In this article, we will show you how to enable guest Virtual Secure Mode in Windows Server Hyper-V.
Table of Contents
Introduction
Starting with Windows 10, Windows Server 2016, and later OS versions, Microsoft introduced a new feature called Virtual Secure Mode (VSM). VSM is what enables features like Device Guard and Credential Guard.
Credential Guard and Device Guard deliver unparalleled levels of operating system security. If you are new to these technologies or still have confusion about the security features of the modern operating system, then I highly recommend reading Windows 10 Device Guard and Credential Guard Demystified.
One of the features that I see people missing in Windows Server 2016 Hyper-V and later is Guest Virtual Secure Mode. Credential Guard and Device Guard are enabled by Hyper-V virtualization and they are now available inside virtual machines as well! This is so powerful.
Credential Guard is a Hypervisor-based technology, what it does actually is, that rather than storing the credentials in memory in a location where malicious software can get to it, the credentials are stored in a secure location in the Hypervisor (See Figure 1). So even if you have malware or malicious software running with elevated privileges on your computer they cannot access your credentials.
Credential Guard is not enabled by default, because first you need to enable Hyper-V on your physical machine (workstation/server), and second it requires some sort of infrastructure that you need to set it up as highlighted in this article. However, what about if you running Credential Guard on a virtual machine?
In Windows Server 2016, Microsoft did a bunch of work to enable you to use Credential Guard and Device Guard inside virtual machines. And genuinely if you have Windows 10 or Windows Server 2016 running on top of Windows Server 2016 Hyper-V, you can enable this incredible level of security.
In this blog post, I will show you how to enable Credential Guard in a virtual machine running either Windows 10 or Windows Server 2016.
Enable Guest Virtual Secure Mode
Credential Guard and Device Guard can protect a Hyper-V virtual machine, just as they would on a physical machine. But before you enable Virtual Secure Mode in a virtual machine, there are certain requirements that you have to be aware of:
- The Hyper-V host must run Windows Server 2016, Windows 10 version 1607, or later editions.
- The Hyper-V virtual machine must be Generation 2 with secure boot enabled, have an enabled virtual TPM, and run at least Windows Server 2016, Windows 10, and later.
- Please note that Device Guard and nested virtualization cannot be enabled at the same time.
- The Virtualization Based Security (VBS) option for the Hyper-V virtual machine must be set to $False. The default is always False. However, the following PowerShell commands will help you to check the current settings and set it to False if needed. The parameter name -VirtualizationBasedSecurityOptOut is a bit confusing here, the word (Out) at the end means, do you want to disable VBS? The VM must be in an Off state before you change these settings. In this example, VBS is enabled by default.
$VMName = "WS2016"
Get-VMSecurity -VMName $VMName | Select-Object VirtualizationBasedSecurityOptOut
Stop-VM $VMName
Set-VMSecurity -VMName $VMName -VirtualizationBasedSecurityOptOut $False
Start-VM $VMNameSo, how to enable Credential Guard and Device Guard in a virtual machine?
Well, we have two options, you can use either Group Policy or configure manually the registry keys.
Personally, I prefer the registry option since not all virtual machines are domain-joined.
If you are interested in the group policy option, here is the path to enable it.
Open the Group Policy Management Editor, create a new GPO, and then click Edit. Navigate to Computer Configuration\Policies\Administrative Templates\System\Device Guard. Right-click Turn on Virtualization Based Security, and then click Edit. (See Figure 2).
Finally, you need to restart the virtual machine, and the settings will take effect upon restart.
As a side note, what is the difference between “Enabled with lock” and “Enabled without lock“? When your deployment is stable in your environment, Microsoft recommends changing to Enabled with lock. This option helps protect the registry from tampering, either through malware or by an unauthorized person. Moreover, if you want to be able to turn off Credential Guard and Device Guard remotely, then choose “Enabled without lock“.
The second option is enabling Credential Guard using registry keys on dozens of virtual machines.
Enable Credential Guard and Device Guard
PowerShell Direct to the rescue ;)
But before we enable VBS inside the virtual machine, we need to check the current status. From an elevated PowerShell session run msinfo32.exe. When you run this program, the Device Guard Virtualization-based security properties are displayed at the bottom of the System Summary section (See Figure 3):
The following registry keys provide exactly the same set of configuration options provided by Group Policy as described above.
Invoke-Command -VMName (Get-VM).Name -Credential (Get-Credential ~\Administrator) -ScriptBlock {
#Enable VirtualizationBasedSecurity (VBS)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
#Enable VBS and require Secure boot only without DMA Protections
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
#Enable Credential Guard without lock
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f
Restart-Computer -Force
}The script above will enable Device Guard and Credential Guard on all virtual machines running on top of Windows Server 2016 or Windows 10 Hyper-V host. This assumes that all VMs are running Windows 10 and Windows Server 2016 as well.
Once this is done and the VM is rebooted, you can easily check if Credential Guard is enabled by launching msinfo32.exe and viewing the following information (See Figure 4):
You can also check for the presence of the LsaIso process which stands for (LSA Isolated) is created in Task Manager (See Figure 5):
That’s All Folks… I hope this information helps in your journey to protect your virtual machine credentials.
P.S. Do you want to know more about Windows Server Hyper-V and discover all the new features? I strongly recommend checking my recently published book Windows Server Hyper-V Cookbook – Second Edition!
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
