Hi James R,
Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)
Domic V.
Raising this after exhausting Microsoft support to get broader visibility on an issue affecting Microsoft 365 Business Premium customers.
The issue
Applying a standard Intune security baseline including VBS and HVCI to Windows 11 Business Premium devices returns persistent errors 65000 and 0x82b00006 (policy rejected due to licensing).
What testing revealed
Removing the Windows Business component from the licence and running "ClipDLS.exe removesubscription" then "ClipRenew.exe" sees the errors clear. The device returns to a clean Windows Pro state and the policy applies successfully. Microsoft support confirmed this is currently working as designed.
Outstanding questions
Is anyone else seeing this on Business Premium devices? Has anyone found a workaround that doesn't involve removing a paid licence component? Has anyone successfully escalated this to get a permanent resolution?
Hi James Rodoreda,
The errors 65000 and 0x82b00006 occur because the Intune DeviceGuard Configuration Service Provider fails to recognize the Windows 11 Business subscription identifier as a valid licensing tier. As your testing demonstrated, this is a deployment pipeline flaw in how Intune validates the payload rather than a hardware capability or true OS restriction, which is why Microsoft Support states the current validation behavior is structurally working as designed. Since removing your paid license to force a fallback to the standard Windows 11 Pro state is not a sustainable operational strategy, you must bypass the Intune security baseline profile for these specific settings.
The most reliable workaround is to deploy a PowerShell script through Intune to manipulate the local system registry, which directly forces the hardware sandboxing features to activate. You need to target the system registry path at HKLM\System\CurrentControlSet\Control\DeviceGuard and set both the EnableVirtualizationBasedSecurity value and the RequirePlatformSecurityFeatures value to 1. By applying these settings directly to the registry, you instruct the operating system to load memory integrity and Virtualization-Based Security upon the next reboot without asking the flawed Intune policy engine for permission. This method successfully secures your endpoints while retaining your licensing advantages, serving as the standard engineering resolution until Microsoft structurally updates their baseline evaluation logic.
Hope this answer brought you some useful information :)
Domic V.
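
The registry change described in the answer above, as an added PowerShell example that is not part of the original thread and not Microsoft's own script. It writes the two values the answer names only when they differ, then reads the Win32_DeviceGuard CIM class so the result can be confirmed after the reboot. The `Scenarios\HypervisorEnforcedCodeIntegrity\Enabled` value and the status check are assumptions added here from Microsoft's documented memory integrity settings; the answer does not mention them.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run elevated, or as SYSTEM via an Intune platform script.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

$desired = @(
    # The two values named in the answer above.
    @{ Path = $dgKey; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 }
    @{ Path = $dgKey; Name = 'RequirePlatformSecurityFeatures';   Value = 1 }  # 1 = Secure Boot
    # Assumption beyond the answer: Microsoft's memory integrity documentation
    # lists this value as the switch for HVCI itself.
    @{ Path = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"; Name = 'Enabled'; Value = 1 }
)

$changed = $false
foreach ($item in $desired) {
    if (-not (Test-Path -Path $item.Path)) {
        New-Item -Path $item.Path -Force | Out-Null
    }
    # Read the current value; $null when the value does not exist yet.
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name `
                    -ErrorAction SilentlyContinue).($item.Name)
    if ($current -ne $item.Value) {
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Set $($item.Name): '$current' -> $($item.Value)"
        $changed = $true
    }
}

# Registry values only state intent; the CIM class reports what is actually running.
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2

Write-Output "VBS running: $vbsRunning; HVCI running: $hvciRunning; values changed this run: $changed"
```

The status lines will report `False` until the device has rebooted after the values are first written, so run the script again after the restart to confirm that VBS and HVCI are running.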