In both Microsoft Windows 10 and Windows 11, Virtualization-Based Security (VBS) is enabled by default. VBS runs on Hyper-V under the hood, so powering on a Nested ESXi VM (itself a hypervisor) on such a host is a form of Nested Virtualization. If you are using VMware Workstation and attempt to power on a Nested ESXi VM, you will probably see one of the following error messages, depending on the CPU vendor:
- Virtualized Intel VT-x/EPT is not supported on this platform
- Virtualized AMD-V/RVI is not supported on this platform
VMware Workstation has been enhanced to coexist with Hyper-V through a new Host VBS Mode introduced in VMware Workstation 17.x:
Workstation Pro uses a set of newly introduced Windows 10 features (Windows Hypervisor Platform) that permits the use of VT/AMD-V features, which enables Workstation Pro and Hyper-V to coexist. And because VBS is built on Hyper-V, Windows hosts with VBS enabled can now power on VMs in Workstation Pro successfully.
There are, however, a few limitations in this mode, as mentioned in the VMware Workstation documentation, and Nested Virtualization is one of them.
With that said, if you do need to run Nested ESXi under VMware Workstation, you need to disable Windows VBS, which requires administrative privileges on your system.
Step 1 - Go to Windows Security > Device security and, under Core isolation, toggle off Memory integrity as shown in the screenshot below.
Step 2 - Reboot for the change to go into effect
Step 3 - To confirm that VBS is actually disabled, open Microsoft System Information (msinfo32), look for the Virtualization-based security entry and ensure that it says Not enabled. A while back I heard from a colleague that corporate-managed devices may automatically re-enable the setting, so this is the way to confirm whether it is actually on or off.
Step 4 - As you can see from the screenshot below, I now have my Nested ESXi 6.0 Update 3 VM successfully powered on, running on the latest VMware Workstation 17.6.2 on Windows 11 22H2.
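The same three steps can be scripted from an elevated PowerShell prompt. The following is an added example, not code from the original post or from VMware: it reads the Win32_DeviceGuard WMI class (the data behind the Virtualization-based security entry in System Information) to report the current state, flips the Memory integrity toggle through its registry value (HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled, which is the value the Settings switch writes), and then re-reads the state so you can see that the change is only pending until the reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): report VBS state and disable Memory integrity.
# The registry write needs an elevated prompt; the change takes effect only after a reboot.

$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-VbsStatus {
    # Win32_DeviceGuard is what msinfo32 reads for "Virtualization-based security"
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Numeric codes documented for SecurityServicesRunning; anything else is reported raw
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'; 3 = 'System Guard Secure Launch' }
    $running = @($dg.SecurityServicesRunning |
        Where-Object { [int]$_ -ne 0 } |
        ForEach-Object { if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "Service $_" } })

    # The registry value is what the Settings toggle changes; WMI reflects it only after a reboot
    $hvci = (Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        VbsStatus               = $vbsState
        ServicesRunning         = if ($running.Count) { $running -join ', ' } else { 'None' }
        MemoryIntegrityRegistry = if ($null -eq $hvci) { 'not set' } else { $hvci }
    }
}

function Disable-MemoryIntegrity {
    # Equivalent of Settings > Device security > Core isolation > Memory integrity = Off
    if (-not (Test-Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    Set-ItemProperty -Path $HvciKey -Name Enabled -Value 0 -Type DWord
}

# Step 3 first, so you know what you are starting from
$before = Get-VbsStatus
"Before: VBS is '$($before.VbsStatus)'; services running: $($before.ServicesRunning); registry Enabled = $($before.MemoryIntegrityRegistry)"

if ($before.VbsStatus -ne 'Not enabled') {
    # Step 1
    Disable-MemoryIntegrity
    $after = Get-VbsStatus
    "After:  registry Enabled = $($after.MemoryIntegrityRegistry); VBS still '$($after.VbsStatus)' until the host is rebooted"

    if ($after.ServicesRunning -match 'Credential Guard') {
        'Credential Guard is also running; it is controlled by policy, not by the Memory integrity toggle, so VBS will stay enabled after the reboot until it is turned off too.'
    }

    # Step 2: reboot, then run Get-VbsStatus again and expect 'Not enabled'
    'Reboot now, then re-run this script (or check msinfo32) to confirm VBS reports Not enabled.'
} else {
    'VBS is already Not enabled; nothing to change.'
}
```

Two checks are worth keeping in mind when using this. First, the WMI status will not change until after the reboot, which is why the script reports the registry value separately; if the registry value flips back to 1 on its own after a reboot, the device is most likely being re-configured by management policy, the situation described in Step 3. Second, Memory integrity is only one consumer of VBS: if the output lists Credential Guard as running, the toggle alone will not bring the host to Not enabled. Remember also that turning these features off removes kernel-mode code integrity protection from the host, so this is a trade-off to make on a lab machine, not on a daily-driver workstation.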
While the incompatibility between VMware Workstation and VBS is not ideal for Nested Virtualization use cases under VMware Workstation, this is something the Workstation team is looking to improve in the future.
Christoph says
Hi,
setting up a Witness Appliance for 2-Node vSAN scenarios, I had to manually do the following 2 additional steps to make it work:
1) bcdedit /set hypervisorlaunchtype off
2) Disable "Turn On Virtualization Based Security" from gpedit.msc > Computer Configuration > Administrative Templates > System > Device Guard
Only disabling the core isolation/Memory Integrity via the Settings App did not do the trick for me.
I have been running Windows 11 24H2 on HP and Dell Workstations ...
I did follow this conversation:
https://gns3.com/virtualized-intel-vt-x-ept-is-not-supported-on-this-platform
Would be great if witness functionality is available without the need for a virtualized ESXi system one day.
Thomas says
Looks like, if you are using login with a fingerprint sensor on WIN11-24H2, you have to set up another registry key for "Windows Hello".
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello]
Enabled = 0
https://community.broadcom.com/vmware-cloud-foundation/discussion/windows-11-24h2-hsot-how-to-disable-virtual-based-security
Important:
If you follow all steps in this thread like me, you must have your BitLocker recovery key available to unlock your system drive after the setting change!!! Paper...
Group policy mentioned by Christoph is not valid for Windows 11, if I trust the description of the policy.