I have several Windows Server 2016 VMs (hardware version 14) with VBS up and running properly.
For some reason, after a proper shutdown, one of the VMs hangs at the Windows flag during the next boot (several resets of the VM give the same result).
The only way to boot this VM is to disable VBS and UEFI secure boot in the VM options.
Then, if I disable the Device Guard (Virtualization Based Security) policy inside Windows, I'm able to boot the VM with VBS enabled (in the VM options).
But if I again enable the Device Guard (Virtualization Based Security) policy inside Windows with VBS enabled (in the VM options), the VM again hangs at the Windows flag and refuses to boot.
I have also tried deleting the VM's nvram file before booting, but still the same issue.
The VM is a very basic file server with only the File and Storage Services role enabled.
I'm running vSphere 6.7.0 Update 1 (Build 10302608) on a standalone ESXi host.
Any help would be appreciated, thanks in advance!
Hello LabSA,
I had exactly the same issue. I did an upgrade from 6.7 to 6.7 U1. After that, all my VMs with VBS enabled stopped working (6 VMs).
After some research I found out that the problem did not come from the ESXi; instead it comes from a Windows Update. Windows Defender has a problem with secure boot.
I applied this "workaround" from Microsoft: https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform
After that, all my VMs started to work normally with VBS enabled.
I hope it also solves your problem.
Dear LabSA,
As you have already mentioned, once you disable Device Guard, Windows is able to boot normally. It rules out the possibility of any interference from the hypervisor end. It would be good to involve Microsoft support to look at the OS itself and see what is actually getting stuck at boot time.
Hello TNCgrad,
Many thanks for your answer!
I tried the Microsoft "workaround" and now the VM is booting with Device Guard and VBS enabled!
I just had to edit the path to MpCmdRun.exe like this:
"%programdata%\Microsoft\Windows Defender\Platform\4.18.1901.7-0\MpCmdRun.exe" -revertplatform
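As an added example (not part of this thread, and not code from Microsoft or VMware), the following PowerShell script, run inside the guest from an elevated session, first reports the VBS state through the Win32_DeviceGuard WMI class, then locates MpCmdRun.exe under the Defender Platform folder so the version-specific path does not have to be typed by hand, and finally runs the -revertplatform command used above. It assumes the folder layout shown in the path above (one subfolder per platform version, named like 4.18.1901.7-0, each containing MpCmdRun.exe) and picks the highest version present; that choice is an assumption, not something the thread states.

```powershell
# Added example: check VBS state and run the Windows Defender platform revert
# described in the thread. Run in the guest, from an elevated PowerShell session.
# Assumption: platform builds live in
#   %ProgramData%\Microsoft\Windows Defender\Platform\<version>-0\MpCmdRun.exe
# as in the path quoted in the thread.

function Get-VbsState {
    # Win32_DeviceGuard exposes the VBS state to the guest:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI (code integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        ServicesConfigured = $dg.SecurityServicesConfigured -join ','
        ServicesRunning    = $dg.SecurityServicesRunning -join ','
    }
}

function Get-DefenderPlatformDirs {
    # Enumerate platform folders that actually contain MpCmdRun.exe, newest version first.
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (-not (Test-Path $root)) { throw "Defender platform folder not found: $root" }
    Get-ChildItem -Path $root -Directory |
        Where-Object { Test-Path (Join-Path $_.FullName 'MpCmdRun.exe') } |
        ForEach-Object {
            # Folder names look like 4.18.1901.7-0; the part before the dash parses as a [version].
            $v = [version](($_.Name -split '-')[0])
            [pscustomobject]@{ Path = $_.FullName; Version = $v }
        } |
        Sort-Object Version -Descending
}

function Invoke-DefenderRevertPlatform {
    param([switch]$WhatIf)   # -WhatIf only prints the path that would be used
    $dirs = Get-DefenderPlatformDirs
    if (-not $dirs) { throw 'No Defender platform folder containing MpCmdRun.exe was found' }
    # Assumption: revert from the newest installed platform build.
    $exe = Join-Path $dirs[0].Path 'MpCmdRun.exe'
    Write-Host "Using $exe"
    if ($WhatIf) { return }
    & $exe -RevertPlatform
    Write-Host "MpCmdRun.exe exit code: $LASTEXITCODE"
}

Write-Host 'VBS state before revert:'
Get-VbsState | Format-List
Invoke-DefenderRevertPlatform
```

Run Get-VbsState again after the next reboot: a VbsStatus of 2 together with the Device Guard policy enabled in Windows and VBS enabled in the VM options is the state the original poster was trying to reach.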