VMware Cloud Community
LabSA
Contributor

Virtualization Based Security (VBS) - No Longer Working (vSphere 6.7U1) - Windows Server 2016 hangs on boot

I have several Windows Server 2016 VMs (hardware version 14) with VBS up and running properly.

For some reason, after a proper shutdown, one of the VMs hangs at the Windows flag during the next boot (several resets of the VM give the same result).

The only way to boot this VM is to disable VBS and UEFI Secure Boot in the VM options.

Then, if I disable the Device Guard (Virtualization Based Security) policy inside Windows, I'm able to boot the VM with VBS enabled (in the VM options).

But if I enable the Device Guard (Virtualization Based Security) policy inside Windows again, with VBS enabled (in the VM options), the VM again hangs at the Windows flag and refuses to boot.

I have also tried deleting the VM's nvram file before booting, but the issue is still the same.

The VM is a very basic file server with only the File and Storage Services role enabled.

I'm running vSphere 6.7.0 Update 1 (Build 10302608) on a standalone ESXi host.

Any help would be appreciated, thanks in advance!

0 Kudos

Accepted Solutions
TNCgrad
Contributor

Hello LabSA,

I had exactly the same issue. I did an upgrade from 6.7 to 6.7 U1. After that, all my VMs with VBS enabled stopped working (6 VMs).
After some research I found out that the problem did not come from ESXi; instead it comes from a Windows Update. The Windows Defender has a problem with secure boot.
I applied this "workaround" from Microsoft: https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform

After that, all my VMs started to work normally with VBS enabled.
I hope it also solves your problem.

0 Kudos
Beingnsxpaddy
Enthusiast

Dear LabSA,

As you have already mentioned, once you disable Device Guard, Windows is able to boot normally. That rules out the possibility of any interference from the hypervisor end. It would be good to involve Microsoft support to look at what in the OS itself is actually getting stuck at boot time.

Regards,
Pradhuman
VCIX-NV, VCAP-NV, vExpert, VCP2X-DCVNV
If my answer resolved your query, don't forget to mark it as "Correct Answer".
0 Kudos
LabSA
Contributor

Hello TNCgrad,

Many thanks for your answer!

I tried the Microsoft "workaround" and now the VM is booting with Device Guard and VBS enabled!

I just had to edit the path of the MpCmdRun.exe like this:

"%programdata%\Microsoft\Windows Defender\Platform\4.18.1901.7-0\MpCmdRun.exe" -revertplatform

0 Kudos
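
The version folder in the path above changes with every Defender platform update, so the following is an added example (not part of the thread, and not Microsoft's or VMware's code) that resolves the installed platform folder, reports the guest's VBS and Secure Boot state, and runs the rollback from the post only when asked. It assumes an elevated PowerShell session inside the affected guest; the `-Revert` switch and variable names are hypothetical.

```powershell
# Added example: locate the current Defender platform folder and report VBS state.
param(
    [switch]$Revert   # hypothetical switch: roll back only when explicitly requested
)

# Versioned platform folders live here (directory taken from the post above).
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

# Pick the highest installed version instead of hardcoding a name such as
# "4.18.1901.7-0"; the "-0" suffix is stripped before the version comparison.
$current = Get-ChildItem -Path $platformRoot -Directory -ErrorAction Stop |
    Sort-Object { [version]($_.Name -replace '-.*$', '') } -Descending |
    Select-Object -First 1
if (-not $current) { throw "No platform folders found under $platformRoot" }
$mpCmdRun = Join-Path $current.FullName 'MpCmdRun.exe'

# VBS state as reported by Windows: 0 = off, 1 = enabled, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$vbsText = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

# Confirm-SecureBootUEFI throws on non-UEFI firmware or without elevation.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "unknown ($($_.Exception.Message))" }

[pscustomobject]@{
    DefenderPlatform = $current.Name
    MpCmdRunPath     = $mpCmdRun
    VbsStatus        = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
    SecureBoot       = $secureBoot
}

if ($Revert) {
    if (-not (Test-Path -LiteralPath $mpCmdRun)) {
        throw "MpCmdRun.exe not found in $($current.FullName)"
    }
    # Same command as in the post, with the resolved path.
    & $mpCmdRun -revertplatform
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "MpCmdRun.exe exited with code $LASTEXITCODE"
    }
}
```

Running it without `-Revert` only reports state, which is useful for recording the platform version and VBS status before and after the rollback.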