VDI Security in Windows 11


In Windows 11, "Virtualization-based Security" (VBS) is enabled by default. For VDI environments such as Omnissa Horizon it is a feature that might not be necessary, because the hypervisor layer of VMware or other platforms has its own protection mechanisms.

This blog outlines the benefits and the performance penalties of VBS.


Core Benefits of VBS

Credential Protection

With Credential Guard, VBS stores sensitive credentials such as NTLM hashes and Kerberos tickets in an isolated container (Isolated LSA). This blocks credential-dumping tools like Mimikatz from reading them out of the normal LSASS process memory, significantly reducing the risk of lateral movement.

Kernel-Level Code Integrity

Hypervisor-Enforced Code Integrity (HVCI) ensures that only approved, digitally signed drivers and binaries can execute at the kernel level. This defends against rootkits and kernel-level malware.

Zero-Day Exploit Mitigation

By isolating mission-critical processes, VBS minimizes the attack surface and lessens the impact of previously unknown vulnerabilities.

Secure Boot Synergy

VBS complements Secure Boot, ensuring the device loads only trusted software at startup and preventing bootkits and early-stage malware.


Windows 11 Security: VBS Prerequisites

CPU

· Needs to support Mode Based Execution Control (MBEC)

· AMD Zen 2 or Intel Skylake / Kaby Lake

· CPU virtualization features: Intel VT, AMD-V

UEFI + Drivers

· Secure Boot

· Memory Integrity compatible device drivers

VDI on VMware vSphere / VCF

· VM Hardware Version 14+ (ESXi 6.7) for Intel

· VM Hardware Version 19+ (ESXi 7.0 U2) for AMD

· EVC level according to the CPU requirements


Check VBS Status

Use the systeminfo command to check the status: the "Virtualization-based security" section lists the required and available security properties and the services configured and running.
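As an added example (not part of the original post), the following PowerShell reads the same Win32_DeviceGuard WMI class that systeminfo reports and decodes the VBS, HVCI and Credential Guard state, then checks the two hardware properties from the prerequisites above (Secure Boot and MBEC) that a VDI guest must expose. The numeric codes are the documented values of the Win32_DeviceGuard class; the script needs no parameters.

```powershell
# Added example, not from the original post: decode Win32_DeviceGuard the way systeminfo does.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented code tables for the Win32_DeviceGuard properties.
$vbsState   = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$services   = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)';
                 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$properties = @{ 0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                 4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations';
                 7 = 'Mode Based Execution Control (MBEC)' }

# Turn an array of codes into a readable, comma-separated list.
function Decode($codes, $table) {
    if ($null -eq $codes) { return '(none)' }
    ($codes | ForEach-Object {
        if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" }
    }) -join ', '
}

"VBS status              : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured     : $(Decode $dg.SecurityServicesConfigured $services)"
"Services running        : $(Decode $dg.SecurityServicesRunning $services)"
"Available HW properties : $(Decode $dg.AvailableSecurityProperties $properties)"
"Required HW properties  : $(Decode $dg.RequiredSecurityProperties $properties)"

# Prerequisite check for a VDI guest: Secure Boot (2) and MBEC (7) must be exposed by the VM,
# otherwise the VM hardware version / EVC level from the prerequisites section is the first thing to verify.
$missing = @(2, 7) | Where-Object { $dg.AvailableSecurityProperties -notcontains $_ }
if ($missing) { Write-Warning "Missing prerequisites: $(Decode $missing $properties)" }

# A service that is configured (by GPO/Intune) but not running means the platform cannot start it.
$stalled = $dg.SecurityServicesConfigured | Where-Object { $_ -ne 0 -and $dg.SecurityServicesRunning -notcontains $_ }
if ($stalled) { Write-Warning "Configured but not running: $(Decode $stalled $services)" }
```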



Configuration options:

Windows (bcdedit accepts the values Auto and Off for both entries; the post's "on" corresponds to Auto)

bcdedit /set vsmlaunchtype Auto | Off

bcdedit /set hypervisorlaunchtype Auto | Off

VMware: VM Options (Enable Virtualization Based Security)

Policies: GPOs, Intune Device Guard


Check the Memory Integrity status

Benchmarks of VBS

The following benchmarks show the performance impact of VBS.

In summary, the benchmark results are not a game changer for turning VBS on or off. But on a performance-critical platform every percent counts, so they are an important input for the design decision.

Windows 11 Security: VBS On or Off Best Practices

VDI

Public cloud → Enable VBS

Private cloud → Possibility to disable VBS if the hypervisor is up to date and hardened

Physical Endpoint

VBS should be turned on to maximize security

Multi User RDSH

VBS enabled: reduces the risk from other users on the same system
