VMware Communities
ralish
Enthusiast

Coexistence with new Windows 10 security features

Hi all,

The release of Windows 10 has introduced several new security features that are of particular interest to those of us who operate on secured networks, in particular Device Guard and Credential Guard (Isolated User Mode). Together, these features provide what Microsoft refers to as Virtualisation Based Security. It's worth taking the time to read up on both of these features for the technical details, but at a high level, they provide code integrity and credential theft protection respectively by virtualising the bulk of the OS, with a small "secure kernel" and "secure user mode" being responsible for enforcing the relevant security controls across the rest of the system. The idea is that compromise of the underlying OS, even up to and including kernel-mode privileges, shouldn't undermine the protections these features can provide, short of a hypervisor exploit, as the secure system runs at a higher privilege level than the rest of the operating system, including the NT kernel itself.

The problem is that both of these features require Hyper-V to be enabled, as they're built on top of the virtualisation technology it provides. This is a problem for VMware Workstation as it refuses to run when Hyper-V is enabled. Does VMware have any plans to support coexistence with Hyper-V in certain contexts? Particularly wrt. support for systems where Device and/or Credential Guard are enabled? Are there any unofficial/unsupported workarounds for being able to use VMware Workstation without having to remove these features?

Thanks in advance,

-SDL

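The dependency described in the post above (VBS needs the Hyper-V hypervisor loaded; Workstation refuses to power on VMs while one is) can be checked on the host before anything is changed. The following is an added example, not code from the original thread or from VMware or Microsoft; it reads the documented Win32_DeviceGuard WMI class, Win32_ComputerSystem.HypervisorPresent and the bcdedit hypervisorlaunchtype setting, and assumes an elevated PowerShell session on Windows 10 (bcdedit needs administrator rights).

```powershell
# Added example: report whether Virtualisation Based Security (Device Guard /
# Credential Guard) and the Hyper-V hypervisor are active on this Windows 10 host.
# Not from the original thread; it only reads documented WMI classes and bcdedit output.
# Run from an elevated PowerShell session (bcdedit requires administrator rights).

function Get-VbsHypervisorState {
    # Documented value meanings for Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard):
    #   VirtualizationBasedSecurityStatus:    0 = not enabled, 1 = enabled but not running, 2 = enabled and running
    #   SecurityServicesRunning:              1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
    #   CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Win32_ComputerSystem.HypervisorPresent is true when Windows itself is running on top of
    # a hypervisor. On a physical Windows 10 host that means the Hyper-V hypervisor (which VBS
    # requires) is loaded, which is the condition under which Workstation refuses to run VMs.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # The boot setting that controls whether the hypervisor is launched at all.
    # bcdedit only prints the line when the value has been set explicitly.
    $launch = (bcdedit /enum '{current}' | Select-String -Pattern 'hypervisorlaunchtype\s+(\w+)').Matches |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
    if (-not $launch) { $launch = '(not set)' }

    [pscustomobject]@{
        VbsStatus              = @{0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running'}[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        CodeIntegrityPolicy    = @{0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced'}[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        HypervisorPresent      = [bool]$cs.HypervisorPresent
        HypervisorLaunchType   = $launch
    }
}

$state = Get-VbsHypervisorState
$state | Format-List

if ($state.HypervisorPresent) {
    Write-Warning 'A hypervisor is loaded; VMware Workstation will refuse to run VMs until it is not.'
    if ($state.CredentialGuardRunning -or $state.HvciRunning) {
        Write-Warning 'VBS services are running on top of it; turning Hyper-V off also turns off the Device Guard / Credential Guard protection they provide.'
    }
}
```

The useful output is the combination: `HypervisorPresent = True` with `VbsStatus = Enabled and running` is the configuration the thread is about, where Workstation cannot start and the hypervisor cannot simply be removed without losing the VBS protections.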
6 Replies
ralish
Enthusiast

Any chance of getting a reply to this from anyone at VMware? It'd be really great to get some visibility into how VMware intends to co-exist with these features, if at all, and a timeline for such a capability to be supported.

wila
Immortal

Hello,

Please read the replies of jmattson in the following thread:

VMWare Workstation and Hyper-V at the same time

You can't run Workstation and Hyper-V together because Hyper-V doesn't support nested virtualisation, at least not at this moment in any of the current versions of Hyper-V, AFAIK.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
ralish
Enthusiast

Thanks for the reply & info. That's interesting and makes a lot of sense re: lack of support for nested virtualisation in Hyper-V. The good news is that this appears to be changing:

I've emailed their virtualisation team to see if we can get some insight on plans for supporting 3rd-party hypervisors w/ nested Hyper-V, co-existence w/ Windows 10 VBS features, and a combination of both of these.

I'll update this thread with the response (if I get one).

admin
Immortal
(Accepted solution)

If Hyper-V virtualizes the hardware-assisted virtualization features of the underlying CPU, it will be possible to run VMware Workstation VMs nested under Hyper-V, but performance probably won't be very good.

ralish
Enthusiast

Just belatedly updating this thread to note that I did get a response from Ben Armstrong & Theo Thompson of the Hyper-V virtualisation team confirming that interoperability with 3rd-party virtualisation solutions via nested virtualisation is definitely on the roadmap.

NoSpamPleaze
Contributor

In Windows 10 RS1 builds with Credential Guard enabled, VMware's vmx86.sys causes a BSOD when attempting binary translation through "vmx.allowNested = TRUE" in the VMX file. A similar issue also happens with VirtualBox.

Tried to "disable" Hyper-V at the bcdedit level (Switch easily between VirtualBox and Hyper-V with a BCDEdit boot Entry in Windows 8.1 - Scott Hansel...) with the same results.

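The bcdedit approach referred to in the post above (a second boot entry with the hypervisor switched off, so the default entry keeps VBS and the alternate one can run Workstation) is shown below as an added example; it is not code from the thread or from the linked article. It assumes an elevated PowerShell session; the entry description is arbitrary and the parsing relies on bcdedit printing the new entry's GUID in braces after a successful copy. As the post reports, on RS1 builds with Credential Guard enabled this did not avoid the crash, so verify the resulting state after rebooting into the new entry rather than assuming the hypervisor is gone.

```powershell
# Added example (not from the thread): create a second boot entry that starts Windows
# without launching the Hyper-V hypervisor, leaving the normal entry (with VBS) intact.
# Assumes an elevated PowerShell session. Booting the new entry gives up the Device Guard /
# Credential Guard protections for that session; boot the default entry to get them back.

function New-NoHypervisorBootEntry {
    param([string]$Description = 'Windows 10 (Hyper-V off)')

    # bcdedit /copy prints a line of the form: The entry was successfully copied to {GUID}.
    $copyOutput = bcdedit /copy '{current}' /d $Description
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

    $guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "could not parse the new entry identifier from: $copyOutput" }

    # Only the copy gets the hypervisor disabled; {current} is left untouched so the
    # default boot still launches Hyper-V and the VBS services that depend on it.
    bcdedit /set $guid hypervisorlaunchtype off | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed for entry $guid" }

    return $guid
}

function Get-HypervisorLaunchType {
    param([string]$Entry = '{current}')
    # Returns the hypervisorlaunchtype value for a boot entry, or '(not set)' if absent.
    $m = (bcdedit /enum $Entry | Select-String -Pattern 'hypervisorlaunchtype\s+(\w+)').Matches |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
    if ($m) { return $m } else { return '(not set)' }
}

$entry = New-NoHypervisorBootEntry
Write-Host "Created boot entry $entry; hypervisorlaunchtype is now '$(Get-HypervisorLaunchType $entry)'."
Write-Host "Default entry keeps hypervisorlaunchtype '$(Get-HypervisorLaunchType)'."
Write-Host 'Reboot and pick the new entry from the boot menu to run Workstation; boot the default entry to restore VBS.'
# To remove the entry later:  bcdedit /delete $entry
```

After rebooting into the new entry, check `Win32_ComputerSystem.HypervisorPresent` and `Win32_DeviceGuard.VirtualizationBasedSecurityStatus` before starting a VM; if the hypervisor is still reported present, the boot-entry change alone has not taken effect on that build.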