Published: April 4th 2025

Virtualization Issues with VMware Workstation Pro on Windows 11 version 24H2

 

What is the case?

After a Windows 11 upgrade to version 24H2 or after a fresh Windows 11 24H2 installation, VMware Workstation Pro is not able to launch virtual machines with nested virtualization. You can enable nested virtualization in VMware Workstation by enabling Intel VT-x/EPT or AMD-V/RVI. However, because of Microsoft Virtualization Based Security, the following error pops up:

Intel: Virtualized Intel VT-x/EPT is not supported on this platform.

AMD: Virtualized AMD-V/RVI is not supported on this platform.

Known impacted systems on VMware Workstation are Cisco CML and GNS3 virtual labs. Other Windows hypervisor alternatives like VirtualBox are also impacted.

 

What is the cause?

Windows 24H2 introduced a new virtual device security feature: Virtualization Based Security (VBS) with UEFI lock. This breaks the VMware Workstation nested virtualization functionality because the settings are persisted in EFI (firmware).

In earlier Windows versions, VBS could be disabled relatively easily. Since Windows 24H2, the UEFI lock must also be disabled at startup.

 

Methods to solve the issue

There are a few work-arounds to solve this issue:

  • Downgrade Windows to an earlier version
  • Use Hyper-V instead of VMware for virtualization

 

Unfortunately, downgrading is not a simple process and Hyper-V does not have the same functionality as VMware Workstation.

There is another way, but it is risky:

  • Security will be lowered.
  • Hyper-V cannot be used on the PC anymore.
  • There is a chance that Windows Hello has to be reconfigured afterwards.
  • There is a chance that the BitLocker Encryption Key is needed to unlock the system drive.

 

If you want to proceed, take precautions in case something goes wrong.

Precautions

Disclaimer

This manual and the corresponding script involve actions that could lead to lower security. Metis IT is not responsible for security breaches that are caused by lowering security.

The mentioned modifications have been tested on multiple systems but Metis IT is not responsible for any damage that is caused by this manual or the corresponding script.

Create a Restore Point

Search for “Create a restore point” or run SystemPropertiesProtection.exe.

When you see system properties, click “Create”.

Now you have a restore point of your system drive in case you want to revert the changes.

Check if your user account is able to log on with a password.

This is important because Windows Hello could be disabled after the modifications. In that case you must be able to log on with a username and password.

Go to Windows Settings => Accounts => Sign-In options => Additional settings

Verify that the option “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device (recommended)” is disabled (Off). If the option is enabled (On), disable it.

Create a local user that is a member of the local admins group.

If you already have a local backup administrator account without Windows Hello authentication, you can skip this step.

Otherwise, follow the steps in this article on our website.

 

Print your BitLocker recovery key in case of emergency.

If you don’t have an encrypted system drive in Windows, you can skip this step. If you don’t know if your system drive is encrypted, please verify this before you continue.

Run (without quotes) “control /name Microsoft.BitLockerDriveEncryption”

Or search for Control Panel and open it. After that, go to System and Security => BitLocker Drive Encryption.

Check if BitLocker is enabled (on) for the Windows C: operating system drive.

A BitLocker recovery key is needed when BitLocker can’t automatically unlock an encrypted drive in Windows. This key, which is a 48-digit number, is used to regain access to the drive.

You might be prompted for the BitLocker recovery key during startup, due to a security risk or hardware change. That’s why it is important to find your BitLocker recovery key ID and the key itself. Print it out or write it down.

This article describes where you can find your BitLocker recovery key.

 

Temporarily turn off Tamper Protection via Windows Security.

Windows Tamper Protection is used to protect the Windows security features. Temporarily disable it before you make any changes to the system because this feature can revert the changes.

Open Settings by pressing Win + I (i).

Go to Privacy & Security.

Select Windows Security.

Go to Virus & threat protection.

Under Virus & threat protection, scroll down and click “Manage settings”.

Scroll down and find “Tamper Protection”.

Toggle it Off (temporarily).

The warning message can safely be ignored because you will enable Tamper Protection again at the end.

A reboot may be required.

Check if you have a recent backup copy of your data.

In the rare case that you cannot access your data anymore after the modifications, please check that you have a recent online and/or offline backup copy of your data. Of course this should always be the case.
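The precautions above can be verified in one pass before any change is made. The following read-only check is an added example, not part of the Metis IT script; it assumes an elevated Windows PowerShell 5.1 session on a system where the BitLocker and Microsoft Defender cmdlets are available.

```powershell
# Added example: read-only pre-flight check for the precautions listed above.
# Run in an elevated Windows PowerShell 5.1 session. It changes nothing.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. Most recent restore point (Get-ComputerRestorePoint exists in Windows PowerShell 5.1 only).
$rp = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
      Sort-Object SequenceNumber | Select-Object -Last 1
$report['Latest restore point'] = if ($rp) {
    '{0} ({1})' -f $rp.Description, $rp.ConvertToDateTime($rp.CreationTime)
} else { 'NONE FOUND' }

# 2. BitLocker on the system drive: is it on, and does a recovery password protector exist?
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($blv) {
    $report['BitLocker status'] = "$($blv.ProtectionStatus) / $($blv.VolumeStatus)"
    $ids = $blv.KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword' |
           ForEach-Object KeyProtectorId
    # Only the protector ID is shown; compare it with the ID on your printed recovery key.
    $report['Recovery key ID(s)'] = if ($ids) { $ids -join ', ' } else { 'NO RECOVERY PASSWORD' }
} else {
    $report['BitLocker status'] = 'not available or drive not encrypted'
}

# 3. Tamper Protection (expected False while you make the changes, True again afterwards).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['Tamper Protection on'] = if ($mp) { $mp.IsTamperProtected } else { 'Defender status unavailable' }

# 4. Enabled, purely local accounts in the built-in Administrators group
#    (well-known SID S-1-5-32-544, so the check also works on non-English systems).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
          Where-Object PrincipalSource -eq 'Local'
$enabled = foreach ($a in $admins) {
    $u = Get-LocalUser -SID $a.SID -ErrorAction SilentlyContinue
    if ($u.Enabled) { $u.Name }
}
$report['Enabled local admins'] = if ($enabled) { $enabled -join ', ' } else { 'NONE' }

[pscustomobject]$report | Format-List
```

A line reading NONE FOUND, NO RECOVERY PASSWORD or NONE means the matching precaution is not yet in place.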

You are ready to go now!

 

Disable VBS and Credential Guard completely

 

What should be disabled?

The following should be done to completely disable Virtualization Based Security and Credential Guard:

  • Disable Virtualization Based Security (VBS) and Credential Guard.
  • Disable Windows Features that rely on Virtualization Based Security.
  • Disable the startup of Virtualization Based Security and Credential Guard.
  • Disable the Hyper-V host service

 

After a reboot Virtualization Based Security and Credential Guard should be disabled.

 

Script to disable Virtualization Based Security and Credential Guard

The steps mentioned above can be done by running a script as administrator. You can also do it manually. In that case you can skip this part. In both cases, you must have a user account with administrative privileges.

Create a text file Disable-VBS.CMD. Check the extension of the file because Windows can automatically add the .txt extension to the file. In that case the script will not run and you should rename the file by removing the .txt extension (Disable-VBS.cmd.txt => Disable-VBS.cmd). Copy the following text to the file and save it.

@Echo off
cls
Color 04
Echo ##############################################################################
Echo Script to disable Virtualization Based Security and Credential Guard
Echo Version 20250404 by Metis IT
Echo Script started at %date% %time%
Echo .
Echo DISCLAIMER:
Echo .
Echo This script has been made available by Metis IT! 
Echo You should only run this script if you know what you are doing.
Echo You also have taken the following precautions:
Echo - You have made a restore point.
Echo - You checked that you can logon with username and password.
Echo - A local administrator account without Windows Hello authentication is available.
Echo - You have printed out the Bitlocker Recovery Key of your system drive.
Echo - You have a recent backup copy of all your data.
Echo - You know that despite all measures taken, you can damage your pc.
Echo ##############################################################################
Echo .
choice /C YN /M "I have taken precautions and I know the risks! Press N (No) to cancel."
If errorlevel 2 Exit
If errorlevel 1 Echo .
Color
Echo Disable VBS and Credential Guard in the Windows registry
Echo ------------------------------------------------------------------------------
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v LsaCfgFlags /t REG_DWORD /d 00000000 /f
Echo ##############################################################################
Echo .
Echo Disable Windows Features that rely on Virtualization Based Security (VBS) 
Echo ------------------------------------------------------------------------------
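REM /NoRestart keeps DISM from prompting for a reboot before the remaining steps have run.
Dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /NoRestart
Dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V /NoRestart
Dism /online /Disable-Feature /FeatureName:VirtualMachinePlatform /NoRestart
Dism /online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /NoRestart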
Echo ##############################################################################
Echo .
Echo Stop and disable the Hyper-V host service 
Echo ------------------------------------------------------------------------------
sc config HvHost start= disabled
net stop HvHost /y
timeout /t 5 /nobreak
Echo Kill the Hyper-V host service if the service is still running.
taskkill /F /FI "SERVICES eq HvHost"
Echo ##############################################################################
Echo .
Echo disable Virtualization Based Security and Credential Guard at startup (UEFI lock)
Echo ------------------------------------------------------------------------------
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
bcdedit /set hypervisorlaunchtype off
bcdedit /set {current} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
Echo ##############################################################################
Echo .
Echo Script ended at %date% %time%
Echo ##############################################################################
Pause

Right-click on the script in Windows Explorer and choose the option “Run as Administrator”.

If you have run the script you can skip the rest of this chapter and go to “Reboot the PC”.

Disable Virtualization Based Security (VBS)

To disable Virtualization Based Security (VBS) do the following:

  • Open regedit.exe
  • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
  • Look for the DWORD EnableVirtualizationBasedSecurity.
  • Double-click on it and set its value to 0 to disable VBS.
  • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Look for the DWORD LsaCfgFlags.
  • Double-click on it and set its value to 0 to disable Credential Guard.
  • Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
  • Look for the DWORD EnableVirtualizationBasedSecurity (if available).
  • Double-click on it and set its value to 0 to disable VBS by policy.
  • Look for the DWORD LsaCfgFlags (if available).
  • Double-click on it and set its value to 0 to disable Credential Guard.

 

Disable the startup of Credential Guard and VBS (UEFI lock)

To disable Virtualization Based Security and Credential Guard with UEFI lock at startup, open CMD.EXE as administrator and run the following commands:

mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set vsmlaunchtype off
bcdedit /set hypervisorlaunchtype off

Disable Windows Features

To disable Windows Features that rely on Virtualization Based Security (VBS) do the following:

Open Control Panel.

Go to “Programs” and click on “Turn Windows Features on or off”.

Turn off the following features:

  • Virtual Machine Platform
  • Windows Hypervisor Platform
  • Windows Subsystem for Linux

Disable the Hyper-V host service

To disable the Hyper-V services at startup, do the following:

  • Open services.msc and check the “HV Host Service”.
  • Right-click on the service and select Properties.
  • Change the Startup type from “Automatic” to “Disabled”.
  • Click “Apply”.
  • Click “Stop”.
  • Click “OK”.

After this, check if the service is disabled and has been stopped.

You may disable all Hyper-V services, but that is not necessary.

Reboot the pc and check if VBS is disabled

 

Reboot the pc

  • Reboot the pc.
  • When prompted, accept the changes with credential guard and device guard by pressing F3.
  • It is possible that your pc asks for your BitLocker recovery key.
  • In that case enter the key that you have printed out or written down.
  • It is possible that logon with Windows Hello is broken.
  • In that case, log on with username and password or (if that is not possible) with the backup local admin account.

 

Check if VBS is disabled

  • Start MSINFO32.exe and check if Virtualization Based Security is disabled.
  • If it is disabled check if VMs that are using nested virtualization in VMware Workstation will start normally.

If Virtualization Based Security has been disabled, reboot the pc again. This is because this change can be reverted by other processes or services.
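MSINFO32 shows only the resulting status. The following read-only snapshot is an added example, not part of the Metis IT script; it reports that status together with the registry values, boot entries and service the procedure changes, so the state can be compared before the change, after each reboot and after a roll-back. The function name Get-VbsState and the output file name are assumptions made for this example.

```powershell
# Added example: read-only snapshot of the settings touched by the procedure.
# Run elevated (bcdedit requires it). It changes nothing.
function Get-VbsState {
    $state = [ordered]@{}

    # Status as reported by Windows itself (the data behind the MSINFO32 entry).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $state['VBS status'] = if ($dg) { $vbsText[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = memory integrity (HVCI)
    $state['Credential Guard running'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # Registry values set by the procedure; a missing value is reported as such.
    $values = @(
        @('HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard', 'EnableVirtualizationBasedSecurity'),
        @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'LsaCfgFlags'),
        @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard', 'EnableVirtualizationBasedSecurity'),
        @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard', 'LsaCfgFlags')
    )
    foreach ($v in $values) {
        $item = Get-ItemProperty -Path $v[0] -Name $v[1] -ErrorAction SilentlyContinue
        $state["$($v[0])\$($v[1])"] = if ($item) { $item.($v[1]) } else { '(not set)' }
    }

    # Boot configuration elements of the running OS entry.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    foreach ($name in 'hypervisorlaunchtype', 'vsmlaunchtype', 'loadoptions') {
        $line = $bcd | Where-Object { $_ -match "^$name\s+" } | Select-Object -First 1
        $state["BCD $name"] = if ($line) { ($line -replace "^$name\s+", '').Trim() } else { '(not set)' }
    }

    # HV Host Service state and startup type.
    $svc = Get-Service -Name HvHost -ErrorAction SilentlyContinue
    $state['HvHost service'] = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { '(not present)' }

    [pscustomobject]$state
}

$now = Get-VbsState
$now | Format-List

# Keep a timestamped copy so later runs can be compared with this one
# (the file name and location are choices made for this example).
$file = Join-Path $env:USERPROFILE ("vbs-state-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$now | ConvertTo-Json | Set-Content -Path $file
```

If a later run shows the registry values or BCD elements back at their old settings, another process or a policy has reverted the change.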

 

Post modifications

If Virtualization Based Security is still disabled after the second reboot, do the following:

Repair Windows Hello (if necessary)

  • Go to the Windows settings => Accounts => Sign-in options
  • Repair the Windows Hello settings if necessary

Enable Tamper Protection again

To enable Tamper Protection again, do the following:

  • Open Settings by pressing Win + I (i).
  • Go to Privacy & Security and select Windows Security.
  • Under Virus & threat protection, scroll down and click Manage settings.
  • Find Tamper Protection and toggle it On.

 

 

What if VBS is still enabled after the reboots?

If Virtualization Based Security is still enabled after the reboot, advanced troubleshooting is needed.

Disable VBS and Credential Guard with a Microsoft script

Microsoft has made a PowerShell script available that can check Virtualization Based Security and Credential Guard readiness. This script can also disable and enable it.

  • Download the Microsoft Device Guard and Credential Guard hardware readiness tool from this URL.
  • Unpack the zip file in a folder.
  • Start PowerShell or PowerShell ISE as an administrator.
  • Go to the folder and run the following commands:
    • Set-ExecutionPolicy Unrestricted
    • .\DG_Readiness_Tool_v3.6.ps1 -disable
  • The PowerShell script shows errors when registry keys are not available. You can safely ignore those errors.
  • Reboot the pc again and confirm Virtualization Based Security and Credential Guard modifications.
  • Check again if VBS is disabled and if so, check if the VM will start without errors.
  • Don’t forget to reboot the pc again and check again.

 

Disable Full System Access to Virtualization Based Security

Another process or service may be reverting the modifications. In that case you could change the permissions of the System account on the VBS registry configuration.

  • Open the registry editor (regedit.exe)
  • Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
  • Open the advanced permissions. Change the ownership from system to local administrators and remove the full control from the system account. Be sure that the system account has only Read permissions.

 

 

Roll-back the modifications

If you want to roll back the modifications, you could do the following:

Enable VBS and Credential Guard with a Microsoft script

Microsoft has made a PowerShell script available that can check Virtualization Based Security and Credential Guard readiness. This script can also disable and enable it.

  • Download the Microsoft Device Guard and Credential Guard hardware readiness tool from this URL.
  • Unpack the zip file in a folder.
  • Start PowerShell or PowerShell ISE as administrator.
  • Go to the folder and run the following commands:
    • Set-ExecutionPolicy Unrestricted
    • .\DG_Readiness_Tool_v3.6.ps1 -enable
  • The PowerShell script shows errors when registry keys are not available. You can safely ignore those errors.
  • Reboot the pc again and confirm Virtualization Based Security and Credential Guard are up and running again.

 

Revert to the latest restore point of the system drive.

Because you made a restore point of the system drive, you can revert to this restore point.

Search for “Create a restore point” or run SystemPropertiesProtection.exe.

When you see system properties, click on System Restore.

Check that the recommended restore is selected and click “Next”

Confirm your restore point and click Finish.

Reboot the pc afterwards and check if your pc still functions as normal.

Your BitLocker key may be needed after the reboot.

Conclusion

Normally, Virtualization Based Security will now have been disabled without issues. If not, please contact Microsoft Support.

Beware that this is a work-around and that you lowered the security of your pc. When a solution is available, roll back the modifications as soon as possible.

 

Sources

https://community.broadcom.com/vmware-cloud-foundation/discussion/windows-11-24h2-update-and-workstation-pro-cannot-do-nested-virtualization

https://community.broadcom.com/vmware-cloud-foundation/discussion/windows-11-24h2-hsot-how-to-disable-virtual-based-security

https://learn.microsoft.com/en-sg/answers/questions/2113711/vbs-is-not-disabled-on-windows-11-version-24h2-os

https://answers.microsoft.com/en-us/windows/forum/all/virtualization-based-security-wont-disable/93bce5e9-1353-46ca-8b9b-3b274e67187e

https://www.microsoft.com/en-us/download/details.aspx?id=53337

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

https://www.reddit.com/r/vmware/comments/1gltwyd/unable_to_run_my_virtual_machines_after_upgrade/?rdt=42949

https://williamlam.com/2024/12/quick-tip-virtualized-intel-vt-x-ept-or-amd-v-rvi-is-not-supported-on-this-platform-for-vmware-workstation.html

https://borncity.com/win/2025/02/25/windows-11-24h2-vmware-workstation-pro-17-x-extremely-slow/

https://borncity.com/win/2025/01/18/windows-11-virtualbox-collides-with-hyper-v/

https://gns3.com/virtualized-intel-vt-x-ept-is-not-supported-on-this-platform

https://learningnetwork.cisco.com/s/question/0D56e0000E3OYtfCQG/i-have-attemped-all-of-the-solutions-in-the-discussion-threads-to-fix-the-following-error-virtualized-intel-vtxept-is-not-supported-on-this-platform-continue-without-virtualized-intel-vtxept

https://superuser.com/questions/1864128/cannot-run-virtualbox-becasue-a-hypervisor-has-been-detected
