To verify that our configuration was functional, we installed Windows 10 on a USB key in Windows To Go mode and installed the drivers for this PC.
Then, we went to the device manager.
As expected, Windows 10 does detect a "Trusted Platform Module 2.0" in the "Security devices" section.
This step is only for testing and is not necessary.
Right-click this "Trusted Platform Module 2.0" device, click "Properties", go to the "Details" tab and select the "Driver Description" option from the list.
You can also check your hardware's compatibility with TPM by looking for "tpm.msc" in the Windows 10 start menu.
As expected, the specification version shown is 2.0.
Otherwise, a message would appear telling you that the TPM was not found.
In this case, either your hardware doesn't have a TPM module, or the necessary option is not enabled in the BIOS of your motherboard.
Note that the TPM module is never enabled in your motherboard when it leaves the factory. It's up to you to enable it manually by enabling the correct option in the BIOS of your motherboard.
Note : in our case, Windows is telling us that our Trusted Platform Module (TPM) is not ready for use.
You can ignore this status here, because it only means that we did not prepare the TPM for Windows 10 beforehand.
If you click on "Prepare the TPM" (in the "Actions" menu on the right), you will see that it's now ready for use.
However, this is not necessary for its use with VMware ESXi.
To start, create a new virtual machine by clicking on : Virtual Machines -> Create / Register VM.
Then, select "Create a new virtual machine" and click Next.
Choose "Microsoft Windows 10 (64-bit)" or "Microsoft Windows Server 2016 (64-bit)" for the guest OS version.
Indeed, these are the only guest operating systems for which VMware ESXi supports the activation of this VBS option.
Then, check the box next to "Enable Windows Virtualization Based Security" which will appear just below and click Next.
Select the datastore where you want to store this new virtual machine.
In the "VM Options" tab, you will see that the VBS option is already enabled (since you checked the corresponding box in the previous step).
As you can see, VMware ESXi warns you that the EFI, Secure Boot, IOMMU, and hardware virtualization features that are required by this VBS option will be automatically enabled when the virtual machine is restarted.
If you want to enable the VBS option on an existing Windows 10 x64 or Windows Server 2016 x64 virtual machine, here is what needs to be changed in its configuration.
To begin, in this "VM Options" tab, check the "Enable Virtualization Based Security" box.
In the "Boot Options" section, select "Firmware : EFI" and check the "Whether or not to enable UEFI secure boot for this VM" box.
For virtual hardware, expand the "CPU" node and check the boxes :
To finish creating this virtual machine, don't forget to select the Windows 10 or Windows Server 2016 ISO from which the guest will be installed.
A summary of the configuration appears.
Click on Finish.
At the bottom of the summary, you will see that VBS will be enabled on this Windows 10 virtual machine.
The "Virtual machine Win 10 v2004 x64 (with VBS) was successfully created" message appears.
If you look at the name of the "Guest OS" displayed by VMware ESXi, you will see that it says "VBS enabled" after its name (in our case : Microsoft Windows 10 (64 bit)).
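The settings that ESXi says VBS depends on (EFI, Secure Boot, IOMMU, hardware virtualization) end up as plain keys in the VM's .vmx file, so they can be audited without opening the client. The PowerShell function below is an added example, not part of the original tutorial; the key names are the ones ESXi 6.7 and later normally write (verify them against your own .vmx), and the sample file content is constructed for the demonstration.

```powershell
# Added example: audit .vmx content for the settings VBS depends on.
# Test-VmxVbsReadiness is a hypothetical helper name, not a VMware cmdlet.
function Test-VmxVbsReadiness {
    param([Parameter(Mandatory)][string[]]$VmxLines)

    # Parse 'key = "value"' lines; PowerShell hashtables are case-insensitive.
    $cfg = @{}
    foreach ($line in $VmxLines) {
        if ($line -match '^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$') {
            $cfg[$Matches[1]] = $Matches[2]
        }
    }

    # Expected value for each prerequisite listed in the ESXi warning.
    $required = [ordered]@{
        'firmware'                = 'efi'   # EFI firmware
        'uefi.secureBoot.enabled' = 'TRUE'  # UEFI Secure Boot
        'vhv.enable'              = 'TRUE'  # hardware virtualization exposed to the guest
        'vvtd.enable'             = 'TRUE'  # virtual IOMMU
        'vbs.enabled'             = 'TRUE'  # the VBS flag itself
    }

    foreach ($key in $required.Keys) {
        $actual = if ($cfg.ContainsKey($key)) { $cfg[$key] } else { '<missing>' }
        [pscustomobject]@{
            Setting  = $key
            Expected = $required[$key]
            Actual   = $actual
            Ok       = ($actual -ieq $required[$key])
        }
    }
}

# Constructed sample: an existing VM where the IOMMU box was never checked.
$sample = @'
displayName = "Win 10 v2004 x64 (with VBS)"
firmware = "efi"
uefi.secureBoot.enabled = "TRUE"
vhv.enable = "TRUE"
vbs.enabled = "TRUE"
'@ -split "`r?`n"

# Reports vvtd.enable as <missing> with Ok = False; the other four rows pass.
Test-VmxVbsReadiness -VmxLines $sample | Format-Table -AutoSize
```

To check a real VM, pass the output of Get-Content on a copy of its .vmx file instead of the sample.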
Installing Windows 10 or Windows Server 2016 requires nothing special.
Start the virtual machine.
Install Windows normally in the virtual machine.
Then, install the VMware Tools inside the virtual machine as you normally would.
To protect your virtual machine, VBS uses Microsoft's hypervisor (Hyper-V) available in particular on Windows 10 and Windows Server 2016 to isolate the virtual machine.
You will therefore need to enable the "Hyper-V Hypervisor" feature available on Windows 10.
To do this, open the control panel, then go to : Programs : Uninstall a program -> Turn Windows features on or off.
Then, check the "Hyper-V Hypervisor" box available in : Hyper-V -> Hyper-V Platform.
Then, click on OK.
Windows applies the necessary changes.
Then, click on Close.
Open the Windows 10 start menu, type "group" and click on the "Edit group policy" result.
In the Local Group Policy Editor that appears, go to : Computer Configuration -> Administrative Templates -> System -> Device Guard.
In the "Device Guard" folder, double-click on the "Turn On Virtualization Based Security" policy.
Note : enabling this group policy enables the "Windows Defender Credential Guard" feature available on Windows 10, Windows Server 2016 and Windows Server 2019.
Enable this "Turn On Virtualization Based Security" policy and configure the available options according to your needs :
The "Turn On Virtualization Based Security" policy has been enabled.
Once this Group Policy is configured, remember to update the Group Policy by restarting the virtual machine or by using the command :
gpupdate /force
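Once the guest has been restarted, you can confirm from inside Windows that the feature, the policy and the running state all agree. The PowerShell function below is an added example, not part of the original tutorial; it uses the built-in Win32_DeviceGuard CIM class and the Device Guard policy registry key, must be run from an elevated session, and Get-VbsGuestStatus is a hypothetical helper name.

```powershell
# Added example: run in an elevated PowerShell session inside the guest.
function Get-VbsGuestStatus {
    # 1. "Hyper-V Hypervisor" feature from "Turn Windows features on or off".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-Hypervisor'

    # 2. Secure Boot as seen by the guest (the cmdlet throws on non-UEFI guests).
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # 3. Values written by the "Turn On Virtualization Based Security" policy.
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $policy  = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue

    # 4. Runtime state reported by the Device Guard provider.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $name = {
        param($ids)
        @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Other ($_)" }
        })
    }

    [pscustomobject]@{
        HypervisorFeature  = $feature.State
        SecureBoot         = $secureBoot
        PolicyEnableVbs    = $policy.EnableVirtualizationBasedSecurity
        PolicyLsaCfgFlags  = $policy.LsaCfgFlags
        VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $name $dg.SecurityServicesConfigured
        ServicesRunning    = & $name $dg.SecurityServicesRunning
    }
}

Get-VbsGuestStatus | Format-List
```

A VbsStatus of "Enabled, not running" after a reboot usually points back to the VM configuration (EFI, Secure Boot, IOMMU or hardware virtualization not exposed to the guest) rather than to the group policy.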
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.