Forum Discussion

Shrikant Joshi
Aug 30, 2018

Virtualization Based Security (VBS) and Hypervisor Enforced Code Integrity (HVCI) for Olympia Users!

Try out Virtualization Based Security (VBS) and Hypervisor Enforced Code Integrity (HVCI) using the Windows Insider Lab for Enterprise (Olympia Corp).


What is Virtualization Based Security (VBS) and Hypervisor Enforced Code Integrity (HVCI)?

Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.

Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). Please click here for reference and more details.

Virtualization Based Security (VBS) and Hypervisor Enforced Code Integrity (HVCI) protect Windows from compromise by bad drivers and malicious system files. Windows devices everywhere will soon be protected by VBS and HVCI. In this quest, Windows users can enable HVCI on desktop devices to protect them from malicious apps and files, and provide feedback about any impact HVCI has on Windows' function and performance.


How to Enable HVCI?


  1. Launch the "Windows Security" app.
    1. Search for "Windows Security" in the Start menu.
  2. Navigate to "Device Security".
  3. Click on "Core isolation details".
  4. Enable HVCI: click the "Memory integrity" toggle to set it to "On".
    1. If the toggle is Off and reads "This setting is managed by your administrator", then this quest will not work for you (the setting is controlled by policy).
  5. Device Security will prompt you to restart. Restart to apply these protection changes.
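The toggle above writes the documented DeviceGuard registry values that Group Policy and MDM also use. The following PowerShell script is an added example (not from the original post or from Microsoft) that enables VBS and HVCI the same way from an elevated prompt, and first checks the policy key that causes the "managed by your administrator" message. The registry paths and value names are the ones Microsoft documents for Device Guard; the `-UefiLock` switch name is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: enable VBS + HVCI through the documented DeviceGuard registry keys.
# A restart is required afterwards, exactly as with the Windows Security toggle.
param(
    [switch]$UefiLock   # when set, HVCI becomes UEFI-locked (physical presence needed to turn it off)
)

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$dg     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci   = Join-Path $dg 'Scenarios\HypervisorEnforcedCodeIntegrity'

# If policy already sets these values, the Windows Security toggle is greyed out
# ("This setting is managed by your administrator"); report that instead of fighting it.
if (Test-Path $policy) {
    $p = Get-ItemProperty -Path $policy
    if ($null -ne $p.HypervisorEnforcedCodeIntegrity -or $null -ne $p.EnableVirtualizationBasedSecurity) {
        Write-Warning "HVCI/VBS is managed by policy at $policy; change it there (GPO/MDM), not locally."
        return
    }
}

# Enable VBS and require Secure Boot (1). A value of 3 would also require DMA protection,
# which is what "Required Security Properties" in System Information then reports.
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
Set-ItemProperty -Path $dg -Name 'RequirePlatformSecurityFeatures'   -Type DWord -Value 1

# Turn on the HVCI scenario; this is the "Memory integrity" toggle.
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name 'Enabled' -Type DWord -Value 1
Set-ItemProperty -Path $hvci -Name 'Locked'  -Type DWord -Value ([int]$UefiLock.IsPresent)

Write-Host 'VBS and HVCI configured in the registry; restart the device to apply.'
```

Leave `-UefiLock` off in a lab: a UEFI-locked setting cannot be reverted remotely if an incompatible driver turns out to crash the machine, which is the situation the quest is asking you to report on.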


Note: Alternatively, you can download the Device Guard readiness tool to check whether your hardware is ready for Device Guard and to enable the feature, from here: https://www.microsoft.com/en-us/download/details.aspx?id=53337


How to Check HVCI - Verification:


In order to check the state of your device, open System Information:

  1. Search for System Information
  2. You should see the following settings and feature statuses:
  • Secure Boot State: ON
  • Virtualization-based security: RUNNING
  • Virtualization-based security Required Security Properties: BASE VIRTUALIZATION SUPPORT, SECURE BOOT
  • Virtualization-based security Available Security Properties: BASE VIRTUALIZATION SUPPORT, SECURE BOOT, DMA PROTECTION
  • Virtualization-based security Services Configured: HYPERVISOR ENFORCED CODE INTEGRITY
  • Virtualization-based security Services Running: HYPERVISOR ENFORCED CODE INTEGRITY
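System Information reads those fields from the Win32_DeviceGuard WMI class, which is also how you would verify the state across many devices without opening msinfo32 on each. The script below is an added example (not from the original post) that queries that class and prints the same labels the list above shows, then reports plainly whether HVCI is actually running. The numeric-to-label mappings are the ones Microsoft documents for this class; the `Decode` helper is this example's own.

```powershell
# Added example: reproduce the msinfo32 "Virtualization-based security" lines from WMI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Documented codes behind the labels System Information displays.
$propertyNames = @{
    1 = 'BASE VIRTUALIZATION SUPPORT'
    2 = 'SECURE BOOT'
    3 = 'DMA PROTECTION'
    4 = 'SECURE MEMORY OVERWRITE'
    5 = 'UEFI CODE READONLY'
    6 = 'SMM SECURITY MITIGATIONS 1.0'
    7 = 'MODE BASED EXECUTION CONTROL'
}
$serviceNames = @{
    1 = 'CREDENTIAL GUARD'
    2 = 'HYPERVISOR ENFORCED CODE INTEGRITY'
    3 = 'SYSTEM GUARD SECURE LAUNCH'
    4 = 'SMM FIRMWARE MEASUREMENT'
}
$vbsStatus = @{ 0 = 'NOT ENABLED'; 1 = 'ENABLED BUT NOT RUNNING'; 2 = 'RUNNING' }

# Turn an array of codes into the comma-separated label list msinfo32 prints.
function Decode([int[]]$codes, [hashtable]$map) {
    if (-not $codes) { return 'NONE' }
    ($codes | ForEach-Object { if ($map.ContainsKey($_)) { $map[$_] } else { "UNKNOWN($_)" } }) -join ', '
}

# Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat that as "unsupported".
$secureBoot = try { if (Confirm-SecureBootUEFI) { 'ON' } else { 'OFF' } } catch { 'UNSUPPORTED' }

[pscustomobject]@{
    'Secure Boot State'                                           = $secureBoot
    'Virtualization-based security'                               = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    'Virtualization-based security Required Security Properties'  = Decode $dg.RequiredSecurityProperties $propertyNames
    'Virtualization-based security Available Security Properties' = Decode $dg.AvailableSecurityProperties $propertyNames
    'Virtualization-based security Services Configured'           = Decode $dg.SecurityServicesConfigured $serviceNames
    'Virtualization-based security Services Running'              = Decode $dg.SecurityServicesRunning $serviceNames
} | Format-List

# The check that matters for this quest: HVCI (code 2) must be in the *running* list,
# not only the configured list. Configured-but-not-running usually means no reboot yet
# or a platform requirement (Secure Boot, virtualization) that is not met.
$hvciRunning = 2 -in $dg.SecurityServicesRunning
$mbecPresent = 7 -in $dg.AvailableSecurityProperties
Write-Host ("HVCI running: {0}; MBEC available: {1}" -f $hvciRunning, $mbecPresent)
```

`MBEC available` is worth recording alongside your feedback: HVCI runs on CPUs without Mode Based Execution Control, but with a noticeably higher performance cost, so two devices that both report RUNNING can behave quite differently.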


Windows Insider Lab for Enterprise has published Quests that you can use to follow the steps to try out and assess HVCI as well as many other new Windows 10 Enterprise and security features. Are you a Windows Insider interested in joining Windows Insider Lab for Enterprise? It's easy: just fill out the survey at https://aka.ms/RegisterOlympia

  • ahmriyas (Copper Contributor)
    Which Windows version is very suitable for WDAC (Hyper-V and VMs)? Windows Server 2022?
  • ArildNedreberg (Copper Contributor)

    Important to know that HVCI requires an Intel Core 7th gen processor or newer and all drivers must be HVCI compliant.
    If you use an older processor, the performance will be very bad because they don't have the MBEC extension.
    And if the driver is not compliant with HVCI, the device might not work when HVCI is enabled or the PC might get bluescreens. Shrikant Joshi
