From 70151ee624b3e8c93f6dd7aca3b0f89d22d0fb02 Mon Sep 17 00:00:00 2001
From: "John (Linuxydable) BENARD"
Date: Thu, 5 Dec 2024 18:32:03 +0100
Subject: [PATCH] Fully disable VBS
---
.../7. Security/Core Isolation (VBS)/Disable VBS.reg | 7 +++++++
.../7. Security/Core Isolation (VBS)/Enable VBS.reg | 7 +++++++
.../AtlasModules/Scripts/ScriptWrappers/ConfigVBS.ps1 | 9 ++++-----
3 files changed, 18 insertions(+), 5 deletions(-)
create mode 100644 src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Disable VBS.reg
create mode 100644 src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Enable VBS.reg
diff --git a/src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Disable VBS.reg b/src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Disable VBS.reg
new file mode 100644
index 0000000000..e94357280c
--- /dev/null
+++ b/src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Disable VBS.reg
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
+"Enabled"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
+"EnableVirtualizationBasedSecurity"=dword:00000000
\ No newline at end of file
diff --git a/src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Enable VBS.reg b/src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Enable VBS.reg
new file mode 100644
index 0000000000..12bbaebeda
--- /dev/null
+++ b/src/playbook/Executables/AtlasDesktop/7. Security/Core Isolation (VBS)/Enable VBS.reg
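Review bot: `Disable VBS.reg` turns off Memory Integrity and VBS with no comment saying what protection is lost, and it writes a different set of values from the `-DisableAllVBS` path of ConfigVBS.ps1, which in this same patch also writes `RunAsPPL` and has a kernel shadow stack branch. A `.reg` file accepts `;` comments, so a header such as `; Turns off Memory Integrity (HVCI) and VBS; lowers kernel protection. Undo with "Enable VBS.reg".` would tell a user what they are merging. The file also ends without a newline (`\ No newline at end of file`), and `Enable VBS.reg` ends the same way.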
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
+"Enabled"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
+"EnableVirtualizationBasedSecurity"=dword:00000001
\ No newline at end of file
diff --git a/src/playbook/Executables/AtlasModules/Scripts/ScriptWrappers/ConfigVBS.ps1 b/src/playbook/Executables/AtlasModules/Scripts/ScriptWrappers/ConfigVBS.ps1
index 48aa242e42..7c5916b06e 100644
--- a/src/playbook/Executables/AtlasModules/Scripts/ScriptWrappers/ConfigVBS.ps1
+++ b/src/playbook/Executables/AtlasModules/Scripts/ScriptWrappers/ConfigVBS.ps1
@@ -14,11 +14,7 @@ if ($DisableAllVBS) { Write-Warning "Disabling VBS features..." # Memory Integrity - if (Test-Path $memIntegrity) { - New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force - Remove-ItemProperty -Path $memIntegrity -Name "ChangedInBootCycle" -EA 0 - Remove-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -EA 0 - } + New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force # Need to be forced since Windows 11 24H2 # Kernel-mode Hardware-enforced Stack Protection (Windows 11 only) if (Test-Path $kernelShadowStacks) {
@@ -36,6 +32,9 @@ if ($DisableAllVBS) { # LSA Protection (24H2 only) New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0 -PropertyType DWORD -Force + + # VBS General setting (24H2 only) https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-enablevirtualizationbasedsecurity + New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0 -PropertyType DWORD -Force exit } elseif ($EnableMemoryIntegrity) { Write-Warning "Enabling memory integrity..."
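Review bot: `Enable VBS.reg` restores only `Enabled` under HypervisorEnforcedCodeIntegrity and `EnableVirtualizationBasedSecurity`, so it does not undo everything the script's disable path turns off. After `-DisableAllVBS`, `RunAsPPL` stays at 0, and anything changed in the kernel shadow stack branch would presumably stay changed as well. If this file is meant as the counterpart of that path, a user could believe protection is fully restored while LSA protection is still off. Either add the remaining values or state in a `;` comment exactly which settings the file covers.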
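Review bot: With the `Test-Path $memIntegrity` guard removed in the first ConfigVBS.ps1 hunk, `New-ItemProperty` now runs even when the HypervisorEnforcedCodeIntegrity key is absent. `-Force` on `New-ItemProperty` overwrites an existing value but does not create a missing key, so on such a system the call errors and `Enabled` is never written. Creating the key first keeps the intent of the new comment: `if (-not (Test-Path $memIntegrity)) { New-Item -Path $memIntegrity -Force | Out-Null }`. The hunk also drops the two `Remove-ItemProperty` calls for `ChangedInBootCycle` and `WasEnabledBy` without explanation, which a one-line comment should cover. The enclosing `if ($DisableAllVBS)` block starts and ends outside the hunk.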
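Review bot: `EnableVirtualizationBasedSecurity` is set to 0 in the second ConfigVBS.ps1 hunk, but nothing visible sets it back to 1 in the `$EnableMemoryIntegrity` branch, which begins on the last lines of the hunk and continues outside it. If that branch only writes the memory integrity `Enabled` value, a machine that went through `-DisableAllVBS` would keep VBS off at the DeviceGuard level after the user re-enables memory integrity. It is worth confirming that the enable branch writes `-Name "EnableVirtualizationBasedSecurity" -Value 1`. The new comment says "(24H2 only)" while the write runs on every Windows version, so either gate it on the build number or reword it, for example `# VBS general setting (needed since 24H2; written on all versions)`.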