🔐 How to Enable Virtualization-Based Security (VBS) for Windows Workloads in VMware Cloud Foundation and vSphere

Posted on September 20, 2025

In today’s threat landscape, securing your Windows workloads is more critical than ever. One powerful way to harden your virtual machines is by enabling Virtualization-Based Security (VBS)—a Microsoft technology that uses hardware virtualization to isolate sensitive parts of the operating system.

If you’re running Windows workloads in VMware Cloud Foundation (VCF) or vSphere, this guide will walk you through everything you need to know to enable VBS, including prerequisites, configuration steps, and post-deployment verification.

🧰 Prerequisites: What You Need Before You Start

Before enabling VBS, ensure your virtual machine meets these requirements:

✅ UEFI Firmware

  • Your VM must use UEFI instead of BIOS.
  • In vSphere:
    VM Options > Boot Options > Firmware > UEFI

✅ Secure Boot

  • Ensures only signed bootloaders and drivers are loaded.
  • Enable under:
    VM Options > Boot Options > Secure Boot

✅ Virtual TPM (vTPM)

  • Required for storing cryptographic keys securely.
  • Add via:
    VM Options > Add New Device > Trusted Platform Module
  • Note: VM encryption must be enabled to use vTPM.

🛠️ Step-by-Step: Enabling VBS in vSphere

  1. Power off the VM.
  2. Go to Edit Settings in vSphere.
  3. Under VM Options:
    • Set Firmware to UEFI
    • Enable Secure Boot
  4. Under Virtual Hardware:
    • Add a Trusted Platform Module
  5. Under CPU Settings:
    • Check Expose hardware-assisted virtualization to the guest OS

🧩 Configure Group Policy for Device Guard & Credential Guard

Once your VM is configured, enable VBS features inside Windows:

  1. Open Group Policy Editor (gpedit.msc)
  2. Navigate to:
    Computer Configuration > Administrative Templates > System > Device Guard
  3. Enable:
    • Turn On Virtualization Based Security
      • Set Credential Guard to Enabled with UEFI lock
      • Enable Secure Launch if supported
    • Deploy Windows Defender Credential Guard
  4. Reboot the VM.

🔐 Secure Launch & Memory Integrity

To further harden your VM:

Secure Launch

  • Ensures the OS boots securely from a trusted state.
  • Requires Windows 10 1903+ or Server 2019+.
  • Enable via Group Policy or registry.

Memory Integrity (HVCI)

  • Protects against kernel-level exploits.
  • Enable via:
    Windows Security > Device Security > Core Isolation > Memory Integrity

🧠 Special Considerations for Domain Controllers

If you’re enabling VBS on Active Directory Domain Controllers:

  • Test first in a non-production environment.
  • Ensure Credential Guard doesn’t interfere with Kerberos delegation or third-party auth.
  • Monitor for replication or authentication issues after deployment.

✅ How to Verify VBS is Running

🖥️ System Information

  • Run msinfo32
  • Look for:
    • Virtualization-based Security: Running
    • Credential Guard: Running

💻 PowerShell

Get-CimInstance -ClassName Win32_DeviceGuard
  • VirtualizationBasedSecurityStatus = 2 means VBS is active.
  • SecurityServicesRunning should list Credential Guard and HVCI.

🎯 Final Thoughts

Enabling VBS in VMware environments is a strategic move to protect your Windows workloads from advanced threats. With the right configuration and validation, you can take full advantage of Microsoft’s security features—without compromising performance or compatibility.