Solved Virtualization Based Security


kellymac35

Active member
Member
VIP
Local time
9:09 PM
Posts
50
OS
Windows 11 Pro
Hello,

I noticed my Hypervisor-protected code integrity (HVCI) is disabled. I found these settings in the Local Group Policy Editor and was ready to go for it when I thought I'd better ask. Does anyone else have this enabled on their system? I checked the tutorials and could not find any reference on these settings.



My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    AMD Ryzen 9 5950X (Zen 3) 16-Core
    Motherboard
    MSI PRESTIGE X570 CREATION
    Memory
    G.SKILL Trident Z Neo (For AMD Ryzen) 32G DDR4-3600
    Graphics Card(s)
    EVGA GeForce RTX 3070 XC3 ULTRA PCI Express 4.0, Resizable BAR : Yes
    Screen Resolution
    3840 x 2160
    Hard Drives
    SB-ROCKET-NVMe4-500 M.2
    SB-ROCKET-NVMe4-500 M.2
    970 EVO Plus 1TB - M.2
    ADATA XPG SX8200 Pro 1TB M.2
    2TB 7200 RPM Hard Drive
    PSU
    Super Flower Leadex V Gold PRO 1000W 130mm
    Case
    MSI Premium Mid-Tower MPG GUNGNIR 100
    Cooling
    EK AIO 360mm Liquid CPU Cooler
    Keyboard
    NPET K11 Wireless Gaming Keyboard, Rechargeable Backlit
    Mouse
    Logitech
    Internet Speed
    T Mobile Home Internet 5G. $50.00 A month with autopay
    Antivirus
    Windows Defender / Malwarebytes Premium
    Other Info
    M.2 XPANDER-Z GEN4
  • Operating System
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    AMD Ryzen 7 5800X 8-core
    Motherboard
    MSI MPG X570 GAMING PLUS
    Memory
    GeIL EVO X II AMD Edition 32 GB
    Graphics card(s)
    EVGA GeForce RTX 2060 KO ULTRA
    Screen Resolution
    1920 x 1080
    Hard Drives
    PNY CS1030 250GB M.2 NVMe Windows
    PNY CS1030 250GB M.2 NVMe Xbox
    Sandisk 500GB SSD Steam / Origin
    Sandisk 120GB SSD Storage
    PSU
    Corsair CX 750M
    Case
    EVGA DG-76 Matte Black Mid-Tower
    Cooling
    AMD Wraith Prism
    Mouse
    Logitech
    Keyboard
    Logitech
    Internet Speed
    T Mobile Home Internet 5G. $50.00 A month with autopay
    Antivirus
    Windows Defender / Malwarebytes

Bree

Well-known member
Pro User
VIP
Local time
3:09 AM
Posts
2,328
Location
S/E England, UK
OS
Windows 11 Home
> Does anyone else have this enabled on their system? I checked the tutorials and could not find any reference on these settings.

I do on two out of my three Windows 11 machines. It works the same in Windows 10, so this tutorial is relevant.


EDIT: This tutorial has now been updated for Windows 11.


Virtualisation Based Security should be enabled by default - providing all installed drivers are compatible with VBS. But if your system uses an incompatible driver you cannot enable it. See my post #34 here for more details, and why my 3rd machine can never run VBS.

 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB HDD
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October.


    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB ssd, Windows 11 Pro.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    i5 M 520
    Motherboard
    0T6M8G
    Memory
    4GB
    Screen Resolution
    1366x768
    Hard Drives
    500GB HDD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround.



Kol12

Active member
Member
VIP
Local time
2:09 PM
Posts
252
OS
Windows 11 - Release Preview channel
> Virtualisation Based Security should be enabled by default

Yes, it is enabled by default when Virtualization is enabled in the BIOS. Maybe the OP does not have Virtualization enabled in their BIOS?
 

My Computer

System One

  • OS
    Windows 11 - Release Preview channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    Kol's custom ROG Z590
    CPU
    Intel 10900K @ 5.1 Ghz
    Motherboard
    Asus ROG Maximus XIII Hero Z590
    Memory
    Corsair Dominator Platinum RGB 32GB (4x8) OC to 3866Mhz CL 16
    Graphics Card(s)
    Asus ROG Strix 3080 OC edition
    Sound Card
    SoundBlaster X-AE5
    Monitor(s) Displays
    Asus ROG PG349Q 34" 120hz Gysnc
    Screen Resolution
    3440x1440
    Hard Drives
    Samsung 980 Pro 500GB
    860 EVO's
    Adata SX2000 Pro 1TB
    External RAID enclosure - Seagate 3TB HDD's
    PSU
    Seasonic Prime Ultra 1300W Platinum
    Case
    Phanteks Eclipse P600S
    Cooling
    Custom water cooling. EK Velocity (CPU), EK Quantum Vector (GPU), EK Quantum D5 Pump, 360 + 280 mm rads, 3x120mm Corsair LL, 3x 140mm Corsair LL fans
    Keyboard
    Corsair K70 MK.2 SE
    Mouse
    Corsair Dark Core Pro Wireless
    Antivirus
    Windows Defender

jimbo45

Well-known member
Power User
VIP
Local time
2:09 AM
Posts
1,486
Location
Hafnarfjörður IS
OS
Windows XP,7,10,11 Linux Arch Linux
Hi folks

For ordinary home users a lot of this stuff is WAY OTT. Who as a typical home user using a Virtual Machine has anything to fear about a hacker getting in to some weird CPU trick to gain access to a machine -- to do what with, I ask. The typical user is far more susceptible to scams etc. which don't need any serious hacking at all. Why would people bother to spend a lot of time and hard work in gaining access to a small user's machine -- to gain what -- 50 USD !! -- there's infinitely easier and larger pickings to be had by these "miscreants".

At a corporate level it's more important -- attacking infrastructure such as transport, energy and health sectors, media sites, DoS attacks etc. is these days where the problems will be at.

Just install the basic Windows WD software - and simply surf safely and take sensible precautions with emails etc. Even Torrent sites are relatively safe these days -- they make money by advertising and people won't come back if their computers get loaded with malware. Don't though download .rar or other compressed files -- if you want multi-media download the mp3/mp4/flac/m4a/mkv/avi files directly as it's almost impossible to include a nasty payload with those.

Most domestic Anti Virus products were designed for a different bygone era when the OS was as leaky as a sieve and scamming of the order we have today was in its infancy -- then hacking was a more serious problem on domestic machines. -- WD is fine now.

If you want to add 3rd party or other convoluted security measures then if it gives you peace of mind then OK - can't argue with that - but from a technical point of view it's 100% unnecessary these days provided you keep WD up to date. It's updated several times a week anyway.

For prevention against scams only the Human Brain is successful currently. This type of prevention would take really sophisticated Machine learning and Artificial Intelligence and we are a long way off getting to that level of sophistication yet.

Cheers
jimbo
 

My Computer

System One

  • OS
    Windows XP,7,10,11 Linux Arch Linux
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7

Kol12

I personally feel VBS is worth the extra security even on my home PC. :) Scams on home users can lead to system takeovers.
 


kellymac35

Thread Starter
I did a repair install of Windows 11 with an in-place upgrade a few weeks ago and I believe this is how my setting must have been changed. I went ahead and re-enabled my setting in Group Policy; now (HVCI) shows enabled. Thank you to all who responded.




Bree

> Who as a typical home user using a Virtual Machine has anything to fear about a hacker getting in to some weird CPU trick to gain access to a machine...
> ...Just install the basic Windows WD software - and simply surf safely...

We are not talking about using a Virtual Machine here. We are talking about enabling one of the functions in your 'basic Windows WD software' - Core Isolation (a function that is normally on by default).

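Added example, not part of any post in this thread: a PowerShell check that separates "HVCI is configured" from "HVCI is actually running", which is the distinction behind the Group Policy setting, the firmware virtualization requirement and the incompatible-driver case discussed above. It assumes the `Win32_DeviceGuard` CIM class and the DeviceGuard registry values that Windows 10/11 expose; the function name `Get-VbsReport` is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Get-VbsReport is a hypothetical helper name.
function Get-VbsReport {
    $vbsNames = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

    # Runtime state as reported by Windows.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Configuration sources: Group Policy value and the local (Windows Security UI) value.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $policy = (Get-ItemProperty -Path $policyKey -Name 'HypervisorEnforcedCodeIntegrity' -ErrorAction SilentlyContinue).HypervisorEnforcedCodeIntegrity
    $local  = (Get-ItemProperty -Path $localKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    # In SecurityServicesConfigured / SecurityServicesRunning, the value 2 means HVCI.
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning -contains 2
    # In AvailableSecurityProperties, the value 1 means hypervisor support is available.
    $virtAvailable  = $dg.AvailableSecurityProperties -contains 1

    if ($hvciRunning) {
        $diagnosis = 'HVCI is running.'
    } elseif ($hvciConfigured) {
        $diagnosis = 'HVCI is configured but not running: check for a pending reboot, firmware virtualization, or an incompatible driver.'
    } elseif (-not $virtAvailable) {
        $diagnosis = 'Hypervisor support is not reported as available: check the virtualization setting in firmware.'
    } else {
        $diagnosis = 'HVCI is not configured (neither policy nor local setting has taken effect).'
    }

    [pscustomobject]@{
        VbsStatus          = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        HypervisorPresent  = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
        VirtSupportAvail   = $virtAvailable
        HvciPolicyValue    = $policy   # $null = not set by policy; 0 = off; 1 = on with UEFI lock; 2 = on without lock
        HvciLocalEnabled   = $local    # $null = never set locally; 0 = off; 1 = on
        HvciConfigured     = $hvciConfigured
        HvciRunning        = $hvciRunning
        Diagnosis          = $diagnosis
    }
}

Get-VbsReport | Format-List
```

A policy or local value that is set while `HvciRunning` is still `False` after a reboot points at the platform or a driver rather than at the setting itself.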