Notes to myself and to the community :
VMware Workstation requires access to Intel VT-x and VT-x/EPT for nested virtualisation
(The same must be true for other type 2 hypervisors; e.g. VirtualBox, QEMU, etc.)
Hardware > Windows > VMware Workstation (type 2 hypervisor) > ESXi VM > vCenter VM or whatever_VM
- With Windows Virtual Secure Mode (VSM) and DeviceGuard enabled, Hyper-V starts first, then starts the "guest" Windows 10/11 OS
- The CPU VT-x instructions are not accessible to that guest Windows OS or to any process running in that OS
- When starting the ESXi VM, VMware Workstation can't use the VT-x instructions, which disables its nested virtualisation capability
- ESXi runs but can't start any (nested) VM
Many posts describe how to disable / uninstall Hyper-V, DeviceGuard, Credential Guard, Hypervisor-Enforced Code Integrity (HVCI), ... but none of them worked for me:
- https://www.nakivo.com/blog/virtualization-applications-with-hyper-v-device-guard-and-credential-guard/
- https://www.anoopcnair.com/disable-virtualization-based-security-windows/
DeviceGuard always shows as running (VirtualizationBasedSecurityStatus == 2):
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 0
InstanceIdentifier : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
PSComputerName :
Intel VT-x and VT-x/EPT were still reported as unavailable / unchecked by the "Intel® Processor Identification Utility".
This other post describes exactly the same issue, and a solution:
- Download the dgreadiness tool: https://www.microsoft.com/en-us/download/details.aspx?id=53337
- Disable DeviceGuard and Credential Guard for the next reboot only:
.\DG_Readiness_Tool_v3.6.ps1 -Disable
# Some errors are logged, but after the next reboot "VirtualizationBasedSecurityStatus" shows as disabled
- I had a UEFI prompt at boot asking to confirm the "disabling": said "yes"
- Check that DeviceGuard is off (VirtualizationBasedSecurityStatus == 0):
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 0
InstanceIdentifier : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 0
PSComputerName :
DeviceGuard seems to stay disabled even after several reboots
See the dgreadiness README to re-enable:
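The two Win32_DeviceGuard dumps above are hard to read because every field is a bare integer. The following PowerShell function is an added example (not part of the original notes or of the dgreadiness tool): it queries the same CIM class and decodes the values using the meanings from Microsoft's Win32_DeviceGuard documentation (VirtualizationBasedSecurityStatus 0/1/2 = not enabled / enabled but not running / running; SecurityServices ids 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement; AvailableSecurityProperties ids 1..7 as listed in the code). Ids it does not know are reported as "Unknown (n)" rather than dropped. Run it before the -Disable step to see exactly which protections (Credential Guard isolating LSASS secrets, HVCI enforcing kernel code integrity) you are trading for nested virtualisation, and again after -Enable to confirm they are back. The Type2NestedVirtPossible field is the condition described in these notes (VBS not running), not a guarantee from any hypervisor vendor.

```powershell
# Added example: decode Win32_DeviceGuard into readable state.
# Value meanings per Microsoft's Win32_DeviceGuard documentation.
function Get-VbsReport {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    $vbsStatus = @{
        0 = 'VBS not enabled'
        1 = 'VBS enabled but not running'
        2 = 'VBS enabled and running'
    }
    # SecurityServicesConfigured / SecurityServicesRunning ids (0 = none)
    $services = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor-Enforced Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    # AvailableSecurityProperties ids
    $props = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protections'
        6 = 'SMM mitigations'
        7 = 'Mode Based Execution Control (MBEC)'
    }

    # Map an id list through a lookup table, keeping unknown ids visible.
    function Resolve-Ids([uint32[]]$ids, [hashtable]$table) {
        @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            $id = [int]$_
            if ($table.ContainsKey($id)) { $table[$id] } else { "Unknown ($id)" }
        })
    }

    $status = [int]$dg.VirtualizationBasedSecurityStatus

    [pscustomobject]@{
        VbsStatus               = if ($vbsStatus.ContainsKey($status)) { $vbsStatus[$status] } else { "Unknown ($status)" }
        ServicesRunning         = Resolve-Ids $dg.SecurityServicesRunning    $services
        ServicesConfigured      = Resolve-Ids $dg.SecurityServicesConfigured $services
        AvailableProperties     = Resolve-Ids $dg.AvailableSecurityProperties $props
        HvciEnforcement         = [int]$dg.CodeIntegrityPolicyEnforcementStatus
        # Per these notes: while VBS is running, Hyper-V owns VT-x and a type 2
        # hypervisor on this host cannot pass VT-x/EPT to its guests.
        Type2NestedVirtPossible = ($status -ne 2)
    }
}

Get-VbsReport | Format-List
```

Run it from an elevated PowerShell session on the host (the CIM class is readable without elevation on most builds, but the -Disable/-Enable steps of the tool need it anyway). With the first dump above it reports "VBS enabled and running" and Type2NestedVirtPossible = False; with the second dump it reports "VBS not enabled" and True.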
To enable only HVCI
Usage: DG_Readiness.ps1 -Enable -HVCI
To enable only CG
Usage: DG_Readiness.ps1 -Enable -CG
To Verify if DG/CG is enabled
Usage: DG_Readiness.ps1 -Ready
To Disable DG/CG.
Usage: DG_Readiness.ps1 -Disable
To Verify if DG/CG is disabled
Usage: DG_Readiness.ps1 -Ready
To Verify if this device is DG/CG Capable
Usage: DG_Readiness.ps1 -Capable
To Verify if this device is HVCI Capable
Usage: DG_Readiness.ps1 -Capable -HVCI