With version 6.7, VMware added support for the Windows 10 virtualization-based security (VBS) feature to the vSphere suite. Microsoft's VBS is also available for Windows Server 2016 operating systems (OSes).

What is Virtualization-based Security (VBS)?

VBS uses hardware and software virtualization features to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem.

Essentially, Microsoft uses a Windows component called the Hyper-V role to start a hypervisor underneath the OS. This hypervisor lets Windows keep sensitive data, such as cached credentials, in an isolated region that the regular OS would otherwise be able to read.

Most modern systems have a Trusted Platform Module (TPM) 2.0 device built into the hardware, but the isolation itself still has to be implemented in software, and that is exactly what VBS does. To give you an idea, here is a screenshot from a VMware blog post.

Microsoft VBS

As you can see, the Windows 10 virtual machine (VM) has a hypervisor role active and has the credentials stored elsewhere.

What are the restrictions on VBS-enabled VMs?

VBS is only usable on Windows 10 and Windows Server 2016, and some vSphere features are not compatible with VBS:

  • VMware Fault Tolerance (FT)
  • vSphere PCI passthrough
  • vSphere hot add for CPU or memory

What are the vSphere requirements for VBS?

As mentioned above, VBS is only available as of vSphere 6.7. The requirements for working with VBS are:

  • A VM with virtual hardware 14
  • Hardware virtualization and an input/output memory management unit (IOMMU) exposed to the VM
  • Secure boot enabled
  • EFI firmware
  • 64-bit CPU
  • An IOMMU: Intel VT-d, AMD-Vi, or ARM64 system memory management units (SMMUs)
  • TPM 2.0

How do you enable VBS?

In the VMware vSphere client, first connect to vSphere and select the VM for which you want to enable VBS.

  1. Shut down the VM and tick the Enable box next to Virtualization Based Security under VM Options.
Enabling VBS

Note: The VM has to boot with EFI (not BIOS) firmware to satisfy the requirements. If you are creating new Windows 10 or Windows Server 2016 VMs, make sure you select UEFI firmware before installing; switching after the system is installed is difficult.

Once the VM is up and running, we need to activate the Hyper-V role. You can do this by running appwiz.cpl, which opens Programs and Features; there, select Turn Windows features on or off, find the Hyper-V section, and check the box Hyper-V Hypervisor.

Enabling the Hyper V Hypervisor

If you want to add a Hyper-V role on Windows Server 2016, you'll use the Add roles and features wizard within your Server Manager.

Once you're done, it'll ask you to reboot the system.

Let's continue after the VM comes up.

  2. In the VM, open gpedit.msc and browse to:

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. Set it to Enabled and configure the options as follows:

  • Select Platform Security Level: Secure Boot and DMA Protection
  • Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
  • Credential Guard Configuration: Enabled with UEFI lock

If you want to be able to turn off Windows Defender Credential Guard remotely, choose Enabled without lock.

Credential Guard configuration

If you want to activate VBS for multiple systems, you can do this via Group Policy in your domain.
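The guest-side part of this procedure as a PowerShell script, added here as an example and not taken from the article or from VMware: it enables the Hyper-V hypervisor feature, writes the registry values Microsoft documents as the equivalents of the Device Guard policy settings above (useful on a standalone VM, where no domain GPO applies), and after the reboot reports what the Win32_DeviceGuard WMI class says is actually running. It assumes the VM-level Virtualization Based Security checkbox in vSphere has already been ticked.

```powershell
#Requires -RunAsAdministrator
# Added example: configure VBS inside the guest and verify that it really started.

# 1. Enable the Hyper-V hypervisor component (the article does this via appwiz.cpl).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -NoRestart

# 2. Registry equivalents of the "Turn On Virtualization Based Security" policy.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
New-Item -Path $policy -Force | Out-Null
$settings = @{
    EnableVirtualizationBasedSecurity = 1   # Policy state: Enabled
    RequirePlatformSecurityFeatures   = 3   # 1 = Secure Boot only, 3 = Secure Boot and DMA Protection
    HypervisorEnforcedCodeIntegrity   = 1   # 1 = Enabled with UEFI lock, 2 = Enabled without lock
    LsaCfgFlags                       = 1   # Credential Guard: 1 = with UEFI lock, 2 = without lock
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $policy -Name $name -Value $settings[$name] -Type DWord
}

# 3. Run after the reboot. A policy that is set but not reflected here usually means a
#    vSphere requirement (EFI firmware, IOMMU, Secure Boot) is missing on the VM.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 = off, 1 = enabled, 2 = running
        SecureBoot      = (2 -in $dg.AvailableSecurityProperties)
        DmaProtection   = (3 -in $dg.AvailableSecurityProperties)
        ServicesRunning = ($dg.SecurityServicesRunning | ForEach-Object { $services[[int]$_] }) -join ', '
    }
}
Get-VbsStatus
```

If ServicesRunning stays empty after the reboot while VbsRunning is true, check the "with UEFI lock" settings first: once locked, they can only be changed from the console, not remotely, which is why the article mentions Enabled without lock.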

Final words

I think there will be further expansion of VBS in Windows Server 2019. It is a great feature that helps protect Windows against malware and all kinds of attacks where credentials are involved.

VMware vSphere 6.7 has brought this feature in collaboration with Microsoft. It is great to see that these two giants now work hand in hand on features that improve security.
