Since VMware's virtual environment cannot normally coexist with Windows 11 Pro 23H2 Japanese Edition as shipped, it was necessary to disable VBS (virtualization-based security) in order to use VMware Workstation Pro 17.5.
A quick Google search shows that to disable VBS you need to turn off Hyper-V, which Windows itself uses, as well as Device Guard, Credential Guard, and Core Isolation, which Windows Defender uses. However, even after I turned off all of these, including every feature I could find that uses Hyper-V, something still kept Hyper-V in use. As a result I could not turn off VBS, and the virtualization software VMware Workstation Pro 17.5 could not be used properly.
Coexistence with Hyper-V using WHP
It is not accurate to say that VMware Workstation Pro 17.5 uses Hyper-V and therefore cannot coexist with it: it can create a virtual environment as a ULM using WHP (Windows Hypervisor Platform).
However, this creates a nested virtual machine on top of Hyper-V, which consumes a lot of resources and results in a virtual machine with poor performance. To check which mode your virtual machine is running in, start it once and look at the monitor mode recorded in vmware.log.
In CPL0 mode the VM uses VMware's own virtualization functions, so it runs at its original performance.
In ULM mode, however, WHP is used to run the virtual machine, which has a significant impact on performance.
About VBS
This is a defense function that uses the Windows hypervisor included as standard in Windows Pro. It uses an isolated environment to prevent intrusions into the host.
Virtualization-based Security (VBS)
Provides guidance on what an OEM should do to enable VBS
Memory integrity is listed as an example of one of the VBS functions.
Enable memory integrity - Windows Security
This article explains the steps to opt in to using memory integrity on Windows devices.
During the troubleshooting process I had to disable every VBS function, which required me to investigate Windows' defense mechanisms.
To check whether VBS is turned off, use msinfo32, or run systeminfo at the command prompt.
How to turn off general VBS
Generally, VBS should be disabled by doing the following:
Disable Device Guard
Disable Credential Guard
Disable Secure Boot in the BIOS
Enable only VT-d in the BIOS (this varies by CPU; disabling VT-d does disable VBS, but it is equivalent to disabling all virtualization functions.)
Disable Core Isolation in Windows Security
There are many guides for the above steps if you google them, so I will only describe them briefly here.
Uninstall Hyper-V
Control Panel -> Programs and Features -> Turn Windows features on or off
Local Group Policy Editor: Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security
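As an added example (not code from the original post or from any of the vendors mentioned in it), the following read-only PowerShell script gathers in one place what the msinfo32 check earlier and the list of items above inspect by hand: the VBS status and the security services actually running (from the Win32_DeviceGuard WMI class), the two DeviceGuard registry locations, the Hyper-V related optional features, Secure Boot, and whether the Windows hypervisor is set to launch at boot. It assumes an elevated PowerShell prompt on Windows 10/11; the status codes are those Microsoft documents for Win32_DeviceGuard.

```powershell
# Added example, not from the original post or any vendor it mentions.
# Read-only audit of the VBS-related state discussed in the post.
# Assumes an elevated PowerShell prompt on Windows 10/11.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
"VBS status           : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"

# SecurityServicesConfigured / SecurityServicesRunning share these codes:
# 1 = Credential Guard, 2 = HVCI (memory integrity, i.e. Core Isolation),
# 3 = System Guard Secure Launch, 4 = SMM firmware measurement.
$svc = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
          3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
function ConvertTo-ServiceNames([uint32[]]$codes) {
    # Unknown codes (newer builds add more) are shown numerically rather than dropped.
    @($codes | ForEach-Object { if ($svc.ContainsKey([int]$_)) { $svc[[int]$_] } else { "code $_" } }) -join ', '
}
"Services configured  : $(ConvertTo-ServiceNames $dg.SecurityServicesConfigured)"
"Services running     : $(ConvertTo-ServiceNames $dg.SecurityServicesRunning)"

# The local setting and the Group Policy key that the post edits with regedit.
foreach ($p in 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard',
               'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard') {
    if (Test-Path $p) {
        $v = Get-ItemProperty -Path $p
        "$p : EnableVirtualizationBasedSecurity=$($v.EnableVirtualizationBasedSecurity) RequirePlatformSecurityFeatures=$($v.RequirePlatformSecurityFeatures)"
    } else {
        "$p : key absent"
    }
}

# Optional features that keep a hypervisor around: Hyper-V itself, WHP (what VMware
# falls back to in ULM mode), VirtualMachinePlatform (used by WSL 2), Application Guard.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -match 'Hyper-V|HypervisorPlatform|VirtualMachinePlatform|ApplicationGuard' } |
    ForEach-Object { '{0,-45} {1}' -f $_.FeatureName, $_.State }

# Secure Boot; Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI boot.
try   { "Secure Boot          : $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot          : not UEFI, or query not supported" }

# Whether the Windows hypervisor is configured to launch at boot (BCD hypervisorlaunchtype).
$hv = bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype'
"hypervisorlaunchtype : $(if ($hv) { ($hv.Line -replace '\s+', ' ').Trim() } else { 'not present in BCD' })"
```

If "Services running" still lists Credential Guard or HVCI after the UI switches are off, the policy key or the BCD entry is the place to look next; the script changes nothing, so it is safe to re-run after each reboot.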
Fighting technical support
There may be things I have forgotten to mention, but I followed all of the steps above: I disabled them from the UI, manipulated the registry directly, and even disabled them all from the command line, yet Hyper-V remained enabled and I was unable to disable VBS.
The procedures above are discussed in the VMware community, and after about 10 hours of Googling and trying every solution I still could not turn it off, so I first opened a paid support ticket with VMware.
vs VMware Support
I didn’t expect that at all.
When writing up the support request, there was a check box to specify the contact time, namely 9:00-18:00 from Monday to Friday. Around 22:00 on Friday I wrote down the inquiry and submitted the ticket.
On Monday at around 1 pm my mobile rang. It was VMware Support, and I had to fight to keep up because they were speaking very fast Indian English.
I will write about this in a separate post, but I opened two tickets and VMware had a solution for one of the issues.
In the end, VMware Support knew that the VMware performance issue could be resolved by running the virtual machine on CPL0 instead of WHP, but we spent five hours over two days, sharing our screens, trying to figure out how to disable VBS components such as Device Guard and how to set the BIOS, and we were unable to solve the problem.
I tried every possible solution but could not resolve the issue, and was told that this is a Windows issue and is not supported by VMware.
Incidentally, when I asked what would happen if I uninstalled WHP from a virtual machine running on ULM, I was told that it would then run on CPL0 without any effort. However, while installing the WHP module is easy, removing it is very difficult. I was given instructions on how to do it, but my impression was that a clean install would be quicker.
According to their policy, once you open a paid ticket, you continue to receive support for one year until the issue is resolved.
vs Lenovo Support
Initially, the PC was a ThinkPad P1 Gen6 with Windows 11 Pro pre-installed by Lenovo.
Fortunately, I had a one-year Lenovo support contract, so I was able to receive support.
I asked whether any pre-installed software, such as a protection feature that uses Hyper-V, might be involved.
After investigation, it was determined that Lenovo had not installed any such software.
You can see a lot of discussion on the Lenovo community, but to be honest, it’s not Lenovo’s fault.
How to enable Virtualization Technology on Lenovo PC computers – Lenovo Support DE
Steps and instructions on how to enable Virtualization Technology on Lenovo PC computers.
Unable-to-disable-virtualization-based-security-on-Windows-11 – English Community – LENOVO COMMUNITY
Just in case, after consulting with Lenovo Support, I decided to try reinstalling from a clean image.
Even with the clean image provided by Microsoft, I was still unable to turn off VBS.
This means that the software and drivers pre-installed by Lenovo were not the problem.
vs Kaspersky Support
I had Kaspersky installed as my security software, so I asked them as well, without much thought.
I wondered whether it had a function similar to Core Isolation, but Kaspersky Support said to end Kaspersky from the task list and check whether VBS is then disabled; if it is still not disabled, it is not a Kaspersky problem.
Personally, I thought that since this was an OS problem I would have to uninstall Kaspersky and restart the OS to find out, but based on the outcome of my contact with Lenovo Support above, I reinstalled the OS from a clean image.
The problem was not resolved, so it turned out that Kaspersky was not the cause.
vs Microsoft Support
VMware was a formidable opponent, but Microsoft Support was also a formidable opponent in its own way.
I contacted Microsoft technical support, but having spent dozens of hours researching Windows' virtualization-based defense mechanism, I ended up explaining how it works to the support staff more than they explained anything to me.
Although they said that Hyper-V is disabled by default, it was in fact enabled.
For various reasons I contacted them three times, but none of the support engineers could answer; they said it was too technical and outside the scope of their support.
As a result, I was referred to Microsoft Unified, Microsoft's top-level support desk, for issues that cannot be handled by consumer technical support.
Microsoft Unified Overview | Microsoft Unified
Maximize your investment with Microsoft Unified and discover what Microsoft can do as a partner to help enable your technological success.
This is a support desk that mainly supports large companies building large-scale networks with AD and Azure. The Microsoft Support engineer who referred me to it said that a ticket would cost at least 50,000 yen, and could cost more depending on the problem.
I wondered why I would have to get corporate support for personal use.
The savior appears.
A few days later, Kaspersky Support, who had interpreted my question as meaning that I wanted to use Kaspersky's own virtualization-based protection (which was not my original purpose), consulted their virtualization protection specialist team and walked me through steps for disabling VBS. Among them was a solution I had never seen before.
If you want to use “Use hardware virtualization when available”, there are several steps to take, so please try the following operations.
*The following are operations on the OS side, so if you have any questions, please consult your PC manufacturer or Microsoft.
[1] Turn off Smart App Control.
Click the [Start] button, enter Windows Security, and press Enter.
Click “App and browser control” on the left, and click “Smart app control settings” on the right.
Click “Off”.
Restart your PC and check if there is any improvement.
If the above does not improve the situation, correct the message “Code integrity control is enabled in the operating system”.
[2]
Click the [Start] button, enter PowerShell in the search field, right-click PowerShell, and select Run as administrator.
If the command fails because the file is not found, try the following command: C:\DG_Readiness_Tool_v3.6\DG_Readiness_Tool_v3.6\DG_Readiness.ps1 -Disable
Restart the PC. Check if there is any improvement.
If the above operation does not improve the situation, start regedit and navigate to the following path: HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> DeviceGuard
Export this registry branch.
Next, write a new key on the right side: right-click → New → DWORD (32-bit) Value. Name it “EnableVirtualizationBasedSecurity”. It should be set to 0 by default; double-click to check the value.
Restart your PC. Check if there is any improvement.
If there is no improvement after performing the above steps, please perform the following steps.
[4]
Click Settings → Apps → Optional features → Other Windows features → [Turn Windows features on or off] and select [Microsoft Defender Application Guard] in the dialog.
*Please check the setting status of “Microsoft Defender Application Guard”. If it is checked, uncheck it. Also, expand the window and take a screenshot of all the settings.
*If you are asked to restart, please be careful not to restart yet.
Start regedit again and navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Check whether there is a DeviceGuard subfolder (on the left). If there is, right-click it and select “Delete”.
Restart your PC. Check if there is any improvement.
If Secure Boot is enabled in the BIOS, disable it. *Please refer to the video for instructions.
I had already done all of these steps.
The steps that will most likely succeed in disabling VBS are as follows:
Microsoft Support was not aware that Microsoft had released this tool.
Download Device Guard and Credential Guard hardware readiness tool from Official Microsoft Download Center
Use this tool to see if your hardware is ready for Device Guard and Credential Guard. You can also use this to enable Device Guard or Credential Guard.
When I rebooted, a warning appeared asking whether it was OK to disable Credential Guard and VBS; when I followed the warning and pressed a key like F3, VBS was disabled.
This tool is a Windows PowerShell script that needs to run with elevated permissions. It will work with Windows 10 (beginning with version 1607) and Windows Server 2016. You can use this tool in the following ways:
Check if the device can run Device Guard or Credential Guard
Check if the device is compatible with the Hardware Lab Kit tests that are run by partners
Enable and disable Device Guard or Credential Guard
Check the status of Device Guard or Credential Guard on the device
Integrate with System Center Configuration Manager or any other deployment mechanism to configure registry settings that reflect the device capabilities
Use an embedded ConfigCI policy in audit mode that can be used by default to enable Device Guard when a custom policy is not provided
Download this tool and run the following command using PowerShell as an administrator: