How to preserve Virtualization Based Security (VBS) in Windows 11?

I want to keep Virtualization Based Security (VBS) and Hypervisor-based Core Isolation, Memory Integrity, Kernel-mode Hardware Enforced Stack Protection, and Credential Guard, but I do not want Windows Defender. I already have exact registry entries for all VBS features I list. They all exist under Device Guard in both registry and Group Policy.

Is Device Guard the only component I need to preserve? What about other Hypervisor components? Some guides say Credential Guard needs Hyper-V enabled in Features.

How do I test if VBS is enabled? Registry entries are not indicative of VBS working, and some system report tools simply read those entries to make (a false) conclusion that VBS is enabled, even when I disable Virtualization for CPU in BIOS/UEFI to test the validity of the mentioned conclusions. VBS cannot work without CPU Virtualization instructions and as such, those reporting tools cannot be trusted.
 
I don't think Virtualization Based Security is listed in NTLite as an actual component. There are references to it, but research shows that component name is likely Device Guard, which NTLite does list as a component.

I can figure it out myself if I can properly test whether VBS is active, but I don't know how... I know VBS Kernel Stack protection causes some game store anti-cheating software (like BattlEye) to crash because anti-cheating software invades kernel space intrusively, but that is not a good way to test whether VBS is active.
 
Before anyone in the forum can help you - you have to post a preset.
The preset is located in folder \NTLite\Presets named something like Auto-xxxxx.xml
 
Before anyone in the forum can help you - you have to post a preset.
I think you skimmed the thread too fast and didn't take the time to read or interpret the intent of his question, since the thread doesn't actually have anything to do with a broken preset.

To clarify, OP is wanting to know more about how these particular security features and their dependencies work under the hood. In other words, it's a complex question with many facets, and he's asking how to troubleshoot and identify if these features are active, as well as if they are affected by any NTLite removals. He's not asking why they broke after making an image--which would require the upload of a preset.

There isn't going to be a complete answer inside NTLite itself, this is one of those things you will only know about if you intentionally investigate it, and there won't be a lot of credible information on the internet either since advanced topics like these tend to be misunderstood.

Ultimately, OP is going to have to do a lot of Googling, forum searching, and testing to know for sure (or hope someone else already did and posts their findings), because the answers to these types of questions change over time as Windows evolves.
 
Several posts from OP and skimmed too fast? - still asking for a preset.
I know you are very well intentioned and only want to help, so please know I mean no disrespect, but what preset can he provide you with? Again, he did not make an image yet. Nothing is broken, and no XML exists, so how can he upload it? He's asking questions about things in advance, because he's taking what he knows about various features and the knowledge of what might break, and then he's preemptively asking on the forum if there's more food for thought to consider before he follows through.

This is in stark contrast with how 99% of users do things here, which is probably why it's throwing you for a loop, since most people here just randomly click components in NTLite, make an image, install it, then whenever an overtly broken thing appears (error pop-up), they come to the forum and ask us to fix it. Instead, OP is saying to himself, "Okay I see that these dozen features here are important to me, how can I be sure from ground zero to properly preserve these the correct and proper way, rather than fixing it later." And everything isn't documented in NTLite, so these things are rarely obvious.

I'd almost be tempted to say he's doing it the right way, by wanting to test things thoroughly and taking the time to understand what he's tweaking, but I honestly have reservations about that because like you mentioned about other posts, I don't understand half of what OP's posts are about or what his actual final goal is, so there's clearly some XY problem going on. That's not being helped at all though by people not taking the time to read posts and then replying with confusing and unrelated information.

With that being said, francis11 does have a point, and I was going to mention it on the attestation thread the other day too, but felt like Garlin made the point well enough already--OP you are asking a lot of questions, and I do agree that much of this is complicated and deserves discussion, but you're really all over the place right now, it may be time to go back to the drawing board and recollect yourself and figure out what your goals are and shoot for them, step by step, instead of jumping around so much.
 
You're right - but why start asking questions about worries about a tool not even used? - if there are concerns, why not try first and ask after?
And no offence - I look forward to seeing a post from you in 3 lines.
 
My thoughts, while everyone is free to respond to topics -- especially if you've had personal knowledge about a subject, is to ALWAYS try to read into the question's intent. Some questions are open-ended, so you need to ask the poster to provide more background. Other times a poster is relatively inexperienced with Windows or NTLite.

In the second case, asking for a preset is standard practice when you sense the poster doesn't understand how to explain a technical question and it's faster to check what they're attempting to do.

For open-ended questions, once the discussion gets to specifics -- then it's fine to ask for a preset or attachments to understand their work in progress.

What I'd rather not see the NTLite forum fall into is the behavior I see at other Windows sites. Their top contributors always nag users to post some data collection script before even entertaining a simple question. That attitude says everyone is a newbie, or can't be trusted.

Please, treat every question individually. The reason you see me constantly asking for presets is that when a new person posts a 1-2 line question with barely any details -- it's the best place to get started for them. But like I say every time, I READ EVERY PRESET that I ask for.
 
I want to keep Virtualization Based Security (VBS) and Hypervisor-based Core Isolation, Memory Integrity, Kernel-mode Hardware Enforced Stack Protection, and Credential Guard, but I do not want Windows Defender. I already have exact registry entries for all VBS features I list. They all exist under Device Guard in both registry and Group Policy.

Is Device Guard the only component I need to preserve? What about other Hypervisor components? Some guides say Credential Guard needs Hyper-V enabled in Features.

How do I test if VBS is enabled? Registry entries are not indicative of VBS working, and some system report tools simply read those entries to make (a false) conclusion that VBS is enabled, even when I disable Virtualization for CPU in BIOS/UEFI to test the validity of the mentioned conclusions. VBS cannot work without CPU Virtualization instructions and as such, those reporting tools cannot be trusted.
Those are all good questions, I would like to have a VBS Compatibility option.
However, the same question about proving it troubled me as well, so if someone knows a good set of tests, I'm willing to isolate the needed bits.
 
I don't think there's a comprehensive test (since VBS is an umbrella term), but DG_Readiness.ps1 is the closest thing to a benchmark.
This tool is a Windows PowerShell script that needs to run with elevated permissions. It will work with Windows 10 (beginning with version 1607) and Windows Server 2016.
You can use this tool in the following ways:
  1. Check if the device can run Device Guard or Credential Guard
  2. Check if the device is compatible with the Hardware Lab Kit tests that are run by partners
  3. Enable and disable Device Guard or Credential Guard
  4. Check the status of Device Guard or Credential Guard on the device
  5. Integrate with System Center Configuration Manager or any other deployment mechanism to configure registry settings that reflect the device capabilities
  6. Use an embedded ConfigCI policy in audit mode that can be used by default to enable Device Guard when a custom policy is not provided
Usage:
DG_Readiness.ps1 -[Enable/Disable/Capable/Ready] -[DG/CG/HVCI/HLK] -Path <ConfigCI policy> -AutoReboot
 
Msinfo32 provides some basics too, such as if VBS is enabled or not. Like OP mentioned though, I'm not sure if that is simply reading a registry key or something similar which could be misleading in component removals or other tweaking scenarios.
 
Having barebone resources, I would like to know if I have VBS disabled or not, and if it isn't, then what amount of resources does it use? I can only get between 7xxx and 8xxx handles compared to 3.5xx and 4.5xx on W7. If it's airgapped then I don't need that layer of security.
 
VBS doesn't really consume extra memory, but adds some CPU overhead. It increases security by splitting Windows into two layers, and the bottom layer where the drivers reside is protected from post-boot tampering. The top layer runs in a Hypervisor-like state above it.

Thus the constant need to check that device drivers are digitally signed and protected at boot. Since device drivers are given free rein over protected memory, a lot of cheat or anti-cheat drivers fail that certification.
 
I don't think there's a comprehensive test (since VBS is an umbrella term), but DG_Readiness.ps1 is the closest thing to a benchmark.
Thanks. Yeah, that's just checking for enablement, but whether it is actually active, and which attacks it needs to defend against, is more of a question.
Maybe they were thorough and checked each feature in that pass.

It's tricky; I cannot claim to have protected VBS features until I can test them. I probably would even use those if I knew exactly what they're for.
I would like to see something like the Chrome browser being "hacked" without it, or Windows permissions bypassed, and then enabling VBS actually helping.
If there is/was no such case, then it's just marketing/a false sense of safety, like antivirus background scans catching legacy attacks and causing false positives.
Maybe if someone often runs questionable material it can have a purpose in more cases.
 
For a Credential Guard test, you can use Mimikatz, but make sure to test the Windows Enterprise version, not the Pro, which has questionable "auto-enablement" features (https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4025)

Keeping HVCI and Kernel Stack protection enabled prevents certain drivers from installing and loading, such as the DiskCryptor driver, but it is unknown whether such drivers are simply blacklisted based on driver file name and similar simple factors, or whether such drivers are analyzed by the OS on a deeper level to determine potential harm.

There are supposed to be newer DeviceGuard Readiness versions (3.7.1+), but links to them are down.

Again, disabling all Hyper-V and Virtualization features, services, and drivers (except Virtual Disk) does not prevent Credential Guard, HVCI, and Kernel Stack protection from being reported as running by MSInfo32 and DeviceGuard Readiness tool.
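The question running through the DG_Readiness / msinfo32 posts above and this one is how to tell configured from actually running. Win32_DeviceGuard (the WMI class Microsoft documents for checking Credential Guard and HVCI status) exposes separate SecurityServicesConfigured and SecurityServicesRunning lists plus a VirtualizationBasedSecurityStatus code, and Win32_ComputerSystem reports whether a hypervisor is present at all, so the "CPU virtualization off in firmware" test can be cross-checked directly. The script below is an added example, not something from the thread or from NTLite; it assumes an elevated PowerShell 5.1+ prompt on Windows 10/11. The "Secure System" and LsaIso process checks are secondary indicators I added, not a Microsoft-documented test.

```powershell
# Added example (not from the thread): report the VBS/Device Guard state the
# running kernel exposes, alongside the policy-configured state, so the two
# can be compared. Assumes an elevated PowerShell session on Windows 10/11.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Documented values of VirtualizationBasedSecurityStatus
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

# Documented service codes: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
# Higher codes exist for the other services (Secure Launch, SMM measurement,
# kernel-mode stack protection); they are left as raw numbers here rather than
# guessed, so consult the Win32_DeviceGuard documentation for their names.
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI / Memory Integrity' }

function Describe-Services([int[]]$codes) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object {
        if ($serviceNames.ContainsKey($_)) { "$_ ($($serviceNames[$_]))" } else { "$_" }
    }) -join ', '
}

$report = [pscustomobject]@{
    # False when CPU virtualization is disabled in firmware: nothing VBS can be running then
    HypervisorPresent   = [bool]$cs.HypervisorPresent
    # Cast to [int]: the WMI value is UInt32 and would not match the hashtable keys otherwise
    VBSStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured  = Describe-Services $dg.SecurityServicesConfigured   # what policy/registry asks for
    ServicesRunning     = Describe-Services $dg.SecurityServicesRunning      # what is actually up
    # Secondary indicators: the VTL1 "Secure System" process exists when VBS runs,
    # LsaIso.exe is the isolated LSA process that Credential Guard runs
    SecureSystemProcess = [bool](Get-Process -Name 'Secure System' -ErrorAction SilentlyContinue)
    LsaIsoProcess       = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
}
$report | Format-List

# Reading the result: a feature counts as active only when its code appears in
# ServicesRunning AND HypervisorPresent is True. A code that appears in
# ServicesConfigured but not in ServicesRunning is the "registry says yes,
# VBS is not actually running" case described in this thread.
```

Run it once with virtualization enabled in firmware and once with it disabled: the registry-derived ServicesConfigured line should stay the same in both runs, while HypervisorPresent, VBSStatus and ServicesRunning should drop in the second, which is the behaviour a trustworthy status check has to show.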
 
DG_Readiness 3.7.1 is easy to find!

Just kidding, the multiple GitHub issues point to an absolute CF with the docs team. If I had to guess, it's been turned over to a vendor team instead of being staffed by FTEs who belong to the product groups. Left hand/right hand, because the docs team can't force a product team to host newer content through official channels (GitHub project, downloads.microsoft.com).
 
Code:
Microsoft-OneCoreUAP-AppRuntime-RemoteAppLifetimeManager-Package
Microsoft-Windows-HVSI-Components-Package
Microsoft-Windows-HVSI-Components-WOW64-Package
Microsoft-Windows-SenseClient-Package
Windows-Defender-ApplicationGuard-Inbox-Package
Windows-Defender-ApplicationGuard-Inbox-WOW64-Package
Windows-Defender-Client-Package
Windows-Defender-Group-Policy-Package

Don't use NTLite with Windows Defender. Use DISM to delete these and they will remain.
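The names in the list above are package name prefixes; in a mounted image each carries a ~publisher~architecture~~version suffix, so removal has to match on the prefix. The script below is an added example, not the poster's own procedure or NTLite code: it uses the DISM PowerShell module (Get-WindowsPackage / Remove-WindowsPackage) against an already mounted offline image, reports which of the listed packages are present, and removes them only when the -Remove switch is given. The mount path is a hypothetical placeholder.

```powershell
# Added example (not from the thread): inventory, and optionally remove, the
# packages listed in the post above from an offline mounted image.
# Assumes the image is already mounted at $MountPath (hypothetical path) and
# that the session is elevated with the Dism module available.
param(
    [string]$MountPath = 'C:\mount',   # hypothetical mount point, change to yours
    [switch]$Remove                    # without this switch the script only reports
)
Import-Module Dism

# Prefixes copied from the post; the real PackageName has a ~...~ suffix appended
$targetPrefixes = @(
    'Microsoft-OneCoreUAP-AppRuntime-RemoteAppLifetimeManager-Package',
    'Microsoft-Windows-HVSI-Components-Package',
    'Microsoft-Windows-HVSI-Components-WOW64-Package',
    'Microsoft-Windows-SenseClient-Package',
    'Windows-Defender-ApplicationGuard-Inbox-Package',
    'Windows-Defender-ApplicationGuard-Inbox-WOW64-Package',
    'Windows-Defender-Client-Package',
    'Windows-Defender-Group-Policy-Package'
)

# Match on the part before the first '~' so version suffixes do not matter
$present = Get-WindowsPackage -Path $MountPath | Where-Object {
    ($_.PackageName -split '~')[0] -in $targetPrefixes
}

if (-not $present) {
    Write-Host "None of the listed packages are present in $MountPath"
    return
}

$present | Select-Object PackageName, PackageState | Format-Table -AutoSize

if ($Remove) {
    foreach ($p in $present) {
        # Remove-WindowsPackage marks the package for removal in the offline image;
        # the change is committed when the image is unmounted with /Commit
        Remove-WindowsPackage -Path $MountPath -PackageName $p.PackageName
    }
} else {
    Write-Host 'Dry run only; re-run with -Remove to remove the packages listed above.'
}
```

Run it without -Remove first to see exactly which package names matched, then unmount with Dismount-WindowsImage -Save (or DISM /Unmount-Image /Commit) after a removal so the change actually lands in the WIM.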
 
The following would be nice to have as an option to remove in NTL, as they are reinstalled after install, but it would minimize the installer WIM for those who don't intend to make an MS account.

\NTLite\Temp\NLTmpMnt\ /c Windows-Defender-AM-Default-Definitions-OptionalWrapper-Package
\NTLite\Temp\NLTmpMnt\ /c Windows-Defender-AM-Default-Definitions-Package
 