Android Studio requires Hyper-V, but installing Hyper-V also enabled VBS (Virtualization-based Security). The problem is AMD's Ryzen software doesn't run if VBS is enabled.

Applying the following script gave me an option to "opt-out" from VBS on the next reboot, but that does not seem to be permanent. Restarting Windows seems to enable VBS again. So, it seems that I have to run the script and press the opt-out key every time.

Is there any way to disable VBS permanently and never be asked to disable it again?

REM Mount the EFI system partition on a free drive letter
set FREE_MOUNT_VOL_DRIVELETTER=L:
mountvol %FREE_MOUNT_VOL_DRIVELETTER% /s
REM Copy the Device Guard opt-out tool onto the EFI partition (use the variable, not a hardcoded L:)
copy C:\WINDOWS\System32\SecConfig.efi %FREE_MOUNT_VOL_DRIVELETTER%\EFI\Microsoft\Boot\SecConfig.efi /Y
REM Create a one-time boot entry that runs SecConfig.efi with the disable options on the next boot
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DG" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=%FREE_MOUNT_VOL_DRIVELETTER%
REM Unmount the EFI partition again
mountvol %FREE_MOUNT_VOL_DRIVELETTER% /d

Local Group Policy does not seem to work.


The Registry value EnableVirtualizationBasedSecurity has already been set to 0.

Damn Vegetables

9 Answers

3

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard and add a new DWORD value named EnableVirtualizationBasedSecurity and set its value to 0" DID the trick for me.

Mohkam
1

This procedure should disable Virtualization Based Security:

  • Run gpedit.msc
  • Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard
  • Double click Turn on Virtualization Based Security
  • Select Disabled
  • Click OK
  • A reboot might be required.
harrymc
1

I did all the same things you did (GPedit, RegEdit).

Finally, disabling secure boot and any VBS option in the BIOS did the trick.

1

As far as I understand: either it can't be disabled without disabling Hyper-V, or Ryzen Master is treating Hyper-V the same way as VBS.

Anyway, OP was asking this question because he wanted to execute Ryzen Master (as was I today).

Here I will present a hacky solution to launch Ryzen Master without disabling Hyper-V.

Reddit user klauspost has created a patch that allows bypassing these checks in Ryzen Master. I've tested it and it works on my machine; it is indeed able to change the CPU configuration.

The patch itself: https://github.com/klauspost/ryzen-master-vbs-patch
Reddit thread: https://www.reddit.com/r/Amd/comments/gtvy2w/patch_for_amd_ryzen_master_to_work_with/

A YouTube video with a tutorial on how to apply the patch: https://www.youtube.com/watch?v=h7xId0RO9Rk

P.S. As far as I understand, AMD don't want to cause any stability issues, so they won't officially allow it to run with Hyper-V. It can cause some issues with virtualization. Hyper-V is the kind of VM that runs on top of Windows, so your OS always runs inside a VM.

So use this patch at your own risk. Neither I nor the patch author is responsible for possible damage.

1

If this is an option for you, update to a newer version of Ryzen Master and have Hyper-V turned on and VBS running, without making other changes. It appears that newer version(s) of Ryzen Master allow VBS to be running. But specifically which versions do or do not, I'm not sure.

I am using Windows 10 Pro version 1909 and Ryzen Master version 2.8.0.1937, with Hyper-V turned on and VBS running.

System information via Ryzen Master and Windows

Tarocco
0

I have 20.04 installed, and what I found is that, other than what @dyasta had mentioned above, be sure to unselect the Windows Feature Windows Defender Application Guard.

In my case, I managed to turn VBS off by making the GPEDIT change suggested above, turning off all Hyper-V features, turning off Windows Defender Application Guard, and rebooting.

0

I had the same error as you. What I did was turn off the below features in Windows Features.

  • Windows Hypervisor Platform
  • Virtual Machine Platform
  • Microsoft Defender Application Guard

The reason: there are multiple System Components that utilize VBS.

ZygD
Martis
0

here's how i disabled VBS and LSAISO (the isolated lsa + secure system processes that appear in task manager)

basically this allows you to keep hyper-v installed and working. no need to uninstall hyper-v or set hypervisorlaunchtype to off or do the bootmgr device guard / vbs bypass at every reboot...

tl;dr

disable secureboot and also tpm if you want. (secureboot is a tad annoying anyway, as it prevents you from altering the bcd via bcdedit; it says access denied)

just remember to add a bypass to your windows installation media, or re-enable these things when doing an upgrade and then turn them off again.

apply the below registry script (some entries are probably redundant, but it's more of a try-it-all just to be sure).

EnableVirtualizationBasedSecurity = 2 disables vbs, i know...why doesn't 0 do it ? not sure.

i posted the following on mdl forums;

first part of post not important...so left out.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
    "Unlocked"=dword:00000001
    "Locked"=dword:00000000
    "RequirePlatformSecurityFeatures"=dword:00000001
    "LsaCfgFlags"=dword:00000000
    "EnableVirtualizationBasedSecurity"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities]
    "CG_Capable"=dword:00000000
    "DG_Capable"=dword:00000000
    "HVCI_Capable"=dword:00000000
    "OSSKU"=dword:00000000
    "SecureBoot"=dword:00000000
    "Virtualization"=dword:00000000
    "TPM"=dword:00000000
    "SecureMOR"=dword:00000000
    "UEFINX"=dword:00000000
    "SMMProtections"=dword:00000000
    "HyperVEnabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks]
    "Enabled"=dword:00000000

some may not be required but i've basically been trying anything and everything.

webpages i used for info;

https://learn.microsoft.com/en-us/a...le-virtualization-based-security-without-disa

https://admx.help/?Category=Windows...dows.DeviceGuard::VirtualizationBasedSecurity

https://learn.microsoft.com/en-us/w...ualization-based-protection-of-code-integrity

https://learn.microsoft.com/en-us/w...ection/credential-guard/configure?tabs=intune

https://learn.microsoft.com/en-us/v...ndows/user-guide/enable-nested-virtualization

https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm

https://gist.github.com/benhar-dev/1403b4e070655787c3f8ff1e15b1ab73

i think what finally did it was "EnableVirtualizationBasedSecurity"=dword:00000002, which seems undocumented, as i found nothing on duckduckgo other than the same entry with values of 0, which is supposed to mean disabled (so the group policy stuff says), and 1, which is enabled.

it was the last change i made to the registry before it suddenly got turned off.

hyper-v still works and thus no package removals are required or the boot sequence opt out.

i also added vsmlaunchtype Off to bcd, and also isolatedcontext to No. these are both related to hyper-v, but i don't really know if they helped disable vbs. i know the vsm one is related to virtual secure machine.

i also disabled secure boot and tpm.

here is msinfo32 output...see attachment.

had to enable nested virtualization to the vm so hyper-v in hyper-v could be tested. i had to reduce the memory as only 4gb was available and it errored which almost made me think hyper-v was now broken but setting ram to 2gb allowed the vm to power up and work as normal.

so i think i can now pat myself on the back...i think.

edit,

"EnableVirtualizationBasedSecurity"=dword:00000002 = not enabled (fully disabled and lsaiso is disabled too) (only if secureboot is disabled, otherwise shows as running)
"EnableVirtualizationBasedSecurity"=dword:00000001 = Enabled but not running (only if secureboot is disabled, otherwise shows as running)
"EnableVirtualizationBasedSecurity"=dword:00000000 = Running (only if secureboot is disabled, otherwise shows as running)

"RequirePlatformSecurityFeatures"=dword:00000001 = only secureboot as requirement; disabling secureboot results in the EnableVirtualizationBasedSecurity setting working on 0, 1, 2

with secureboot enabled, the settings 0, 1, 2 are ignored. only with it off is the user allowed to toggle between 0, 1, 2.

hope that made sense.
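Several answers in this thread (including the one above) infer the VBS state from whether Ryzen Master starts or whether LsaIso.exe shows up in Task Manager. The following PowerShell check is added here as an example and is not from any poster; it reads the state that Windows itself reports through the documented Win32_DeviceGuard WMI class, alongside the registry values and BCD entries the answers modify, so the effect of a change can be verified after each reboot. It assumes an elevated prompt; the function names are made up for this example.

```powershell
# Added example, not from any poster in this thread. Run from an elevated PowerShell.
# Reports the VBS state via the Win32_DeviceGuard WMI class plus the registry / BCD
# settings discussed above, so a change can be verified after each reboot.

# Pull one value from "bcdedit /enum {current}" output; '(not set)' if absent.
function Get-BcdValue([string[]]$Lines, [string]$Name) {
    $m = $Lines | Select-String -Pattern ('^{0}\s+(\S+)' -f $Name) | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { '(not set)' }
}

function Get-VbsPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Documented VirtualizationBasedSecurityStatus codes: 0 disabled, 1 enabled but not running, 2 running.
    $vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }[[int]$dg.VirtualizationBasedSecurityStatus]

    # SecurityServicesRunning codes: 1 = Credential Guard (LSA isolation), 2 = HVCI.
    # These are the protections that stop when VBS is turned off.
    $services = @($dg.SecurityServicesRunning | ForEach-Object {
        switch ($_) { 1 { 'CredentialGuard' } 2 { 'HVCI' } default { "Unknown($_)" } }
    })

    # Registry policy values that the answers above modify.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue

    # BCD entries controlling the hypervisor and Virtual Secure Mode launch.
    $bcd = bcdedit /enum '{current}' 2>$null

    # Secure Boot state: the answer above reports the registry values only take effect with it off.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'Unknown (legacy BIOS or not elevated)' }

    [pscustomobject]@{
        VbsStatus                             = $vbsState
        SecurityServicesRunning               = $services -join ', '
        LsaIsoProcessPresent                  = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        Reg_EnableVirtualizationBasedSecurity = $reg.EnableVirtualizationBasedSecurity
        Reg_RequirePlatformSecurityFeatures   = $reg.RequirePlatformSecurityFeatures
        Reg_LsaCfgFlags                       = $reg.LsaCfgFlags
        Bcd_hypervisorlaunchtype              = Get-BcdValue $bcd 'hypervisorlaunchtype'
        Bcd_vsmlaunchtype                     = Get-BcdValue $bcd 'vsmlaunchtype'
        SecureBoot                            = $secureBoot
    }
}

Get-VbsPosture | Format-List
```

Run it once before the change and once after the reboot; if VbsStatus still reads Running while the registry shows 0 or 2, the Secure Boot dependency described in the answer above is the first thing to check.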

-2
  1. Make sure you've removed Windows Features that may use Hyper-V, including Hyper-V, Windows Subsystem for Linux, Sandbox, etc.
  2. Modify boot configuration to disable Hypervisor services:

    bcdedit /set hypervisorlaunchtype off

dyasta