
    Screen Resolution
    3840x1600 144hz
    Hard Drives
    Samsung 980 Pro 500GB
    860 EVO's
    Samsung 990 Pro 2TB
    External RAID enclosure - 2x Seagate 3TB HDD
    PSU
    Seasonic Prime Ultra 1300W Platinum
    Case
    Phanteks Eclipse P600S
    Cooling
    Custom water cooling. EK Velocity (CPU), EK Quantum Vector2 (GPU), EK Quantum D5 Pump, 360mm radiator in case + 560mm external radiator
    Keyboard
    Corsair K100
    Mouse
    Logitech G502X
    Antivirus
    Windows Defender, VBS
Hi folks

For ordinary home users a lot of this stuff is WAY OTT. Who as a typical home user using a Virtual Machine has anything to fear about a hacker getting in to some weird CPU trick to gain access to a machine --- to do what with I ask. The typical user is far more susceptible to scams etc. which don't need any serious hacking at all. Why would people bother to spend a lot of time and hard work in gaining access to a small user's machine -- to gain what -- 50 USD !! -- there's infinitely easier and larger pickings to be had by these "miscreants".

At a corporate level it's more important -- attacking infrastructure such as transport, energy and health sectors, media sites, DoS attacks etc. is these days where the problems will be at.

Just install the basic Windows WD software - and simply surf safely and take sensible precautions with emails etc. Even Torrent sites are relatively safe these days --they make money by advertising and people won't come back if their computers get loaded with malware. Don't though download .rar or other compressed files --if you want multi-media download the mp3/mp4/flac/m4a/mkv/avi files directly as it's almost impossible to include a nasty payload with those.

Most domestic Anti Virus products were designed for a different bygone era when the OS was as leaky as a sieve and scamming of the order we have today was in its infancy -- then hacking was a more serious problem on domestic machines. -- WD is fine now.

If you want to add 3rd party or other convoluted security measures then if it gives you peace of mind then OK - can't argue with that - but from a technical point of view it's 100% unnecessary these days provided you keep WD up to date. It's updated several times a week anyway.

For prevention against scams only the Human Brain is successful currently. This type of prevention would take really sophisticated Machine learning and Artificial Intelligence and we are a long way off getting to that level of sophistication yet.

Cheers
jimbo
 

My Computer

System One

  • OS
    Windows XP,7,10,11 Linux Arch Linux
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7
I personally feel VBS is worth the extra security even on my home PC. :) Scams on home users can lead to system takeovers.
 

I did a repair install of Windows 11 with an in-place upgrade a few weeks ago and I believe this is how my setting must have been changed. I went ahead and re-enabled my setting in group policy; now (HVCI) shows enabled. Thank you to all who responded.



[Attached screenshot: Screenshot 2022-03-01 033255.png]
 

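Added example (not part of any post in this thread): a read-only PowerShell check that compares what policy and local settings request for VBS/HVCI with what is actually running, which is how to confirm the state after a repair install or a Group Policy change. It uses the Win32_DeviceGuard CIM class and the DeviceGuard registry keys; the helper names Get-RegValue and ConvertTo-ServiceName are made up for this example.

```powershell
# Run in an elevated PowerShell session on Windows 10/11. Nothing is modified.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Value meanings for Win32_DeviceGuard properties
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'; 3 = 'System Guard Secure Launch' }

# Hypothetical helper: turn service codes into readable names
function ConvertTo-ServiceName([uint32[]]$Codes) {
    $names = foreach ($c in $Codes) {
        if ($c -ne 0) {
            if ($services.ContainsKey([int]$c)) { $services[[int]$c] } else { "Unknown ($c)" }
        }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Hypothetical helper: read one registry value, $null if the key or value is absent
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$scenarioKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning -contains 2

[pscustomobject]@{
    VbsStatus                  = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured         = ConvertTo-ServiceName $dg.SecurityServicesConfigured
    ServicesRunning            = ConvertTo-ServiceName $dg.SecurityServicesRunning
    HypervisorSupportAvailable = $dg.AvailableSecurityProperties -contains 1
    PolicyEnableVbs            = Get-RegValue $policyKey 'EnableVirtualizationBasedSecurity'
    PolicyHvci                 = Get-RegValue $policyKey 'HypervisorEnforcedCodeIntegrity'
    LocalHvciEnabled           = Get-RegValue $scenarioKey 'Enabled'
} | Format-List

# Configured-but-not-running is the case the thread describes: virtualization off in
# firmware, an incompatible driver, or a reboot still pending after the change.
if ($hvciConfigured -and -not $hvciRunning) {
    Write-Warning 'HVCI is configured but not running: check firmware virtualization, driver compatibility, and whether a reboot is pending.'
}
```

Empty policy values mean Group Policy is not setting VBS/HVCI, so the local (Windows Security) setting decides.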
Who as a typical home user using a Virtual Machine has anything to fear about a hacker getting in to some weird CPU trick to gain access to a machine...
...Just install the basic Windows WD software - and simply surf safely...
We are not talking about using a Virtual Machine here. We are talking about enabling one of the functions in your 'basic Windows WD software' - Core Isolation (a function that is normally on by default).

[Attached image: 1646144548212.png]
 
