Forum Discussion
Guidance on Domain Controller Virtualization Based Security and Defender Antivirus Baselines
The 'Domain Controller Virtualization Based Security' baseline should be applied to physical and virtual domain controllers. It relates to virtualising security features within the OS rather than the virtualisation of the OS itself, e.g. HVCI. The reason there is a difference in the DC baseline is because 'credential in memory' protection is of no value on a DC when the entire Active Directory database is sat right there on the file system.
I can't comment on 3rd party AV/Endpoint solutions but I will recommend using Defender as your antimalware solution as part of your defence in depth. Used with other protections like VBS, ATP, ISG and HVCI, it will provide you with the strongest and most reliable solution.
Regards,
Steve
- awolf13, Jun 23, 2020, Copper Contributor
Steve Norton I am noticing an issue when applying the Domain Controller Virtualization Based Security policy to my vDC. Once applied, on the next reboot they fail to boot. Hypervisor reports a Triple Fault error. I can get to recovery and safe mode/safe mode with networking. I'm probably doing something wrong, but even with a new VM config on Server 2019 Hypervisor with a clean Windows 2019 Server OS VM it's repeatable. I've not dug into it beyond that at this time. Maybe there's another resource I'm overlooking when setting this up?
- Steve Norton, Jun 23, 2020, Brass Contributor
Hi awolf13,
Does your vDC boot successfully with 'Enable Secure Boot' and 'Enable Trusted Platform Module' enabled on the host?
Regards,
Steve
- awolf13, Jun 23, 2020, Copper Contributor
Steve Norton Secure Boot is enabled and working. I've not attempted to enable TPM. Is that most likely the culprit?
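
Added example, not part of the thread or any poster's reply: a guest-side PowerShell check that reports the VBS and HVCI state alongside the Secure Boot and TPM prerequisites the replies ask about. `Test-DcVbsState` is a hypothetical helper name; it assumes an elevated session on the domain controller and uses only the built-in `Win32_DeviceGuard` class, `Confirm-SecureBootUEFI` and `Get-Tpm`.

```powershell
# Added example. Test-DcVbsState is a hypothetical helper name, not a built-in cmdlet.
# Run elevated inside the domain controller guest (or on a physical DC).
function Test-DcVbsState {
    param(
        # Win32_DeviceGuard instance; a constructed object can be passed instead.
        $DeviceGuard = (Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                        -ClassName Win32_DeviceGuard)
    )

    $vbsText = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # Service IDs in SecurityServices*: 1 = Credential Guard, 2 = HVCI.
    $hvciRunning  = $DeviceGuard.SecurityServicesRunning    -contains 2
    $credGuardSet = $DeviceGuard.SecurityServicesConfigured -contains 1

    # Platform properties the policy requires but the machine does not offer.
    $missing = @($DeviceGuard.RequiredSecurityProperties |
                 Where-Object { $_ -notin $DeviceGuard.AvailableSecurityProperties })

    # Confirm-SecureBootUEFI throws on non-UEFI (BIOS) machines.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Get-Tpm shows whether the guest sees a (virtual) TPM at all.
    try   { $tpm = Get-Tpm -ErrorAction Stop
            $tpmPresent = $tpm.TpmPresent; $tpmReady = $tpm.TpmReady }
    catch { $tpmPresent = $false; $tpmReady = $false }

    [pscustomobject]@{
        VbsStatus                 = $vbsText[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        HvciRunning               = $hvciRunning
        CredentialGuardConfigured = $credGuardSet  # the first reply explains why the DC baseline differs here
        SecureBootOn              = $secureBoot
        TpmPresent                = $tpmPresent
        TpmReady                  = $tpmReady
        MissingRequiredProperties = $missing -join ','
    }
}

Test-DcVbsState | Format-List
```

A non-empty `MissingRequiredProperties` means the applied policy demands a platform feature (for example Secure Boot, property 2) that the VM configuration does not expose.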