Enable VBS by turning on Memory integrity in Windows Security under Device security, and verify it’s running in msinfo32.
VBS (Virtualization-based Security) uses hardware virtualization to isolate critical system processes, making it harder for malware to compromise the kernel. This article explains how to enable VBS on a compatible Windows PC, from turning on the Memory integrity toggle to verifying success with a built-in system tool.
What Is Virtualization-based Security?
Virtualization-based security creates an isolated computing environment using the Windows hypervisor and hardware virtualization features. It protects processes like credential authentication and code integrity from tampering, even if the main OS is compromised. VBS underpins key security features such as Credential Guard, Device Guard, and HVCI (Hypervisor-protected Code Integrity). Running VBS comes with a small performance trade-off, but on modern hardware the security benefits far outweigh the overhead.
What Are the Requirements for VBS?
VBS won’t enable unless your system meets specific hardware and firmware prerequisites. The table below lists what you need and what to check.
| Requirement | Details | What to Check |
|---|---|---|
| CPU virtualization | Intel VT-x or AMD-V must be supported and enabled. | BIOS/UEFI settings for virtualization (often called SVM on AMD, VT-x on Intel). |
| Operating system | Windows 10/11 Pro, Enterprise, or Education. Home edition lacks Memory integrity support. | Settings > System > About shows edition. |
| UEFI Secure Boot | Secure Boot must be enabled. | msinfo32 > System Summary > Secure Boot State shows “On.” |
| TPM 2.0 | Recommended for full VBS features; optional for basic VBS. | Run tpm.msc and check version. |
| RAM | Minimum 4 GB; 8 GB or more recommended. | Task Manager > Performance > Memory. |
| UEFI firmware | System must be running in UEFI mode, not legacy BIOS. | msinfo32 > System Summary > BIOS Mode shows “UEFI.“ |
| Storage | Sufficient free space for Hyper-V components (approximately 1 GB). | Check free space on system drive. |
Enable VBS on a Consumer Windows PC
The simplest way to enable VBS on a personal Windows device is through the Memory integrity setting in Windows Security. Toggling this on activates virtualization-based protection of code integrity, the most common VBS use case.
- Open Windows Security (search for it in the Start menu).
- Go to Device security > Core isolation details.
- Set the Memory integrity toggle to On.
- Click Yes on the User Account Control prompt, then restart your PC when prompted.
After the restart, VBS should be active. If you need to enable additional VBS-based features (such as Credential Guard), those require separate Group Policy or PowerShell configuration.
Verify VBS Is Running
Use the built-in System Information tool to confirm VBS is enabled and running.
- Press Windows Key + R, type msinfo32, and press Enter.
- In the left pane, select System Summary.
- Look for the entry Virtualization-based security. If it says Running, VBS is on.
You can also verify from PowerShell: run Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard and check the VirtualizationBasedSecurityStatus property. A value of 2 means running. Microsoft’s code integrity documentation provides additional detail and alternative verification methods.
Enable VBS on Managed or Virtualized Systems
On enterprise devices joined to a domain, administrators can enable VBS through Group Policy, MDM (Microsoft Intune), or registry keys. The policy setting is located under Computer Configuration > Administrative Templates > System > Device Guard. Turn on Turn On Virtualization Based Security and choose the desired protection layers.
For virtual machines running on VMware vSphere, VBS must be enabled at the VM hardware level (enable “Virtualization based security” in VM settings) and then inside the guest OS using the Memory integrity toggle or policy. The same verification steps through msinfo32 apply inside the guest.
When You Might Need to Disable VBS
Certain applications, such as Riot Games’ VALORANT, may conflict with VBS and trigger compatibility errors (e.g., VAN9005). If you encounter this, disabling VBS is straightforward:
- Open Windows Security > Device security > Core isolation details.
- Set Memory integrity to Off and restart.
- If VBS still shows as Running in msinfo32, open an elevated Command Prompt and run
bcdedit /set hypervisorlaunchtype off, then restart again.
Reverting this is simple: turn Memory integrity back On, or run bcdedit /set hypervisorlaunchtype auto.
Common Mistakes When Enabling VBS
| Mistake | What Happens | How to Fix |
|---|---|---|
| Enabling virtualization only in BIOS | VBS still shows Not Running. | Also turn on Memory integrity in Windows Security. |
| Forgetting to restart after toggling Memory integrity | VBS does not activate. | Restart the PC. |
| Using bcdedit but leaving Memory integrity on | VBS may still run after restart. | Turn off Memory integrity as well. |
| Running Windows 10/11 Home edition | Memory integrity option missing. | Upgrade to Pro or Enterprise. |
| Thinking Secure Boot is optional | VBS may not start properly. | Enable Secure Boot in UEFI. |
| Not checking UEFI mode | Legacy BIOS prevents VBS. | Convert disk to GPT and enable UEFI (requires reinstall). |
| Enabling VBS on an under‑powered VM | Guest OS may fail to boot or run slowly. | Allocate at least 2 vCPUs and 4 GB RAM. |
Final Verification Steps
After completing the enablement process, run through this quick checklist to confirm everything is set:
- msinfo32 shows “Virtualization-based security: Running.”
- Windows Security > Device security shows “Memory integrity: On.”
- Your system boots normally without new errors.
- If you disabled VBS for compatibility, confirm the conflicting application now works.
With VBS active, Windows gains a substantial security layer that makes kernel‑level attacks much harder to execute.
References & Sources
- Microsoft Learn. “Enable virtualization-based protection of code integrity.” Official Microsoft documentation for enabling Memory integrity and verifying VBS.