Disable Virtualization Based Security for Nested Virtualization

Elliot 96 Reputation points
2021-02-15T20:35:32.4+00:00

Hi!

I'm trying to disable Virtualization Based Security in my Windows 10 (up-to-date) machine so I can achieve nested virtualization. However, it seems to be in "Locked" mode because secure boot is enabled in the UEFI. How can I disable secure boot or just change the EFI config to disable VBS? Usually you need BIOS/UEFI access to do this stuff, but according to some people on the internet it is indeed possible; however, I'm having trouble disabling VBS.

I tried using group policy, registry keys and editing the BCD with no success.

I ran this script here to see if nested virtualization was possible:
https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/1d4fdaefa39ea4f3f25cce3c349753bee2c88181/hyperv-tools/Nested/Get-NestedVirtStatus.ps1
It's from Microsoft and it says "NO" because "Virtualization Based Security is running". So is there any way I can manipulate those BIOS/UEFI settings?

Here is what Group Policy says about the "Disabled" option for VBS:
"The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.

The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI."

Thank you.

EDIT:

These docs should also probably be updated to account for VBS (e.g. the "GitHub" link should point to the Microsoft script, which is more up-to-date and for me actually works to detect if nested virtualization is possible on Windows 10):
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nested-virtualization

I tried running that script in that GitHub link and it says "success", but when I use the Microsoft script it says no, VBS is still running. Maybe it works on Windows Server 2016?

Also note that I'm trying to use VirtualBox not Hyper-V. I tried following this guide to no avail because of VBS:
https://e-apostolidis.gr/microsoft/azure/virtualbox-on-azure-vm-for-testing-or-run-old-apps/
Related StackOverflow issue:
https://stackoverflow.com/questions/59968891/can-i-run-a-virtualbox-inside-a-azure-vm

I also tried adding/removing certain Windows features.

I get this error in VirtualBox when starting a VM:
"WHvCapabilityCodeHypervisorPresent is FALSE! Make sure you have enabled the 'Windows Hypervisor Platform' feature. (VERR_NEM_NOT_AVAILABLE).
VT-x is not available (VERR_VMX_NO_VMX)."

Maybe I should just do this on an earlier version of Windows before VBS/VBS locking came out...


Accepted answer
  1. Elliot 96 Reputation points
    2021-02-20T03:33:35.603+00:00

    Fixed! Disabled VBS and VMs in VirtualBox work now!

    The last step of the solution for me was to simply disable the Windows features described in this issue:

    https://learn.microsoft.com/en-us/answers/questions/20853/how-do-i-disable-virtualization-based-security-in.html?childToView=149740#comment-149740

    I think I may have manually enabled them prior because their names are misleading. But, if you want nested virtualization (with VirtualBox anyway) you must disable them.

    After that check if VBS is disabled with:
    Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    VirtualizationBasedSecurityStatus should equal 0 which indicates it is off.

    If you are still experiencing issues then follow along with this post and you should be able to disable VBS for nested virtualization:

    https://learn.microsoft.com/en-us/answers/questions/245071/disable-virtualization-based-security-without-disb.html

    BTW, I think I may have been incorrect about the "Locked" setting being enabled in my Azure VM. I just assumed it was on when disabling VBS with Group Policy didn't work.

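The status check from the accepted answer, expanded into a readable report. This is an added example, not part of the original answer: `Get-VbsState` is a hypothetical helper name, the sample object is constructed, and the value meanings follow Microsoft's documentation for the `Win32_DeviceGuard` class.

```powershell
# Added example. Get-VbsState is a hypothetical helper name, not a built-in cmdlet.
function Get-VbsState {
    param(
        # Pipe in a saved object for offline review; by default query this machine.
        [Parameter(ValueFromPipeline)]
        $DeviceGuard = (Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop)
    )
    process {
        $statusNames = @{
            0 = 'Not enabled'
            1 = 'Enabled but not running'
            2 = 'Enabled and running'
        }
        $serviceNames = @{
            1 = 'Credential Guard'
            2 = 'Memory integrity (HVCI)'
            3 = 'System Guard Secure Launch'
            4 = 'SMM Firmware Measurement'
        }
        # CIM returns UInt32 values; cast to [int] so the hashtable keys match.
        $decode = {
            param($codes)
            $names = foreach ($c in $codes) {
                if ($c -eq 0) { continue }          # 0 means "no service"
                if ($serviceNames.ContainsKey([int]$c)) { $serviceNames[[int]$c] }
                else { "Unknown ($c)" }
            }
            if ($names) { $names -join ', ' } else { 'None' }
        }
        $status = [int]$DeviceGuard.VirtualizationBasedSecurityStatus
        [pscustomobject]@{
            VbsStatusCode      = $status
            VbsStatus          = $statusNames[$status]
            ServicesConfigured = & $decode $DeviceGuard.SecurityServicesConfigured
            ServicesRunning    = & $decode $DeviceGuard.SecurityServicesRunning
            VbsOff             = ($status -eq 0)   # the state the answer checks for
        }
    }
}

# Constructed sample (not captured from a real machine): VBS running with HVCI.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = [uint32]2
    SecurityServicesConfigured        = [uint32[]](1, 2)
    SecurityServicesRunning           = [uint32[]](2)
}
$sample | Get-VbsState    # offline: decode the constructed sample
Get-VbsState              # live: query the local machine
```

A status of 1 with services still listed under `ServicesConfigured` usually means a policy or registry setting is still requesting VBS, so the state can return to 2 after the next reboot.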

1 additional answer

  1. Jenny Feng 14,076 Reputation points
    2021-02-16T07:45:45.55+00:00

    Hi,
    Here are some posts with a similar issue to yours, just for your reference; you can try the method mentioned in them:
    https://superuser.com/questions/1489224/windows-10-permanently-disable-vbs-virtualization-based-security
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Hope the above information can help you.
