0 Votes
Elliot-9434 asked Elliot-9434 answered

Disable Virtualization Based Security for Nested Virtualization

Hi!

I'm trying to disable Virtualization Based Security in my Windows 10 (up-to-date) machine so I can achieve nested virtualization. However, it seems to be in "Locked" mode because secure boot is enabled in the UEFI. How can I disable secure boot or just change the EFI config to disable VBS? Usually you need BIOS/UEFI access to do this stuff, but according to some people on the internet it is indeed possible; however, I'm having trouble disabling VBS.

I tried using group policy, registry keys and editing the BCD with no success.

I ran this script here to see if nested virtualization was possible:
https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/1d4fdaefa39ea4f3f25cce3c349753bee2c88181/hyperv-tools/Nested/Get-NestedVirtStatus.ps1
It's from Microsoft and it says "NO" because "Virtualization Based Security is running". So is there any way I can manipulate those BIOS/UEFI settings?

Here is what Group Policy says about the "Disabled" option for VBS:
"The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.


The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI."

Thank you.

EDIT:

These docs should also probably be updated to account for VBS (e.g. the "GitHub" link should point to the Microsoft script, which is more up-to-date and for me actually works to detect if nested virtualization is possible on Windows 10):
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nested-virtualization

I tried running the script in that GitHub link and it says "success", but when I use the Microsoft script it says no, VBS is still running. Maybe it works on Windows Server 2016?

Also note that I'm trying to use VirtualBox not Hyper-V. I tried following this guide to no avail because of VBS:
https://e-apostolidis.gr/microsoft/azure/virtualbox-on-azure-vm-for-testing-or-run-old-apps/
Related StackOverflow issue:
https://stackoverflow.com/questions/59968891/can-i-run-a-virtualbox-inside-a-azure-vm

I also tried adding/removing certain Windows features.

I get this error in VirtualBox when starting a VM:
"WHvCapabilityCodeHypervisorPresent is FALSE! Make sure you have enabled the 'Windows Hypervisor Platform' feature. (VERR_NEM_NOT_AVAILABLE).
VT-x is not available (VERR_VMX_NO_VMX)."

Maybe I should just do this on an earlier version of Windows before VBS/VBS locking came out...

azure-virtual-machines windows-10-hyperv

@Elliot-9434 Thank you for your query!!! Can you please help me understand your requirement so I can help you better?

Thanks

0 Votes

@prmanhas-MSFT In order to get nested virtualization working, Virtualization Based Security needs to be disabled. However, normal methods do not seem to be working due to it being in "Locked" mode for security reasons. Please see my comment on the answer below. Thanks.

0 Votes 0 ·
0 Votes
Elliot-9434 answered

Fixed! Disabled VBS and VMs in VirtualBox work now!

The last step of the solution for me was to simply disable the Windows features described in this issue:

https://docs.microsoft.com/en-us/answers/questions/20853/how-do-i-disable-virtualization-based-security-in.html?childToView=149740#comment-149740

I think I may have manually enabled them prior because their names are misleading. But, if you want nested virtualization (with VirtualBox anyway) you must disable them.

After that check if VBS is disabled with:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

VirtualizationBasedSecurityStatus should equal 0 which indicates it is off.

If you are still experiencing issues then follow along with this post and you should be able to disable VBS for nested virtualization:

https://docs.microsoft.com/en-us/answers/questions/245071/disable-virtualization-based-security-without-disb.html

BTW, I think I may have been incorrect about the "Locked" setting being enabled in my Azure VM. I just assumed it was on when disabling VBS with Group Policy didn't work.

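The check in the accepted answer above only says "VirtualizationBasedSecurityStatus should equal 0". The following PowerShell is an added example, not code from the thread or from Microsoft; it queries the same Win32_DeviceGuard class and decodes the status codes (0 = disabled, 1 = enabled but not running, 2 = enabled and running) and the SecurityServicesConfigured/SecurityServicesRunning values as documented for that class, and it also reads the state of the "Windows Hypervisor Platform" optional feature (feature name HypervisorPlatform) that the VirtualBox error message refers to. The function name Get-VbsStatusReport and the output object layout are this example's own choices. Run it from an elevated PowerShell prompt on the Windows 10 guest.

```powershell
# Added example (not from the original thread): decode Win32_DeviceGuard so the
# "VirtualizationBasedSecurityStatus should equal 0" check is explicit, and
# report the Windows Hypervisor Platform feature state mentioned in the
# VirtualBox error (VERR_NEM_NOT_AVAILABLE). Read-only; it changes nothing.
function Get-VbsStatusReport {
    [CmdletBinding()]
    param()

    # Same class and namespace as the command in the answer above.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Meanings of VirtualizationBasedSecurityStatus for the Win32_DeviceGuard class.
    $vbsStates = @{
        0 = 'Disabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }

    # Meanings of the SecurityServicesConfigured / SecurityServicesRunning codes.
    $serviceNames = @{
        0 = 'None'
        1 = 'Credential Guard'
        2 = 'Hypervisor-enforced Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }

    $vbsCode    = [int]$dg.VirtualizationBasedSecurityStatus
    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] })

    # Optional feature named in the VirtualBox error; query only, no enable/disable.
    $whp = Get-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform -ErrorAction SilentlyContinue
    $whpState = if ($whp) { $whp.State } else { 'Unknown' }

    [pscustomobject]@{
        VbsStatusCode              = $vbsCode
        VbsStatus                  = $vbsStates[$vbsCode]
        VbsDisabled                = ($vbsCode -eq 0)
        SecurityServicesConfigured = ($configured -join ', ')
        SecurityServicesRunning    = ($running -join ', ')
        WindowsHypervisorPlatform  = $whpState
    }
}

$report = Get-VbsStatusReport
$report | Format-List

if ($report.VbsDisabled) {
    Write-Host 'VBS is off: the VBS check from the answer passes.'
} else {
    Write-Host "VBS is '$($report.VbsStatus)': nested virtualization in VirtualBox will still be blocked until VBS is disabled."
}
```

A VbsStatusCode of 2 is the condition the Microsoft Get-NestedVirtStatus.ps1 script reports as "Virtualization Based Security is running"; SecurityServicesRunning shows which service (for example HVCI) is keeping VBS active, which is useful when a Group Policy change appears not to take effect. If the report shows VbsDisabled as True but VirtualBox still reports VERR_NEM_NOT_AVAILABLE, the WindowsHypervisorPlatform line shows whether that feature is the remaining problem.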

0 Votes
JennyFeng-MSFT answered Elliot-9434 commented

Hi,
Here are some posts with a similar issue to yours, just for your reference; you can try the method mentioned in them:
https://superuser.com/questions/1489224/windows-10-permanently-disable-vbs-virtualization-based-security
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Hope the above information can help you.

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


No, I tried various methods such as in the registry and group policy but it does not work because VBS is in "Locked" mode. Description of "Locked" VBS mode in gpedit.msc:

"The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.


The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI."

0 Votes