An awesome blog about software development and network security.

Introduction

If you’re encountering errors like “This host does not support AMD-V” or “Intel VT-x is unavailable” when using VMware Workstation, VirtualBox, or other virtualization software, you likely need to disable Windows 11’s VBS (Virtualization-Based Security).

Critical Update: Starting with Windows 11 24H2, disabling VBS has become more complex. Traditional methods are no longer sufficient - you must also disable the VBS dependency for Windows Hello.


What is VBS and Why Does It Interfere with Virtual Machines?

VBS (Virtualization-Based Security) is a Windows 11 security feature that creates an isolated security environment using the Hyper-V virtualization layer. While this sounds beneficial, there’s a problem:

  • VBS monopolizes CPU hardware virtualization features (AMD-V or Intel VT-x)
  • Third-party virtualization software like VMware needs direct access to these hardware features
  • When VBS is running, VMware cannot gain control of hardware virtualization, causing errors

In simple terms: VBS and VMware cannot simultaneously use the same virtualization hardware.


The 24H2 Change: Windows Hello Now Requires VBS

Starting with Windows 11 24H2, Microsoft made a significant change: Windows Hello security mechanisms now depend on VBS.

This means that even if you disable VBS using traditional methods, as long as Windows Hello-related functionality remains enabled in the registry, VBS will automatically restart.

This is why many users found that:

  • Turned off Memory Integrity ✅
  • Ran bcdedit commands ✅
  • Modified registry settings ✅
  • After reboot, VBS still shows “Running”

Complete Disabling Steps (For 24H2)

Prerequisites

  • Windows 11 (any edition: Home/Pro/Enterprise)
  • Administrator privileges
  • Virtualization enabled in BIOS (AMD-V or Intel VT-x)

Step 1: Check Current VBS Status

  1. Press Win + R, type msinfo32, press Enter
  2. In the System Information window, scroll down
  3. Find the “Virtualization-based security” row
    • If it shows “Running” → needs to be disabled
    • If it shows “Not enabled” → no action needed

Step 2: Disable Tamper Protection

  1. Open Settings (Win + I)
  2. Go to Privacy & security → Windows Security
  3. Click Virus & threat protection
  4. Click Manage settings
  5. Toggle Tamper Protection to Off

Step 3: Disable Memory Integrity

  1. Open Settings (Win + I)
  2. Go to Privacy & security → Windows Security
  3. Click Device security
  4. Click Core isolation details
  5. Toggle Memory integrity to Off

Open Command Prompt as administrator (search for cmd, right-click and select Run as administrator), then run these commands sequentially:

bcdedit /set hypervisorlaunchtype off
dism /online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /NoRestart
dism /online /Disable-Feature /FeatureName:HypervisorPlatform /NoRestart
dism /online /Disable-Feature /FeatureName:VirtualMachinePlatform /NoRestart

Step 5: Modify Registry (Critical!)

⚠️ This is the most crucial step for 24H2

5.1 Disable VBS Main Switch

  1. Press Win + R, type regedit, press Enter
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
  3. Find or create EnableVirtualizationBasedSecurity (DWORD 32-bit value)
  4. Double-click and set the value to 0

5.2 Disable Credential Guard (if exists)

Continue in the registry and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard

If an Enabled value exists, set it to 0.

5.3 🔥 Disable Windows Hello VBS Dependency (24H2 Required!)

This is the critical step that most tutorials miss!

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello

Find Enabled (DWORD 32-bit value) and set its value to 0

Important Notes:

  • After disabling this, you can still use Windows Hello normally (including PIN login)
  • Windows Hello simply no longer uses VBS as its security backend
  • This does not affect your daily usage experience

Step 6: Restart Your Computer

Close Registry Editor and restart your computer.


Step 7: Verify Results

After reboot:

  1. Press Win + R, type msinfo32, press Enter
  2. Check if “Virtualization-based security” shows “Not enabled”
  3. Open VMware Workstation and try starting a virtual machine
  4. The “AMD-V/VT-x not supported” error should no longer appear

FAQ

Q1: Why does VBS automatically re-enable after reboot?

A: Most likely because you didn’t disable the Windows Hello VBS dependency. This is a hidden mechanism added in 24H2 that must be manually disabled in the registry:

HKEY_LOCAL_MACHINE\...\DeviceGuard\Scenarios\WindowsHello\Enabled = 0

Q2: Can I still use Windows Hello and PIN login after disabling?

A: Yes! Disabling the Windows Hello VBS dependency doesn’t affect Windows Hello functionality itself - it just prevents it from using VBS as a security layer.

Q3: Do I need to disable virtualization in BIOS?

A: No! Absolutely not! Disabling virtualization in BIOS will make VMware completely unable to run. The correct approach is:

  • Enable virtualization in BIOS (AMD-V or Intel VT-x)
  • Disable VBS and Hyper-V in Windows

Q4: What are the security risks of disabling VBS?

A: VBS provides an additional security protection layer. After disabling:

  • Some advanced security features will be disabled (like Credential Guard)
  • Malware protection capabilities will be slightly reduced
  • But for ordinary users with good security habits, the impact is minimal

If your computer is primarily used for development, virtualization testing, etc., the performance gains from disabling VBS usually outweigh the security loss.

Q5: What about games (like VALORANT) that require VBS?

A: Some games’ anti-cheat systems (like Riot Vanguard) do rely on VBS. You need to choose between:

  • Enable VBS → Can play these games, but VMware won’t work
  • Disable VBS → VMware works, but these games won’t run

There’s no perfect solution unless you use dual-boot.

Q6: I have Windows 11 Home, which doesn’t have Group Policy Editor. What should I do?

A: No problem. This tutorial’s methods are entirely based on command line and registry - no Group Policy Editor needed. Home edition works fine.


Registry Modification Summary (Quick Reference)

If you want to directly see the registry locations that need modification, here’s the complete list:

| Registry Path | Value Name | Value | Description |
| --- | --- | --- | --- |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard | EnableVirtualizationBasedSecurity | 0 | Disable VBS main switch |
| HKEY_LOCAL_MACHINE\...\DeviceGuard\Scenarios\CredentialGuard | Enabled | 0 | Disable Credential Guard |
| HKEY_LOCAL_MACHINE\...\DeviceGuard\Scenarios\WindowsHello | Enabled | 0 | Disable Windows Hello VBS dependency (24H2 critical) |

All values are of type DWORD (32-bit).
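
To check all three values at once, for example to see which one is still switching VBS back on, or to confirm on a managed machine that none of them has been turned off unexpectedly, the following added example (not part of the original post) parses the text of a `.reg` export of the DeviceGuard key. The function names and the sample export are constructed for illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard"
# (key path, value name) pairs taken from the quick-reference list above.
CHECKS = [
    (BASE, "EnableVirtualizationBasedSecurity"),
    (BASE + r"\Scenarios\CredentialGuard", "Enabled"),
    (BASE + r"\Scenarios\WindowsHello", "Enabled"),
]

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int}} (DWORD values only)."""
    data, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # a "[HKEY_...]" line starts a new key section
            current = data.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return data

def audit(text):
    """Return [(key, name, state)] with state 'off', 'ON' or 'absent' for each check."""
    data = parse_reg(text)
    report = []
    for key, name in CHECKS:
        value = data.get(key.lower(), {}).get(name.lower())
        state = "absent" if value is None else ("off" if value == 0 else "ON")
        report.append((key, name, state))
    return report

# Constructed sample: main switch set to 0, Windows Hello scenario still enabled.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello]
"Enabled"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, state in audit(SAMPLE):
        print(f"{state:6} {key}\\{name}")
```

Files written by `reg export` are UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text to `audit`.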


Understanding the 24H2 Documentation Gap

The Windows Hello VBS dependency introduced in 24H2 represents a significant architectural change. This specific registry setting (DeviceGuard\Scenarios\WindowsHello) is not prominently mentioned in the mainstream documentation, which has led to confusion among users following traditional VBS disabling methods.

Community forums and discussions (such as on Reddit and Microsoft Q&A) have been instrumental in identifying this requirement. This tutorial consolidates those findings to provide a complete solution.


Conclusion

The VBS disabling process in Windows 11 24H2 is more complex than before, but with the correct steps, it can be completely disabled.

Key Points Summary:

  1. BIOS virtualization must remain enabled
  2. Windows VBS must be completely disabled
  3. Must disable Windows Hello VBS dependency (new in 24H2) ❌
  4. Verify results after reboot

If you have any questions, feel free to discuss in the comments. Happy virtualizing!


Read More

Close the VM.
Edit the .vmx file and add this config:

mouse.vusb.enable = "TRUE"
mouse.vusb.useBasicMouse = "FALSE"
usb.generic.allowHID = "TRUE"

Save the .vmx file.
Start the VM and you can see that you can use the mouse side buttons to move forward and backward on the web page.

Read More

Widgets are a new feature introduced by Microsoft in Windows 11.
Currently, the news and interest modules that are enabled by default in widgets provide various kinds of information.

winget uninstall MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy

On every new Windows 11 computer, I strongly recommend running this command to improve performance a lot.

Read More

Personal note editing needs

Core requirements:

  • Edit and save content in markdown format, which makes the format simple, easy to use, open, and easy to migrate
  • Support WYSIWYG mode when editing, similar to Typora
  • Open source, thus keeping content safe and free
  • Support offline use; data can be stored locally or in third-party channels such as Google Drive or a GitHub repository
  • Support direct copying of pictures and text on web pages and paste them directly
  • Open the folder and display the file directory structure, which is convenient for placing and organizing notes according to the file directory from the sidebar
  • Supports the creation of internal links between markdown files, which can be easily jumped
  • Supports relationship graphs showing internal links in documents

Optional Requirements

  • Supports loading plugins to extend functionality
  • Open the online editor directly in a web browser and use the file API to open a local folder for editing, so even a Chromebook can use it

Software solutions

  • Logseq: Not perfect, but currently the most recommended
  • Advantages:
    • Open source, most functions are as easy to use as Obsidian, such as beautiful appearance, local data storage, support for bidirectional links and relationship graphs
    • There is a web version, you can directly open the local folder
  • Shortcomings:
    • Browsing by directory structure is not supported, so all notes are mixed together and are hard to classify. Workaround: write a “navigation document”, similar to the Yellow Pages, bookmark it, and add a link to it every time you add a sub-document. This makes it possible to find files by category. It is still not as convenient as a directory, but it is workable.
    • Does not support rendering the standard Markdown checkbox.
  • Notion: It is basically free and easy to use, but there is no offline version, you cannot save data locally and synchronize data in your own way, which brings hidden dangers in data security and privacy, so you cannot use it with confidence. However, it supports the use of online real-time collaboration scenarios and can be used on projects, but is not suitable for storing personal core data.
  • Obsidian: It is completely free, easy to use, and supports all requirements except being open source. There is currently no better option for personal use.
  • VSCode+Office Viewer plugin (based on vditor): open source, md editing function is very powerful, and there is a toolbar. But bidirectional links and relational graphs are not supported. It can be said to be a good md editor, but not a very good note editor. And this plugin does not support running in the VSCode web.
Read More

Today I wanted to practice on LeetCode, and then I opened https://github.com/phodal/2md to save the problem locally.
Because I found that there were some small problems with this tool, I forked a copy and fixed some errors that it would generate when converting the content of the LeetCode problem.
This way, I can copy a LeetCode problem, paste it into my 2md, and then copy the converted Markdown to save it locally.
Repo: https://github.com/immortalt/2md
The displayed format is correct, and the effect is much better.
The online address of my 2md: https://immortal-blog.github.io/tomd/

Read More

Sometimes the shared folder function of VMware Workstation may suddenly not work after rebooting.
There are several ways to fix it.

mount by a command

sudo vmhgfs-fuse .host:/ /mnt/hgfs -o subtype=vmhgfs,allow_other -o nonempty

This command mounts all host shared folders at /mnt/hgfs, which is what VMware should have done automatically.
However, the mount does not persist: the folder disappears again after rebooting.

mount automatically

sudo nano /etc/fstab

We can edit the fstab file to write the auto-mount configuration. Just add one line:

.host:/ /mnt/hgfs fuse.vmhgfs-fuse allow_other,defaults 0 0
Read More

When dividing, be careful with large numbers

Sample: they should be different, but due to the float format, they become the same.

a = (1 - 500000000) / (1 - 499999999)
b = (500000000 - 1000000000) / (499999999 - 999999998)
print(a, b, a == b)
# 1.000000002 1.000000002 True

In this situation, we can just simply use Decimal.

from decimal import Decimal
a = Decimal(1 - 500000000) / Decimal(1 - 499999999)
b = Decimal(500000000 - 1000000000) / Decimal(499999999 - 999999998)
print(a, b, a == b)
# 1.000000002000000008000000032 1.000000002000000004000000008 False
Read More

Currently (2022-05-16), we cannot install and run VMware Workstation 16.2.3 on Ubuntu Desktop 22.04 LTS.
You can install it and see the icon, but when you try to open it, it asks you to install some modules and then fails.

Solution

Here is a script, verified by me, that solves the problem.

git clone https://github.com/mkubecek/vmware-host-modules
cd vmware-host-modules
git checkout workstation-16.2.3
make && sudo make install
sudo modprobe -a vmw_vmci vmmon vmnet

Then you may need to reboot the host system to get the VM networks working.

Conclusion

Although Ubuntu 22.04 is an LTS version, it is currently not stable and compatible enough for daily work. My advice is to use Ubuntu 20.04.

Read More

What are font ligatures?

It’s an interesting feature in fonts like JetBrains Mono.

I have enabled JetBrains Mono, so why don’t I see font ligatures?

I think VSCode or Word disables this feature by default, and we need to change font options to enable this feature.

VSCode

Open “Menu” → “Settings”, open “settings.json”, and change this option:

"editor.fontLigatures": true
Read More
post @ 2022-04-23

Symmetric encryption communication

The most straightforward way is to agree on an encryption key in person and use symmetric encryption such as AES-256 to encrypt and decrypt all messages.
But it’s not convenient to exchange the key online. If you send the key over an unsafe channel that is being monitored, the attacker also gets the key and can decrypt all your messages. A passive attack (read-only, without any modification) is enough for the attacker to monitor the messages.
One way around this is to use asymmetric encryption communication.

Asymmetric encryption communication

With asymmetric encryption, A and B each generate a public/private key pair. Each side encrypts its messages with the other side’s public key, and the recipient decrypts them with its own private key.
Therefore, even if the attacker gets A’s and B’s public keys, he cannot decrypt the messages, because that requires the private keys.
But it’s still not perfect.

MITM attack in asymmetric encryption communication

MITM stands for man-in-the-middle. Suppose you generate a public key and a private key for each of two clients, A and B, and then exchange the two public keys through a server C, and server C is not secure. Merely observing the public keys gains C nothing, because messages cannot be decrypted with a public key alone; the private key is needed. But suppose C replaces B’s public key with its own, and A uses this substituted key to encrypt messages. In that case, server C decrypts each message with C’s private key, re-encrypts it with B’s public key, and B decrypts it with its private key. A and B notice nothing, and C succeeds in a man-in-the-middle attack. Even if a secure key exchange technique such as Diffie-Hellman (D-H) key exchange is used, the key exchange process can still be relayed by server C as a middleman.
In asymmetric encryption communication, the attacker cannot simply use a passive attack to monitor the messages. The attacker needs to actively manipulate and change the communication flow.
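
The following added example (not from the original post) simulates the exchange through server C and shows the usual countermeasure: comparing key fingerprints over a separate trusted channel exposes a substituted key. The toy Diffie-Hellman parameters, the function names and the fingerprint check are assumptions for illustration, and the group is far too small for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption: far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a symmetric key from our private key and the public key we received."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub):
    """Short digest of a public key that two people can compare over a trusted channel."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def exchange(relay_substitutes):
    """Simulate A and B exchanging public keys through server C."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    c_priv, c_pub = keypair()
    # An honest relay forwards keys unchanged; a compromised one hands out its own key.
    seen_by_a = c_pub if relay_substitutes else b_pub
    seen_by_b = c_pub if relay_substitutes else a_pub
    k_a = session_key(a_priv, seen_by_a)
    k_b = session_key(b_priv, seen_by_b)
    return {
        "keys_match": k_a == k_b,
        "relay_can_read": session_key(c_priv, a_pub) == k_a,
        # A compares the fingerprint of the key it received with the one B reads out.
        "a_accepts": fingerprint(seen_by_a) == fingerprint(b_pub),
        "b_accepts": fingerprint(seen_by_b) == fingerprint(a_pub),
    }

if __name__ == "__main__":
    for label, substituted in (("honest relay", False), ("key substitution", True)):
        print(label, exchange(substituted))
```

With an honest relay both sides derive the same key and the fingerprints match; with substitution the relay can derive A's session key, but the fingerprint comparison fails on both sides.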

Read More