Commit

Fully disable VBS
Linuxydable committed Dec 5, 2024
1 parent dad2711 commit 70151ee
Showing 3 changed files with 18 additions and 5 deletions.
@@ -0,0 +1,7 @@
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000000
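Review bot: This new file switches off two protections but carries no comment saying so. Anyone importing it sees only `"Enabled"=dword:00000000` and `"EnableVirtualizationBasedSecurity"=dword:00000000` with no statement that these are memory integrity (HVCI) and the VBS master setting. Please add a `;` comment header naming both controls and pointing to the enable counterpart added in this commit. It would also help to state that this file covers less than the script's `$DisableAllVBS` branch, which additionally writes `RunAsPPL`.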
@@ -0,0 +1,7 @@
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000001
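Review bot: The re-enable path is incomplete relative to what the script in this commit turns off. This file restores `"Enabled"=dword:00000001` and `"EnableVirtualizationBasedSecurity"=dword:00000001`, but the `$DisableAllVBS` branch also sets `RunAsPPL` to 0 under `Control\Lsa`, and nothing here puts it back. A user who disables through the script and re-enables through this file would be left without LSA protection and with no indication of that. Either restore `RunAsPPL` here or document in a `;` comment that LSA protection must be re-enabled separately.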
Expand Up @@ -14,11 +14,7 @@ if ($DisableAllVBS) {
Write-Warning "Disabling VBS features..."

# Memory Integrity
if (Test-Path $memIntegrity) {
New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force
Remove-ItemProperty -Path $memIntegrity -Name "ChangedInBootCycle" -EA 0
Remove-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -EA 0
}
New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force # Need to be forced since Windows 11 24H2

# Kernel-mode Hardware-enforced Stack Protection (Windows 11 only)
if (Test-Path $kernelShadowStacks) {
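Review bot: The now-unconditional `New-ItemProperty -Path $memIntegrity ... -Force` will fail when the key behind `$memIntegrity` does not exist, because `-Force` overwrites an existing value but does not create a missing registry key. The removed `if (Test-Path $memIntegrity)` guard avoided that error by skipping the write; if the intent on 24H2 is to write the value even when the key is absent, create the key first (for example `if (-not (Test-Path $memIntegrity)) { New-Item -Path $memIntegrity -Force }`) and then set the value. The change also drops the cleanup of `ChangedInBootCycle` and `WasEnabledBy` without explanation; please say in the commit message or a comment whether leaving those values behind is intentional.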
Expand All @@ -36,6 +32,9 @@ if ($DisableAllVBS) {

# LSA Protection (24H2 only)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0 -PropertyType DWORD -Force

# VBS General setting (24H2 only) https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-enablevirtualizationbasedsecurity
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0 -PropertyType DWORD -Force
exit
} elseif ($EnableMemoryIntegrity) {
Write-Warning "Enabling memory integrity..."
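Review bot: The comments on the two added writes say "(24H2 only)", but neither write is gated on the OS build, so `RunAsPPL` and `EnableVirtualizationBasedSecurity` are set to 0 on every version that reaches this branch. Either wrap them in a build check or correct the comments to say the values are written unconditionally. Separately, setting `RunAsPPL` to 0 turns off LSA protection, which is a credential-protection control rather than a VBS feature, yet the only user-facing message in this branch is `Write-Warning "Disabling VBS features..."`. Please name LSA protection in the warning, or put it behind its own switch, so the user knows it is being disabled.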

2 comments on commit 70151ee

@kronflux

While disabling VBS is definitely more secure, I would recommend against doing this by default.
Many applications, including AMD's Adrenaline software, require VBS for various tasks (Adrenaline will fail to verify this is an "AMD system" without VBS enabled).
The "better" way to handle VBS is to simply disable the file association for it.
There may also be methods to harden VBS further, as an alternative.

@Linuxydable
Member Author

@Linuxydable Linuxydable commented on 70151ee Dec 26, 2024

Hello @kronflux,

Thank you for your message.
I'm a full user of AMD hardware and I know these requirements; this is the reason why I include the VBS enabler/disabler script inside the Atlas OS folder once installed.
I don't use VBS for many important reasons and I also use VBS for many other reasons. (gamedev lol)

Anyway, I will keep this disabled by default and if a user has some issues, he can re-enable VBS through the script.
