I've just upgraded to vSphere 6.7 Update 1 and one of the first things I wanted to start experimenting with is Virtualization Based Security (VBS) in my VMs. I have a Win2016 and Win2019 VM I have installed with hardware version 14 and VMware Tools 10338. Windows is patched with October 2018's updates.
I've read a few articles on enabling VBS but there are some discrepencies so I wanted to list the steps I followed to see if I am installing/configuring VBS correctly:
- Shut down VM and tick the "Enable" box next to Virtualization Based Security under VM options
- Power VM on
- In VM open gpedit.msc and browse to:
Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security - Set to Enable and configure options as follows:
| Select Platform Security level | : Secure Boot and DMA Protection |
| Virtualization Based Protection of Code Integrity | : Enabled with UEFI lock |
| Credential Guard Configuration | : Enabled with UEFI lock |
4. Reboot server
5. This is where I am confused. Some articles say you have to enable/install the Hyper-V feature and reboot (others don't mention enabling Hyper-V). On my one test VM I haven't installed Hyper-V yet but after completing up to step 4. above VBS appears to be working/running:
So my questions are, do I need to install/enable Hyper-V for VBS to work? On my second test VM I did install the Hyper-V feature and VBS looked identical to the screenshot above that shows VBS running.
So I'm confused, do I need to install/enable Hyper-V or can I just follow the first 4 steps above to get VBS installed and working correctly?
Thanks! After you posted your reply I found this:
Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs
The section that caught my eye:
So it looks like anything after build 1607 and later or Win2016 and later (like I am) then you DON'T have to enable/install the Hyper-V feature to get VBS working.