VMware recently released vSphere 6.7, and it brings many enhancements and new features. Security matters on every platform these days, and vSphere 6.7 makes real improvements on that side. One of the more interesting new security features is support for Microsoft Virtualization Based Security (VBS).
In this post I will share what Microsoft Virtualization Based Security (VBS) is and how to enable it, together with the Hyper-V role, in a Windows Server 2016 virtual machine running on vSphere 6.7.
Virtualization-based security (VBS) is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware virtualization (Intel VT-x or AMD-V, and an IOMMU for DMA protection) together with the Windows hypervisor to carve out an isolated, hypervisor-protected region of memory and execution, known as Virtual Secure Mode, that the normal operating system cannot reach. The hypervisor enforces the boundary: even code running in the Windows kernel cannot read or write the secure region. Windows uses that region to run its security services. Credential Guard keeps authenticated user credentials (for example NTLM password hashes and Kerberos ticket-granting tickets) inside an isolated LSA process (LsaIso.exe) instead of the normal LSASS, so they cannot be dumped from the OS, and hypervisor-enforced code integrity (HVCI) checks kernel-mode code before it is allowed to run. With these protections in place, even if malware gains access to the OS kernel the damage it can do is greatly limited and contained, because the hypervisor prevents it from executing unsigned kernel code or reading platform secrets.
The virtual machine must be configured with the following hardware settings before VBS can be enabled in the guest:

| Option | Required Setting |
| --- | --- |
| Firmware type | UEFI |
| Enable UEFI Secure Boot | Enabled |
| Enable hypervisor applications in this virtual machine | Enabled |
| Enable IOMMU in this virtual machine | Enabled |
Create a virtual machine that uses hardware version 14 or later and one of the following supported guest operating systems:
- Windows 10 Enterprise, 64-bit
- Windows Server 2016
To use Windows Server 2016 as the guest operating system, apply all current Microsoft updates to the guest.
Note:- VBS might not function in a Windows Server 2016 guest without the most current updates.
Enabling Virtualization Based Security in Windows 2016 with vSphere 6.7
For this walkthrough I am creating the Windows Server 2016 virtual machine in a nested ESXi 6.7 environment. There are two places where you can enable VBS on the virtual machine, and in both cases the VM compatibility must be ESXi 6.7 and later (hardware version 14):
- While creating the Virtual machine
- After Creating the Virtual Machine
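The post configures the VM through the vSphere Client, where the "Enable Virtualization Based Security" switch sets the four hardware options from the table above at once. The same result can be scripted against the vSphere API with PowerCLI. This is an added example, not code from the original post or from VMware; the vCenter name, credential prompt and VM name are assumptions, and it expects a powered-off VM.

```powershell
# Added example: apply the vSphere-side VBS prerequisites to an existing,
# powered-off VM through PowerCLI and the vSphere 6.7 API.
# vCenter address and VM name below are assumed values; change them to yours.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local' -Credential (Get-Credential)

$vmName = 'WIN2016-VBS'          # assumed VM name
$vm = Get-VM -Name $vmName

# Firmware, IOMMU and nested-HV settings can only change while the VM is off.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName must be powered off before its firmware/IOMMU/nested-HV settings can change."
}

$view = $vm | Get-View

# Hardware version 14 (ESXi 6.7 compatibility) is a prerequisite for the VBS flag.
if ([int]($view.Config.Version -replace 'vmx-', '') -lt 14) {
    $view.UpgradeVM('vmx-14')
    $view.UpdateViewData()
}

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware        = 'efi'                                   # Firmware type: UEFI
$spec.BootOptions     = New-Object VMware.Vim.VirtualMachineBootOptions
$spec.BootOptions.EfiSecureBootEnabled = $true                  # Enable UEFI Secure Boot
$spec.NestedHVEnabled = $true                                   # Enable hypervisor applications (expose VT-x/AMD-V)
$spec.VvtdEnabled     = $true                                   # Enable IOMMU in this virtual machine
$spec.Flags           = New-Object VMware.Vim.VirtualMachineFlagInfo
$spec.Flags.VbsEnabled = $true                                  # The vSphere 6.7 "Enable Virtualization Based Security" switch

$view.ReconfigVM($spec)
$view.UpdateViewData()

# Read the configuration back and confirm every required setting from the table.
$cfg = $view.Config
$checks = [ordered]@{
    'Firmware type = UEFI'     = ($cfg.Firmware -eq 'efi')
    'UEFI Secure Boot enabled' = [bool]$cfg.BootOptions.EfiSecureBootEnabled
    'Nested HV enabled'        = [bool]$cfg.NestedHVEnabled
    'IOMMU enabled'            = [bool]$cfg.VvtdEnabled
    'VBS flag enabled'         = [bool]$cfg.Flags.VbsEnabled
}
$checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }

Disconnect-VIServer -Server * -Confirm:$false
```

Do this before installing the guest OS: switching an already-installed Windows from BIOS to UEFI firmware leaves it unbootable, because the disk was partitioned with MBR rather than GPT.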
After the Windows Server 2016 VM boots, follow the steps below to enable Virtualization Based Security:
- Enable the group policy setting for VBS first
- Enable the Hyper-V role in Windows Server 2016
Navigate to the Group Policy setting where VBS is enabled.
Open the Local Group Policy Editor by typing gpedit.msc in the Run dialog, or search for "Edit group policy" from the Start menu.
Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security.
Set the policy to Enabled, choose the options below from the drop-down menus, click OK and then reboot the server:
- Select Platform Security level : Secure Boot and DMA Protection
- Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
- Credential Guard Configuration : Enabled with UEFI lock
Note:- The "Enabled without UEFI lock" option lets you turn the setting off again remotely, for example through Group Policy. With the UEFI lock, the configuration is also persisted in a UEFI variable, so a later policy change cannot disable it; an administrator has to clear it from the console of the machine.
Enable Hyper-V on Windows Server 2016
Open Server Manager > Add roles and features.
Click Next through the default options. On the Server Roles page select Hyper-V, accept the prompt to include the management tools, and click Next.
Continue with the default options, click Install and, when the installation completes, Close.
After the Hyper-V feature is installed, restart Windows.
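The Group Policy and Server Manager steps above can also be applied from an elevated PowerShell prompt inside the guest. The following is an added example, not code from the original post or from Microsoft; it writes the registry values Microsoft documents for enabling VBS, HVCI and Credential Guard manually (the same settings the "Turn On Virtualization Based Security" policy applies) and then installs the Hyper-V role. The `$uefiLock` switch at the top is this example's own parameter.

```powershell
# Added example: enable VBS, HVCI and Credential Guard via the documented registry
# values, then install the Hyper-V role. Run as Administrator inside the VM.
#Requires -RunAsAdministrator

$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = Join-Path $dg 'Scenarios\HypervisorEnforcedCodeIntegrity'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# $true  -> "Enabled with UEFI lock": persists in a UEFI variable, cannot be undone remotely.
# $false -> "Enabled without UEFI lock": can be switched off later by policy or registry.
$uefiLock = $true
$locked   = if ($uefiLock) { 1 } else { 0 }

foreach ($path in @($dg, $hvci)) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}

# Turn On Virtualization Based Security: Enabled
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# Select Platform Security Level: 1 = Secure Boot, 3 = Secure Boot and DMA Protection
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord
Set-ItemProperty -Path $dg -Name Locked -Value $locked -Type DWord

# Virtualization Based Protection of Code Integrity (HVCI)
Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path $hvci -Name Locked  -Value $locked -Type DWord

# Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled
$lsaCfg = if ($uefiLock) { 1 } else { 2 }
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value $lsaCfg -Type DWord

# Enable the Hyper-V role with its management tools, as the post does through Server Manager.
$result = Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
if (-not $result.Success) { throw 'Hyper-V role installation failed.' }

# VBS only starts after a reboot; ask before doing it.
if ($result.RestartNeeded -ne 'No') { Restart-Computer -Confirm }
```

If the machine is domain joined and a Group Policy also sets these values, the policy wins on the next refresh, so in a domain the GPO route from the steps above is the one to keep. Platform security level 3 makes VBS require DMA protection, which is exactly why the IOMMU option on the VM is mandatory: without it VBS stays configured but never starts.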
How to Verify VBS is Enabled
Run msinfo32.exe from the Run dialog. Under System Summary you will find the Device Guard entries: Virtualization-based security should show Running, and Security Services Running should list Credential Guard and Hypervisor enforced Code Integrity.
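The msinfo32 entries come from the Win32_DeviceGuard WMI class, so the same check can be scripted and, more usefully, can tell you why VBS is not running when it is not. This is an added example, not code from the original post; the function names and the LsaIso process check are this example's own additions.

```powershell
# Added example: the msinfo32 Device Guard check done programmatically through
# the Win32_DeviceGuard WMI class. Run inside the guest after the reboot.

# Code tables documented for Win32_DeviceGuard; unknown codes are shown as numbers.
$script:VbsStateNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$script:PropertyNames = @{
    1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite';     5 = 'UEFI code readonly'
    6 = 'SMM security mitigations 1.0'; 7 = 'Mode Based Execution Control'
}
$script:ServiceNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor enforced Code Integrity' }

function ConvertTo-Name([hashtable]$Table, [uint32[]]$Codes) {
    @($Codes | ForEach-Object { if ($Table.ContainsKey([int]$_)) { $Table[[int]$_] } else { "Unknown($_)" } })
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus           = $VbsStateNames[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredProperties  = ConvertTo-Name $PropertyNames $dg.RequiredSecurityProperties
        AvailableProperties = ConvertTo-Name $PropertyNames $dg.AvailableSecurityProperties
        ServicesConfigured  = ConvertTo-Name $ServiceNames  $dg.SecurityServicesConfigured
        ServicesRunning     = ConvertTo-Name $ServiceNames  $dg.SecurityServicesRunning
        # Credential Guard keeps LSA secrets in this isolated process; its presence is an independent sign.
        LsaIsoRunning       = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

# Returns $true only when VBS is running with both Credential Guard and HVCI active;
# otherwise warns about the most likely cause.
function Test-VbsRunning {
    $s = Get-VbsStatus
    if ($s.VbsStatus -ne 'Running') {
        Write-Warning "VBS is '$($s.VbsStatus)'."
        $missing = @($s.RequiredProperties | Where-Object { $_ -notin $s.AvailableProperties })
        if ($missing) {
            # 'DMA protection' missing means the vSphere IOMMU option is off;
            # 'Secure Boot' missing means the VM is not UEFI with Secure Boot enabled.
            Write-Warning "Required platform properties not available: $($missing -join ', ')"
        }
        return $false
    }
    $notRunning = @($s.ServicesConfigured | Where-Object { $_ -notin $s.ServicesRunning })
    if ($notRunning) {
        Write-Warning "Configured but not running: $($notRunning -join ', ')"
        return $false
    }
    return ('Credential Guard' -in $s.ServicesRunning) -and
           ('Hypervisor enforced Code Integrity' -in $s.ServicesRunning)
}

Get-VbsStatus | Format-List
Test-VbsRunning
```

A status of "Enabled but not running" with "DMA protection" listed under RequiredProperties but not AvailableProperties is the typical result of forgetting the IOMMU setting on the VM; the guest policy is correct, but the platform cannot satisfy it.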
More about VBS can be found here.
Check out more vSphere 6.7 posts.
Thank you for reading this post. Share the knowledge if you feel it is worth sharing.