I've just upgraded to vSphere 6.7 Update 1 and one of the first things I wanted to start experimenting with is Virtualization Based Security (VBS) in my VMs. I have a Win2016 and Win2019 VM I have installed with hardware version 14 and VMware Tools 10338. Windows is patched with October 2018's updates.
I've read a few articles on enabling VBS but there are some discrepancies so I wanted to list the steps I followed to see if I am installing/configuring VBS correctly:
1. Shut down VM and tick the "Enable" box next to Virtualization Based Security under VM options
2. Power VM on
3. In VM open gpedit.msc and browse to:
Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security - Set to Enable and configure options as follows:
Select Platform Security level : Secure Boot and DMA Protection
Virtualization Based Protection of Code Integrity : Enabled with UEFI lock
Credential Guard Configuration : Enabled with UEFI lock
4. Reboot server
5. This is where I am confused. Some articles say you have to enable/install the Hyper-V feature and reboot (others don't mention enabling Hyper-V). On my one test VM I haven't installed Hyper-V yet but after completing up to step 4. above VBS appears to be working/running:
So my questions are, do I need to install/enable Hyper-V for VBS to work? On my second test VM I did install the Hyper-V feature and VBS looked identical to the screenshot above that shows VBS running.
So I'm confused, do I need to install/enable Hyper-V or can I just follow the first 4 steps above to get VBS installed and working correctly?
My goal is to enable VBS on all my VMs.
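
One way to check the outcome of steps 1 to 4 from inside the guest, as an added example that is not part of the original post: it reads the Win32_DeviceGuard CIM class and lists any configured security service that is not actually running. The variable and function names are illustrative, and the Hyper-V role state is only reported, with no assumption about whether it is required.

```powershell
# Added example (not from the original post). Run elevated inside the guest.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
    -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

# Code meanings per Microsoft's Win32_DeviceGuard documentation.
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$service  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$property = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

# Illustrative helper: translate numeric codes to names, skipping 0 ("none").
function Resolve-Code {
    param([object[]]$Codes, [hashtable]$Map)
    foreach ($c in $Codes) {
        $i = [int]$c
        if ($i -eq 0) { continue }
        if ($Map.ContainsKey($i)) { $Map[$i] } else { "code $i" }
    }
}

$configured = @(Resolve-Code $dg.SecurityServicesConfigured $service)
$running    = @(Resolve-Code $dg.SecurityServicesRunning    $service)
# Services the policy asked for that did not start after the reboot.
$notRunning = @($configured | Where-Object { $_ -notin $running })

# Hyper-V role state is reported only; Get-WindowsFeature exists on Server SKUs.
$hyperV = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    (Get-WindowsFeature -Name Hyper-V).Installed
} else { 'n/a' }

[pscustomobject]@{
    VbsStatus               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    RequiredProperties      = @(Resolve-Code $dg.RequiredSecurityProperties  $property) -join ', '
    AvailableProperties     = @(Resolve-Code $dg.AvailableSecurityProperties $property) -join ', '
    ServicesConfigured      = $configured -join ', '
    ServicesRunning         = $running -join ', '
    ConfiguredButNotRunning = $notRunning -join ', '
    HyperVRoleInstalled     = $hyperV
} | Format-List

if ($dg.VirtualizationBasedSecurityStatus -ne 2 -or $notRunning.Count -gt 0) {
    Write-Warning 'VBS or a configured security service is not running; check the VM option, Secure Boot and the applied policy.'
}
```

Running it on both test VMs and comparing the output gives a side-by-side view of the VM with the Hyper-V role and the one without it.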