How To Enable Guest Virtual Secure Mode in Windows Server 2016 #HyperV #WS2016

5 min read


In Windows 10 and Windows Server 2016, Microsoft introduced a new feature called Virtual Secure Mode (VSM). VSM is what enables feature like Device Guard and Credential Guard.

Credential Guard and Device Guard delivers unparalleled levels of operating system security. If you are new to these technologies or still have confusion around the security features of the modern operating system, then I highly recommend to read Windows 10 Device Guard and Credential Guard Demystified.

One of the feature that I see people missing in Windows Server 2016 Hyper-V is Guest Virtual Secure Mode. Credential Guard and Device Guard are enabled by Hyper-V virtualization and they are now available inside virtual machines as well! This is so powerful.

Credential Guard is a Hypervisor based technology, what it does actually is, rather than storing the credentials in memory in a location where malicious software can get to it, the credentials are stored in a secure location in the Hypervisor (See Figure 1). So even if you have malware or malicious software running with elevated privileges on your computer they cannot get to your credentials.

Figure 1. Credential Guard rely upon Hyper-V hypervisor and store credentials in Isolated User Mode LSA (Image Credit – Microsoft)

Credential Guard is not enabled by default, because first you need to enable Hyper-V on your physical machine (workstation/server), and second it requires some sort of infrastructure that you need to set it up as highlighted in this article. However, what about if you running Credential Guard in a virtual machine?

In Windows Server 2016, Microsoft did a bunch of work to enable you to use Credential Guard and Device Guard inside virtual machines. And genuinely if you have Windows 10 or Windows Server 2016 running on top of Windows Server 2016 Hyper-V, you can enable this incredible level of security.

In this blog post, I will show you how to enable Credential Guard in a virtual machine running either Windows 10 or Windows Server 2016.

Enable Guest Virtual Secure Mode

Credential Guard and Device Guard can protect a Hyper-V virtual machine, just as it would on a physical machine. But before you enable Virtual Secure Mode in a virtual machine, there are certain requirements that you have to be aware of:

  • The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  • The Hyper-V virtual machine must be Generation 2 with secure boot enabled, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
  • Please note that Device Guard and nested virtualization cannot be enabled at the same time.
  • The Virtualization Based Security (VBS) option for the Hyper-V virtual machine must be set to $False. The default is always False. However, the following PowerShell commands will help you to check the curent settings and set it to False if needed. The parameter name -VirtualizationBasedSecurityOptOut is a bit confusing here, the word (Out) at the end means, do you want to disable VBS? The VM must be in Off state before you change these settings. In this example, VBS is enabled by default.
$VMName = "WS2016"

Get-VMSecurity -VMName $VMName | Select-Object VirtualizationBasedSecurityOptOut
Stop-VM $VMName
Set-VMSecurity -VMName $VMName -VirtualizationBasedSecurityOptOut $False
Start-VM $VMName

So how to enable Credential Guard and Device Guard in a virtual machine?

Well, we have two options, you can use either Group Policy or configure manually the registry keys.

Personally, I prefer the registry option since not all virtual machines are domain joined.

If you are interested in the group policy option, here is the path to enable it.

Open the Group Policy Management Editor, create a new GPO, and then click Edit. Navigate to Computer Configuration\Policies\Administrative Templates\System\Device Guard. Right-click Turn on Virtualization Based Security, and then click Edit. (See Figure 2).

Figure 2. Configure VBS without Lock setting in Windows 10, and Windows Server 2016

Finally, you need to restart the virtual machine, and the settings will take effect upon restart.

As a side note, what is the difference between Enabled with lock and Enabled without lock. When your deployment is stable in your environment, Microsoft recommend changing to Enabled with lock. This option helps protect the registry from tampering, either through malware or by an unauthorized person. Moreover, if you want to be able to turn off Credential Guard and Device Guard remotely, then choose Enabled without lock.

The second option is, how to enable Credential Guard using registry keys on dozens of virtual machines?

PowerShell Direct to the rescue ;)

But before we enable VBS inside the virtual machine, we need to check the current status. From an elevated PowerShell session run msinfo32.exe. When you run this program, the Device Guard Virtualization based security properties are displayed at the bottom of the System Summary section (See Figure 3):

Figure 3. Device Guard properties in the System Summary section (Not enabled)

The following registry keys provides exactly the same set of configuration options provided by Group Policy as described above.

Invoke-Command -VMName (Get-VM).Name -Credential (Get-Credential ~\Administrator) -ScriptBlock {

    #Enable VirtualizationBasedSecurity (VBS)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

    #Enable VBS and require Secure boot only without DMA Protections
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

    #Enable Credential Guard without lock
    reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f

    Restart-Computer -Force


The script above will enable Device Guard and Credential Guard on all virtual machines running on top of Windows Server 2016 or Windows 10 Hyper-V host. This assumes that all VMs are running Windows 10 and Windows Server 2016 as well.

Once this is done and the VM is rebooted, you can easily check if Credential Guard is enabled by launching msinfo32.exe and viewing the following information (See Figure 4):

Figure 4. Device Guard and Credential Guard properties in the System Summary section

You can also check for the presence of the LsaIso process which stands for (LSA Isolated) is created in Task Manager (See Figure 5):

Figure 5. LsaIso process running in Virtual Secure Mode (VSM) inside the virtual machine

That’s All Folks… I hope this information helps in your journey to protect your virtual machines credentials.

P.S. Do you want to know more about Windows Server 2016 Hyper-V and discover all the new features? I strongly recommend to check my recent published book Windows Server 2016 Hyper-V Cookbook – Second Edition!

[email protected]

About Charbel Nemnom 569 Articles
Charbel Nemnom is a Cloud Architect, Swiss Certified ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. Excellent communicator is adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design, business continuity, and cloud security.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.