Virtualized Intel VT-x/EPT not supported on this platform / Workstation does not support nested virtualisation on the host

Article ID: 389469


Products

VMware vSphere ESXi

Issue/Introduction

Unable to power on the Workstation VM with the Virtualized Intel VT-x/EPT feature enabled.

Environment

Workstation 15.x, 16.x, 17.x

Cause

Hyper-V and VBS need to be disabled on the workstation VM.

Whether they are enabled can be determined from vmware.log (log location: C:\Users\<YourUsername>\Documents\Virtual Machines\<VM Name>\vmware.log).

In the vmware.log file, search for "Monitor Mode:" and read the value after the colon. If the value is "CPL0", the VMware engine is running. If the value is "UML", the slower Hyper-V API is in use.

 

Monitor Mode CPL0:

In virtualization, Monitor Mode CPL0 is often associated with running code at the highest privilege level (Ring 0) inside a VM. This concept is related to how VMware allows the guest VM to execute instructions that would normally require CPU-level privilege.

UML (User-Mode Linux):

UML (User-Mode Linux) refers to running a Linux kernel as a user-space process on a Linux host rather than directly on hardware, which is typically used for testing or security purposes.

Resolution

Solution:

Support for running ESXi as a nested virtualization solution

Broadcom does not support running nested hypervisors within a virtual machine on VMware vSphere ESXi, VMware Workstation or VMware Fusion with the exception of the following limited scenarios where Hyper-V is used in conjunction with Microsoft Windows Client and Windows Server guest operating systems:

  • Enabling Virtualization Based Security (VBS). For more information, see Virtualization Based Security
  • Enabling Microsoft Defender Application Guard.
  • Installation of Windows Subsystem for Linux 2 (WSL 2).
  • Installation of Azure Kubernetes Service Edge Essentials, limited to Single Machine clusters.
  • Installation of Azure IoT Edge for Linux on Windows (EFLOW).

Workaround:

  1. Hyper-V and VBS in Windows 11:
    • Windows 11 uses Hyper-V for virtualization-based security features (e.g., Device Guard, Credential Guard), which affects system performance.
    • VBS runs the OS as a guest under Hyper-V, which can slow down VMware performance.
  2. VMware and Hyper-V Compatibility:
    • VMware Workstation 17+ can coexist with Hyper-V but uses the slower Hyper-V APIs when Hyper-V is enabled, reducing performance.
    • To check whether VMware is using the slower Hyper-V API or its own engine, look for "Monitor Mode" in the vmware.log file.
  3. Decision for the User:
    • Decide whether to keep Hyper-V and VBS for enhanced security or disable them for better VMware performance. Disabling Hyper-V removes some security features and the ability to run WSL.

Steps for Disabling Hyper-V and VBS:

Phase 1: Initial Steps

  1. Turn off Memory Integrity:
    • Go to Settings > Core Isolation and turn off Memory Integrity protection.
  2. Disable Hyper-V and Related Features:
    • Open the Windows Features control panel and turn off Hyper-V and its sub-features (Hypervisor Platform, Virtual Machine Platform, Windows Sandbox).
    • Restart the system.

Phase 2: Advanced Steps (If Phase 1 is Insufficient)

  1. Disable Hypervisor Launch:
    • Open Command Prompt as Administrator and run: bcdedit /set hypervisorlaunchtype off.
  2. Edit Registry for Virtualization-Based Security:
    • Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.
    • Set EnableVirtualizationBasedSecurity to 0.
  3. Disable VBS in Local Group Policy Editor:
    • Open Group Policy Editor (gpedit.msc) and disable "Turn On Virtualization Based Security" under Computer Configuration -> Administrative Templates -> System -> Device Guard.
    • Restart the system and check whether VBS is disabled (in System Information, the VBS value should read "disabled").

If it is still not disabled, follow the method below.

Phase 3: Final Step Using Microsoft's Tool

  1. Download and Use the Microsoft Script:
  2. Check System Information:
    • Check the System Information tool to ensure VBS is disabled.
    • VMware should now show "CPL0" in Monitor Mode for optimal performance.
  3. Revert Script Execution Policy (Optional):
    • After completing the steps, you can revert the PowerShell script execution policy to the default with: Set-ExecutionPolicy Default.

Afterwards, try to power on the VM with the Virtualized Intel VT-x/EPT feature enabled.
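
A read-only check of the settings this procedure changes, as an added example that is not part of the original article or Broadcom's tooling: it reads the Monitor Mode value from vmware.log and reports the VBS state from the Win32_DeviceGuard CIM class, the DeviceGuard registry value, and bcdedit. The function names and the $VmLog default are assumptions; replace the <YourUsername> and <VM Name> placeholders with your own path.

```powershell
# Added example (not from the article): read-only status check, changes nothing.
# Run from an elevated PowerShell prompt so bcdedit can read the boot store.
param(
    # Placeholder path from the article; substitute your user name and VM name.
    [string]$VmLog = 'C:\Users\<YourUsername>\Documents\Virtual Machines\<VM Name>\vmware.log'
)

function Get-MonitorMode {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'log not found' }
    # The article: search for "Monitor Mode:" and read the value after the colon.
    # Take the last match so the most recent power-on attempt wins.
    $hit = Select-String -LiteralPath $Path -Pattern 'Monitor Mode:\s*(\S+)' |
        Select-Object -Last 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'not logged' }
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
        -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue
    $bcd = bcdedit /enum '{current}' 2>$null |
        Where-Object { $_ -match '^hypervisorlaunchtype\s+\S+' } |
        Select-Object -First 1
    $vbsText = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus is 0, 1 or 2, mapped to text above.
        VbsStatus = if ($dg) { $vbsText[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }
        # SecurityServicesRunning: 1 = Credential Guard, 2 = memory integrity (HVCI).
        CredentialGuard = [bool]($dg -and $dg.SecurityServicesRunning -contains 1)
        MemoryIntegrity = [bool]($dg -and $dg.SecurityServicesRunning -contains 2)
        RegistryEnableVbs = if ($reg) { $reg.EnableVirtualizationBasedSecurity } else { 'not set' }
        HypervisorLaunchType = if ($bcd) { ($bcd.Trim() -split '\s+')[-1] } else { 'unknown' }
    }
}

$mode  = Get-MonitorMode -Path $VmLog
$state = Get-VbsState
$state | Add-Member -NotePropertyName MonitorMode -NotePropertyValue $mode -PassThru | Format-List

# The script reports whatever follows the colon instead of matching a fixed
# string for the Hyper-V case; only CPL0 is treated as the VMware engine.
if ($mode -eq 'CPL0') {
    'Monitor Mode is CPL0: the VMware engine is running.'
} else {
    "Monitor Mode is '$mode', not CPL0: review the VBS and hypervisor values above."
}
```

Run it before Phase 1 and again after the final restart, and keep the first output so Credential Guard and memory integrity can be restored to the same state if the VM no longer needs nested virtualization.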