
Microsoft virtualization-based security, also known as “VBS”, is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem.

Starting with vSphere 6.7, you can now enable Microsoft virtualization-based security (VBS) on supported Windows guest operating systems. You may or may not be familiar with these new Windows features. What you will hear first and foremost is the requirement for “Credential Guard”, which is why I added that to the title. Based on conversations I have with security teams, you might want to become familiar! In order to level set the conversation in this blog I will go over the features as they relate to a bare metal installation of Windows and then a Windows VM on ESXi. As always, because we are talking about Microsoft features in their OS, you should consult their documentation for exact wording and guidance. What follows is my interpretation of the Microsoft technologies based on publicly available documentation and websites I have been following since the features became public.

In order to set the stage and help you better understand what is necessary to enable VBS on a hypervisor-based platform, let’s start by talking about enabling VBS on a laptop or desktop, where Windows is the bare metal installation. To enable VBS on a laptop or desktop you need to ensure certain BIOS/firmware settings have been enabled and Windows is installed based on some of these settings. A brief list of things to be set includes:

- Hardware virtualization (Intel VT/AMD-V settings) and IOMMU.
- Windows installed with all the above settings enabled.

Only then can you enable VBS within the Microsoft Windows OS.

The following graphic represents how Windows 10 is installed on the hardware and the components at play when you enable VBS.

After you have configured VBS in Windows the system will reboot, the Microsoft hypervisor will load, and then Windows. The hypervisor will also leverage virtualization to bring up additional Windows components (e.g. the credential management subsystem) in a separate memory space. Most modern systems have a TPM 2.0 device built in to the hardware (represented in the graphic above). If enabled, Windows will use it to secure credentials stored in the credentials subsystem. If the hardware TPM is not enabled in the BIOS or not present in the hardware, then Windows will still use VBS and you can still enable Credential Guard, but the credentials won’t be as secure.

In a traditional Windows installation hashed credentials, including Active Directory credentials, were available to almost anyone with enough local OS privileges because they lived in the same memory as Windows. That was known as the Pass the Hash exploit. Enabling a VBS feature called Credential Guard will keep account hash information outside the scope/memory of the Windows instance. All communication between Windows and the additional Windows components is via RPC calls run through a Microsoft hypervisor-based communications channel. This mitigates the Pass the Hash exploit, according to Microsoft.

Ok, so now let’s introduce vSphere into the mix. For some time now you have been able to install Windows 10 or Server 2016 as a virtual machine. Here’s an example of a standard VM running Windows 10 on an ESXi server. In a vSphere world, ESXi is the bare metal installation. In order to support Windows 10 with VBS you have to present to the Windows 10 VM the same level of BIOS/Firmware/Hardware. Only in this case, the VM has no access to the bare metal, so the functionality will be virtualized.

In order to enable VBS the VM must be running at Virtual Hardware version 14. New versions of Virtual Hardware expose newer functionality, and support for VBS comes with version 14. The VM needs hardware virtualization and IOMMU to be exposed/granted to the VM. This is more popularly known as “Nested Virtualization”. Additionally, the VM needs to have Secure Boot enabled and be booting from the EFI firmware. Why do we need to run a Windows VM “nested”? Because Microsoft’s hypervisor will be booting first so that it can provide to Windows the necessary capabilities for VBS.

Note: If you are creating new Windows 10 or Windows 2016 VMs, make sure you are selecting UEFI firmware before installing! Switching from traditional BIOS to UEFI (“EFI” in VM options) is “painful”. Switching after the fact introduces additional steps.

You can see in the image below that there is a new “Enable” checkbox for Virtualization Based Security. When you check that box all of the necessary changes are made. The VM now has CPU virtualization extensions exposed to it, IOMMU is turned on, and EFI firmware and Secure Boot are enabled. Notice how “virtual TPM” is not enabled by default when you select VBS.
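As an added example (not code from the original post or from VMware), here is a PowerCLI script that audits a VM against the VBS prerequisites described above: hardware version 14, EFI firmware, Secure Boot, nested hardware virtualization, IOMMU, the VBS flag, and whether a virtual TPM is attached, since that one is not enabled by default. It assumes an existing Connect-VIServer session and takes the VM name as its only parameter.

```powershell
# Added example: audit a vSphere VM's settings against the VBS prerequisites.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
param(
    [Parameter(Mandatory = $true)][string] $VMName
)

$vm  = Get-VM -Name $VMName -ErrorAction Stop
$cfg = $vm.ExtensionData.Config

# The virtual hardware version is reported as "vmx-NN"; VBS support arrived with vmx-14.
$hwVersion = [int]($cfg.Version -replace '^vmx-', '')

# A VirtualTPM device in the hardware list means a vTPM is attached to the VM.
$hasVtpm = [bool]($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })

# Each check maps to one of the settings the VBS checkbox turns on (or, for vTPM, does not).
$checks = [ordered]@{
    'Hardware version >= 14'     = ($hwVersion -ge 14)
    'EFI firmware'               = ($cfg.Firmware -eq 'efi')
    'EFI Secure Boot enabled'    = [bool]$cfg.BootOptions.EfiSecureBootEnabled
    'Nested HV (VT-x/AMD-V)'     = [bool]$cfg.NestedHVEnabled
    'IOMMU exposed (vVT-d)'      = [bool]$cfg.Flags.VvtdEnabled
    'VBS flag set'               = [bool]$cfg.Flags.VbsEnabled
    'vTPM attached (optional)'   = $hasVtpm
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ VM = $vm.Name; Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize

# Fail only on the required settings; the vTPM state is reported but not required for VBS.
$required = $checks.Keys | Where-Object { $_ -notlike '*optional*' }
$failed   = $required | Where-Object { -not $checks[$_] }
if ($failed) {
    Write-Warning "$($vm.Name) does not meet all VBS prerequisites: $($failed -join ', ')"
    exit 1
}
```

A VM that passes every required check is configured the way the “Enable” checkbox leaves it; a vTPM still has to be added separately if you want credentials protected by a TPM.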
