17

Android Studio requires Hyper-V, but installing Hyper-V also enabled VBS (Virtualization-based Security). The problem is AMD's Ryzen software doesn't run if VBS is enabled.

enter image description here

Applying the following script gave me an option to "opt-out" from VBS on the next reboot, but that does not seem to be permanent. Restarting Windows seems to enable VBS again. So, it seems that I have to run the script and press the opt-out key every time.

Is there anyway to disable VBS permanently and never ask me to disable it again?

set FREE_MOUNT_VOL_DRIVELETTER=L:
mountvol %FREE_MOUNT_VOL_DRIVELETTER% /s
copy C:\WINDOWS\System32\SecConfig.efi L:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DG" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=%FREE_MOUNT_VOL_DRIVELETTER%
mountvol %FREE_MOUNT_VOL_DRIVELETTER% /d

Local Group Policy does not seem to work. enter image description here

The Registry value EnableVirtualizationBasedSecurity already has been set to 0.

enter image description here

Damn Vegetables
  • 3,622
  • 16
  • 46
  • 78

8 Answers8

2

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard and add a new DWORD value named EnableVirtualizationBasedSecurity and set its value to 0 " DID the trick for me.

Mohkam
  • 21
  • 3
1

This procedure should disable Virtualization Based Security:

  • Run gpedit.msc
  • Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard
  • Double click Turn on Virtualization Based Security
  • Select Disabled
  • Click OK
  • A reboot might be required.
harrymc
  • 455,459
  • 31
  • 526
  • 924
  • 3
    It already has been set to "Disabled". – Damn Vegetables Oct 04 '19 at 17:13
  • Then how come it is not disabled? Please run System Information to verify if this is the case (it is found very low in the list). – harrymc Oct 04 '19 at 17:36
  • 1
    I have added the screenshot to the end of the question. It seems that Windows ignores that setting and re-enables VBS every time (except when I ran the script). – Damn Vegetables Oct 04 '19 at 18:03
  • Strange. Try this: Go to registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard` and add a new DWORD value named `EnableVirtualizationBasedSecurity` and set its value to `0` to disable virtualization-based security, then reboot normally. Verify using System Information. – harrymc Oct 04 '19 at 18:56
  • That value already exists and has been set to 0. I think I probably had tried some script on the Internet to try to disable VBS, and that might have done that. I'll add the screenshot to the end of my question. – Damn Vegetables Oct 04 '19 at 19:41
  • Try to delete (after backup) the values like `Require*` and reboot. – harrymc Oct 04 '19 at 19:46
  • I did that but the result was the same. I deleted the two "Require..." values, but after rebooting, "RequirePlatformSecurityFeatures" = (0) was automatically created. – Damn Vegetables Oct 04 '19 at 20:23
  • I don't know what exactly did your script. Also did you take a backup before replacing `SecConfig.efi`? All I have left to suggest is to try to rollback Windows to a System Restore point from before all these manipulations and try only my answer, no scripts, using Windows and not forcing anything. This can fail if the problem is with the replaced `SecConfig.efi`. – harrymc Oct 04 '19 at 20:42
  • On a Win10 2004 (post 2004 update) I found that, with all the above things disabled, group policied to disabled and relevant registry entries present, I STILL had to issue `bcdedit /set hypervisorlaunchtype off` at an admin PowerShell then reboot in order to get VMWare Player to fire up a VM. I compared what I'd already done with the guide at https://windowsreport.com/disable-credential-guard-windows-10/ and other responses to this question. – Chris Woods Oct 05 '20 at 23:12
1

As far as I understand: Either it can't be disabled unless disabling Hyper-V, or Ryzen Master is treating Hyper-V same way as VBS.

Any way OP was asking this question because he wanted to execute Ryzen Master (as well as I was today).

Heare I would print hacky solution to launch Ryzen Master without disabling Hyper-V.

Reddit user klauspost has created a patch that allows bypassing this checks in Ryzen Master. I've tested and it works on my machine and it indeed able to change CPU configuration.

The patch itself: https://github.com/klauspost/ryzen-master-vbs-patch Reddit thread: https://www.reddit.com/r/Amd/comments/gtvy2w/patch_for_amd_ryzen_master_to_work_with/

Some youtube video with tutorial how to apply patch: https://www.youtube.com/watch?v=h7xId0RO9Rk

P.S. As far as I understand: AMD don't want to cause any stability issues so they won't officially allow ti run with Hyper-V. It can cause some issues with virtualization. Hyper-V is such type of VM that is running at top of Windows, so your OS is always run inside VM.

So use this patch for your own risk. Neither I nor patch author is responsible for possible damage.

Bogdan Mart
  • 142
  • 5
0

I did all the same things you did (GPedit, RegEdit).

Finally, disabling secure boot and any VBS option in the BIOS did the trick.

Moe Khalil
  • 1
  • 8
    What do you mean "VBS option in the BIOS"? You mean, virtualisation feature such as AMD-V or Intel VT-X? If so, that has the same effect as disabling Hyper-V. I need to use Hyper-V. – Damn Vegetables Oct 30 '19 at 22:34
0

I have 20.04 installed and what I found is that other than what @dyasta had mentioned above, be sure to unselect the Windows Features of Windows Defender Application Guard.

In my case, I managed to turn VBS off by making the GPEDIT change suggested above, turned off all Hyper-V features, turned off Windows Defender Application Guard, and reboot.

Anthony Tsim
  • 1
0

I had the same error as you. What I did was turn off the below features in Windows features.

  • Windows Hypervisor Platform
  • Virtual Machine Platform
  • Microsoft Defender Application Guard

The reason: there are multiple System Components that utilize VBS.

ZygD
  • 2,459
  • 12
  • 26
  • 43
Martis
  • 1
0

If this is an option for you, update to a newer version of Ryzen Master and have Hyper-V turned on and VBS running, without making other changes. It appears that newer version(s) of Ryzen Master allow VBS to be running. But specifically which versions do or do not, I'm not sure.

I am using Windows 10 Pro version 1909 and Ryzen Master version 2.8.0.1937, with Hyper-V turned on and VBS running.

System information via Ryzen Master and Windows

Tarocco
  • 109
  • 2
-2
  1. Make sure you've removed Windows Features that may use Hyper-V. Including, Hyper-V, Windows Subsystem for Linux, Sandbox, etc...

  2. Modify boot configuration to disable Hypervisor services:

    bcdedit /set hypervisorlaunchtype off

dyasta
  • 390
  • 2
  • 7