VBS provides two major improvements in Windows 10 security: a new trust boundary between key Windows system components and a secure execution environment within which they run. A trust boundary between key Windows system components is enabled though the VBS environment’s use of platform virtualization to isolate the VBS environment from the Windows operating system. Running the VBS environment and Windows operating system as guests on top of Hyper-V and the processor’s virtualization extensions inherently prevents the guests from interacting with each other outside the limited and highly structured communication channels between the trustlets within the VBS environment and Windows operating system.VBS acts as a secure execution environment because the architecture inherently prevents processes that run within the Windows environment – even those that have full system privileges – from accessing the kernel, trustlets, or any allocated memory within the VBS environment. In addition, the VBS environment uses TPM 2.0 to protect any data that is persisted to disk. Similarly, a user who has access to the physical disk is unable to access the data in an unencrypted form.VBS requires a system that includes:
The BIOS Mode should state “UEFI”.Secure Boot State should be On.
Note: Support for Virtual TPM is only included in Generation 2 VMs running Windows 10.To enable this on your Windows 10 generation 2 VM. Open up the VM settings and review the configuration under the Hardware, Security section. Enable Secure Boot and Enable Trusted Platform Module should both be selected.
Next we’ll create a virtual Smart Card on the Virtual Machine by using the Tpmvscmgr.exe command-line tool.1. On the Windows 10 Gen 2 Hyper-V VM guest, open an Administrative Command Prompt and run the following command: tpmvsmgr.exe create /name myVSC /pin default /adminkey random /generate You will be prompted for a pin. Enter at least eight characters and confirm the entry. (You will need this pin in later steps)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.