VMware Workstation

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

Arrgh .. Thank you for this enlightening post but it is driving me nuts...  I want to use full VMware workstation features and not rely on Windows Hypervisor platform etc.

I did the Phase 1 - but no change in "System Summary" -> "Virtualization-based Security"

Proceeded to Phase 2 - Added "EnableVirtualizationBasedSecurity" in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard- but no change in "System Summary" -> "Virtualization-based Security"

Optimistically, proceeded to Phase 3 and it worked for the 1st recommended reboot. But after further reboot/shutdown/startups, "System Summary" -> "Virtualization-based Security" is back to Running :(

I tried @SimonHF's suggestion by adding the ones below:

"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags" [2] and set it to "0" (zero).
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags" [2] and set it to "0" (zero).

But that did not help too - coz after redoing Ph 3, again, after 1st reboot, "System Summary" -> "Virtualization-based Security" is back to Running :(

Has anyone overcome this issue?

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.

I had a very hard time getting rid of Hyper-V in my setup, on a Windows 11 Pro host. The "normal" steps I found all over the web weren't enough! Web sleuthing finally got me what I needed, and for posterity and future searchers I want to document what I did to achieve the coveted CPL0 monitor mode and improved VMWare virtualization performance under Win11.

So, what's going on with this OS that creates this new problem for Type 2 (hosted) hypervisors like VMWare Player/Workstation or VirtualBox? Windows 11 Pro, by default, doesn't have the Hyper-V features enabled (to actually run Hyper-V guests), but it (like Windows 11 Home, btw) does use the Hyper-V hypervisor for certain new "Virtualization-Based Security" (VBS) features. These include Device Guard, Credential Guard, and core (memory) isolation. Basically, with VBS the entire host operating system is actually not running as the host at all, it's running as a Hyper-V guest on top of the Hyper-V platform. This has some detrimental performance impact (mostly unnoticeable in normal use, except in gaming), but the advantage is that with the OS running as a "guest," with all hardware access having to cross the virtualization boundary, all kinds of additional security features become possible to prevent/mitigate modern attack vectors. Microsoft deems these protections to outweigh the performance hit, so as of 22H1 or 22H2 update, memory integrity protection, Device Guard, and Credential Guard are enabled by default on a new OS install, if the EFI settings have the CPU virtualization capabilities (VT-d, etc.) enabled. An existing install that's upgraded to 22H? will honor the existing settings btw.

OK, so what's the problem? It's actually not a problem at all, in a way, at least not since Workstation/Player 17 I believe, which introduces "play nice with Hyper-V" capability. If the Hyper-V hypervisor is active on the system, VMWare's product sets aside its own virtualization platform and uses the Hyper-V APIs to create the virtualized environment on which to run a guest. In a way, Hyper-V is running the virtual "hardware" for VMWare, while VMWare provides some of the value-added features like USB capture, 3D-accelerated graphics, etc. Same goes for VirtualBox's newer versions. The price to pay, though, is that this "referred" virtualization is slower than VMWare's own implementation would be, if only it could run in full-privilege mode, access VT-d directly, and operate its own virtualization stack.

The user/admin/operator of the Windows 11 host must make a decision as to which is more important: the new and enhanced bulletproofing against attacks provided by virtualization-based security features, plus the interoperability with Hyper-V (VMWare can coexist alongside Hyper-V features; one can run a Hyper-V guest and a VMWare guest at the same time!), and let's not forget that Hyper-V is necessary for the Sandbox/WSL feature...or ditching the Hyper-V platform altogether, and the extra security features, and the ability to run WSL, to get the best possible performance out of VMWare Player/Workstation.

If you're wondering for your Win11 host whether Workstation/Player 17 is running its own virtualization stack or not, first take a look at System Information app (search for it in Start menu). The System Summary page has an entry near the bottom of the list named "Virtualization-based Security". As long as that doesn't say "Not enabled", the Hyper-V hypervisor is pulling the strings, and the host OS you're looking at is actually a well-disguised guest OS. To see what VMWare has to say on the subject of current state, run any VM and take a look at the VMWare.log file that gets put alongside the VMX and other files for the VM. Search for "Monitor Mode:" and see the value after the colon. If the value is "CPL0", the VMWare engine is running. If the value is "UML", the slower Hyper-V API is in use.

OK, so let's say you've decided to go ahead and remove the hypervisor and let the host OS run without virtualization. Here is a sequence of actions to take. Some people seem to have luck with the first set, but if the first set is not enough, I've also got the final silver bullet that will definitely get that VBS value in System Information to change to "Not enabled," and VMWare (or VirtualBox) to be able to run with full hardware access and its own engine.

Phase 1:

1. In Start menu search for "core isolation" to find the Core isolation page in Settings app. Turn off the Memory integrity protection, which will also disable the Kernel-mode Hardware-enforced Stack Protection. If Windows wants to restart, tell it "not yet" because there're some features to turn off, first.
2. In Start menu search for "windows features" to find and open the Windows Features control panel. Turn off Hyper-V and all its subfeatures, and also Windows Hypervisor Platform, Virtual Machine Platform, and Windows Sandbox. The OS should ask to restart, let it.

Some people seem to succeed by doing just that. Check System Information. Is the VBS feature no longer in running stated? If not, let's try Phase 2, which throws several more kitchen sinks at the problem.

Phase 2:

1. In Start menu search for "command" to find Command Prompt, right-click it, and run as administrator (elevated). It has to be elevated, otherwise the command you're about to type/paste won't work.
2. Run command
   bcdedit /set hypervisorlaunchtype off
3. Close the command prompt window
4. Hit Win+R to get the Run dialog, and run:
   regedit
5. After a UAC/elevation prompt, the Registry Editor opens. Right below the menu bar there's a texbox where you can paste this path and hit Enter:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
6. The tree view below the textbox (on the left) should have taken you to the path you pasted, and the values in this registry node should be shown in the right pane. Find the value named "EnableVirtualizationBasedSecurity", double-click it to edit the value, and in the dialog box that appears type 0 in the "Value data" field, unless of course that's already the value that's set. Hit OK to save the change and close the Registry Editor.
7. Hit Win+R again to get the Run dialog, and run:
   gpedit.msc
8. The Local Group Policy Editor should open. There's no convenient textbox to paste a path into, so you'll have to painfully expand nodes to find this path:
   Computer Configuration -> Administrative Templates -> System -> Device Guard
9. Find and double-click a setting in the right pane named "Turn On Virtualization Based Security", and in the dialog that appears, select the "Disabled" radio button, then OK button, and close the Local Group Policy Editor.
10. Restart the OS and again check System Information to see if the VBS value has become "disabled."

Still not there? That's what happened to me, but there's one more thing to do, luckily assisted by a tool (script) provided by Microsoft, which in my experience finally takes that last step toward the nirvana of seeing the "disabled" value for VBS:

Phase 3:

There is a manual way to do this, and I found the instructions, but they're a bit scary. It involves using bcdedit to modify the boot configuration to apply a configuration change that sets a "DISABLE-LSA-ISO" option. Lots of opportunity for something to go wrong if the instructions I found are flawed, or if a mistake is made (typo, missed a command). So, I'm strongly recommending (and providing instructions for) the method that uses the Microsoft-provided script. I've tested it, it worked for me, and the same script provides a way to undo the whole thing later if desired, too. Power users are welcome to find the instructions I found on their own, or to simply open the script file and examine what it does for any manual implementation activities.

1. Go to Download Device Guard and Credential Guard hardware readiness tool, provided by Microsoft to check Device Guard and Credential Guard capability, and to turn on/off the features. There's no setting anywhere in Settings app or control panel for this, and this "tool" is actually a PowerShell script, but it provides the necessary functionality. Find the Download button and click it, and your browser will download a ZIP archive.
2. Find and extract the folder contained in the archive. Don't try to run the script from within the archive. If you're using Windows Explorer, it can make a ZIP archive look like just another folder, but it isn't. You need to drag out the "dgreadiness_v3.6" (version as of when I wrote this post) folder from the archive into a real folder, e.g. onto your Desktop.
3. Search for "powershell" in Start menu to find Windows PowerShell, right-click it, and run as administrator (elevated). You must run it elevated or the script won't work.
4. You need to change the current drive and directory to the one where the script is. If you're not command prompt savvy: type "C:" for example (no quotes) if the folder is on the C: drive, or "D:" if it's on the drive, etc., and hit Enter, which should change the active drive to the correct one; next, open the folder you extracted the script files into, copy the address from the address bar into the clipboard (highlight and Ctrl-C), then type the following command (replacing <path> with a Ctrl-V to paste the path you just copied), and hit Enter:
   cd "<path>"
5. The prompt in front of your blinking cursor should now match the folder where the script file is located, meaning your "current directory" is the correct one.
6. Unless you know that you've already set this policy (power user), run this command next, to allow the script to be run:
   Set-ExecutionPolicy Unrestricted
7. You'll have to respond to a security prompt by typing "y" (if I remember correctly), possibly followed by Enter. It should then say it has successfully changed the execution policy.
8. Now we can run the script. Type/paste (if the version number has changed since I posted this, adjust according to the filename of the .ps1 script file in the extracted folder):
   DG_Readiness_Tool_v3.6.ps1 -Disable
9. The script will do some stuff, and then you'll get to restart, and during restart you will get a full-screen prompt asking you to confirm you want to opt out of Device Guard and Credential Guard. Answer in the affirmative. I don't have precise instructions for the exact sequence of events and prompts/actions after running the script, because I ran it several days ago and didn't document what I saw.
10. Once Windows has restarted with these features "opted out of," fire up System Information and check that VBS value again. For me, this was the final step that did the job, and when I ran a VMWare Workstation VM, it gave me the coveted Monitor Mode value of "CPL0"!
11. By the way, for the sake of security, you might want to change the PowerShell script execution policy back to the more restrictive default one after these steps. If so, launch Windows PowerShell again, as administrator, and execute:
    Set-ExecutionPolicy Default

I hope somebody finds this long writeup useful, either while searching this forum, or maybe when finding this post via a web search someday. It's based on what I documented during 2 days of web searches and frustration, and maybe it will save someone some headaches and time.