From 5b10942cce3eccae3a13f3c5e38f77773d9ce121 Mon Sep 17 00:00:00 2001 From: justingross-msft <110203253+justingross-msft@users.noreply.github.com> Date: Mon, 31 Mar 2025 21:55:46 -0400 Subject: [PATCH] Update enable-virtualization-based-protection-of-code-integrity.md This is a known issue in Azure as shown here, https://supportability.visualstudio.com/AzureIaaSVM/_wiki/wikis/AzureIaaSVM/1763930/VBS-Enabled-But-Not-Running-After-Install-HyperV_Windows. Having this note will hopefully allow customers to set this correct or have us share this page when the issue is seen. --- .../enable-virtualization-based-protection-of-code-integrity.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index 928f69bd65..b0810ce013 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md 
@@ -22,6 +22,7 @@ appliesto: > > - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry. > - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3. +> - Azure VMs do not support memory integrity where **Secure Boot with DMA** is selected. If this is selected, VBS will show as enabled but not running. For this reason, please make sure to choose **Secure Boot** only using one of the methods below. ## Memory integrity features
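Review bot: the added bullet ends with "using one of the methods below" but never names the setting where **Secure Boot** versus **Secure Boot with DMA** is chosen, so a reader arriving from an Azure support case cannot tell which of the later sections applies. Name the setting and link to the section that configures it. It would also help to say where "VBS will show as enabled but not running" is observed, so the symptom can be matched against what the customer sees. On wording, "do not support memory integrity where ... is selected" reads more clearly as "when ... is selected", and "please make sure to choose **Secure Boot** only" can be shortened to a direct instruction such as "select **Secure Boot**". Since this is a known issue specific to Azure VMs, consider a separate callout rather than a third bullet in a note that otherwise covers naming and processor support. The commit message cites an internal wiki page; if a public reference for the issue exists, cite it instead so external readers can follow it.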