How to Check Everything Related to Virtualization Based Security in Windows 11

Описание: In this video, we take a deep technical dive into Virtualization-Based Security (VBS) in Windows 11 and learn how to check every important configuration and status field directly from the system — and understand what each value actually means.

We’ll use PowerShell and the Win32_DeviceGuard class to inspect the exact security posture of your system and understand what each value actually means.

1️⃣ AvailableSecurityProperties
Shows which hardware security features are available on the device
0 – No relevant properties exist
1 – Hypervisor support available
2 – Secure Boot available
3 – DMA protection available
4 – Secure Memory Overwrite available
5 – NX protections available
6 – SMM mitigations available
7 – MBEC/GMET available
8 – APIC virtualization available
👉 This tells you what the hardware can support.

2️⃣ RequiredSecurityProperties
Shows which hardware features are required to enable VBS.
0 – Nothing required
1 – Hypervisor support required
2 – Secure Boot required
3 – DMA protection required
👉 This tells you what must be present for VBS to work.

It reads from Registry setting HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\RequirePlatformSecurityFeatures

Supported values for RequirePlatformSecurityFeatures
0 – Best effort (no strict requirements).
1 – Requires Hypervisor + Secure Boot (1,2).
3 – Requires Hypervisor + Secure Boot + DMA protection (1,2,3).

3️⃣ Code Integrity Enforcement Status
Kernel Mode
CodeIntegrityPolicyEnforcementStatus
0 – Off
1 – Audit mode
2 – Enforced

User Mode
UsermodeCodeIntegrityPolicyEnforcementStatus
0 – Off
1 – Audit mode
2 – Enforced
👉 Shows whether code integrity policies are disabled, monitoring only (audit), or fully enforced.

4️⃣ SecurityServicesConfigured
Shows which VBS-related services are configured.
0 – None configured
1 – Credential Guard configured
2 – Memory Integrity configured
3 – System Guard Secure Launch configured
4 – SMM Firmware Measurement configured
5 – Kernel-mode Hardware-enforced Stack Protection configured
6 – Kernel-mode Stack Protection configured (Audit mode)
7 – Hypervisor-Enforced Paging Translation configured
👉 Configured means enabled in settings, not necessarily running.

5️⃣ SecurityServicesRunning
Shows which services are actively running.
0 – None running
1 – Credential Guard running
2 – Memory Integrity running
3 – System Guard Secure Launch running
4 – SMM Firmware Measurement running
5 – Kernel-mode Hardware-enforced Stack Protection running
6 – Kernel-mode Stack Protection running (Audit mode)
7 – Hypervisor-Enforced Paging Translation running
👉 Running means currently active and enforced.

6️⃣ VirtualizationBasedSecurityStatus
0 – VBS not enabled
1 – VBS enabled but not running
2 – VBS enabled and running
👉 Shows overall VBS state.

7️⃣ VirtualMachineIsolation
Indicates whether virtual machine–based hardware isolation is enabled.

8️⃣ VirtualMachineIsolationProperties
Shows which advanced VM isolation technologies are available:
1 – AMD SEV-SNP
2 – Virtualization-Based Security
3 – Intel TDX
👉 These provide stronger hardware-level isolation beyond standard VBS.

9️⃣ SmmIsolationLevel
Indicates the isolation level of System Management Mode (SMM).
Higher levels mean stronger firmware-level protection.