Guidance on Domain Controller Virtualization Based Security and Defender Antivirus Baselines

%3CLINGO-SUB%20id%3D%22lingo-sub-1424199%22%20slang%3D%22en-US%22%3EGuidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1424199%22%20slang%3D%22en-US%22%3E%3CP%3EAm%20I%20correct%20in%20assuming%20the%201909%20-%20Domain%20Controller%20Virtualization%20Based%20Security%20should%20be%20targeting%20%3CONLY%3E%20my%20Domain%20Controllers%20running%20as%20Virtual%20Machines%3F%3C%2FONLY%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%201909%20Defender%20Antivirus%20baseline%20only%20applicable%20for%20those%20companies%20using%20Windows%2FMicrosoft%20Defender%20(and%20not%20a%20third%20party%20AV%2FEndpoint%20solution)%20or%20does%20it%20apply%20and%20play%20nicely%20with%20third%20party%20AV%2FEndpoint%20solutions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1470027%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1470027%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F212279%22%20target%3D%22_blank%22%3E%40Brian%20Steingraber%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20'%3CFONT%3EDomain%20Controller%20Virtualization%20Based%20Security'%3C%2FFONT%3E%20baseline%20should%20be%20applied%20to%20physical%20and%20virtual%20domain%20controllers.%20It%20relates%20to%20virtualising%20security%20features%20within%20the%20OS%20rather%20than%20the%20virtualisation%20of%20the%20OS%20itself%2C%20e.g.%20HVCI.%20The%20reason%20there%20is%20a%20difference%20in%20the%20DC%20baseline%20is%20because%20'credential%20in%20memory'%20protection%20is%20of%20no%20value%20on%20a%20DC%20when%20the%20entire%20Active%20Directory%20database%20is%20sat%20right%20there%20on%20the%20file%20system.%3C%2FP%3E%3CP%3EI%20can't%20comment%20on%203rd%20party%20AV%2FEndpoint%20solutions%20but%20I%20will%20recommend%20using%20Defender%20as%20your%20antimalware%20solution%20as%20part%20of%20your%20defence%20in%20depth.%20Used%20with%20other%20protections%20like%20VBS%2C%20ATP%2C%20ISG%20and%20HVCI%20will%20provide%20you%20with%20the%20strongest%20and%20most%20reliable%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3ESteve%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1483721%22%20slang%3D%22en-US%22%3ERE%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1483721%22%20slang%3D%22en-US%22%3EI%20am%20noticing%20an%20issue%20when%20applying%20the%20Domain%20Controller%20Virtualization%20Based%20Security%20policy%20to%20my%20vDC.%20Once%20applied%2C%20on%20the%20next%20reboot%20they%20fail%20and%20boot.%20Hypervisor%20reports%20a%20Triple%20Fault%20error.%20I%20can%20get%20to%20recovery%20and%20safe%20mode%2Fsafe%20mode%20with%20networking.%20I'm%20probably%20doing%20something%20wrong%2C%20but%20even%20with%20a%20new%20VM%20config%20on%20Server%202019%20Hypervisor%20with%20clean%20Windows%202019%20Server%20OS%20vm%20it's%20repeatable.%20I've%20not%20dug%20into%20it%20beyond%20that%20at%20this%20time.%20Maybe%20there's%20another%20resource%20I'm%20overlooking%20when%20setting%20this%20up%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1483732%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1483732%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128508%22%20target%3D%22_blank%22%3E%40Steve%20Norton%3C%2FA%3E%26nbsp%3BI%20am%20noticing%20an%20issue%20when%20applying%20the%20Domain%20Controller%20Virtualization%20Based%20Security%20policy%20to%20my%20vDC.%20Once%20applied%2C%20on%20the%20next%20reboot%20they%20fail%20to%20boot.%20Hypervisor%20reports%20a%20Triple%20Fault%20error.%20I%20can%20get%20to%20recovery%20and%20safe%20mode%2Fsafe%20mode%20with%20networking.%20I'm%20probably%20doing%20something%20wrong%2C%20but%20even%20with%20a%20new%20VM%20config%20on%20Server%202019%20Hypervisor%20with%20clean%20Windows%202019%20Server%20OS%20vm%20it's%20repeatable.%20I've%20not%20dug%20into%20it%20beyond%20that%20at%20this%20time.%20Maybe%20there's%20another%20resource%20I'm%20overlooking%20when%20setting%20this%20up%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1483892%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1483892%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F707888%22%20target%3D%22_blank%22%3E%40awolf13%3C%2FA%3E%2C%3C%2FP%3E%3CP%3EDoes%20your%20vDC%20boot%20successfully%20with%20'Enable%20Secure%20Boot'%20and%20'Enable%20Trusted%20Platform%20Module'%20enabled%20on%20the%20host%3F%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3ESteve%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1483931%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1483931%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128508%22%20target%3D%22_blank%22%3E%40Steve%20Norton%3C%2FA%3ESecure%20Boot%20is%20enabled%20and%20working.%20I've%20not%20attempted%20to%20enable%20TPM.%20Is%20that%20most%20likely%20the%20culprit%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1484287%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1484287%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128508%22%20target%3D%22_blank%22%3E%40Steve%20Norton%3C%2FA%3EOriginally%2C%20I%20thought%20that%20appeared%20to%20have%20fixed%20the%20issue%2C%20however%2C%20I%20just%20did%20another%20reboot%20test%20and%20it%20failed.%20Disabling%20the%20Virtualization%20Based%20Security%20GPO%20allowed%20my%20vDC%20to%20boot%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMaybe%20this%20isn't%20the%20proper%20forum%20for%20this.%20I'll%20keep%20searching.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1484196%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1484196%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F707888%22%20target%3D%22_blank%22%3E%40awolf13%3C%2FA%3E%3C%2FP%3E%3CP%3ELet%20me%20know%20the%20results%20after%20enabling%20TPM.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1485290%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1485290%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F707888%22%20target%3D%22_blank%22%3E%40awolf13%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20you%20tried%20it%20without%20'Secure%20Launch'%20enabled%20in%20the%20policy%3F%3C%2FP%3E%3CP%3EWhat%20do%20you%20get%20from%20the%20following%20in%20PowerShell%3F%3CBR%20%2F%3E%3CFONT%3EGet-ComputerInfo%20-Property%20%22DeviceGuardAvailableSecurityProperties%22%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1487854%22%20slang%3D%22en-US%22%3ERe%3A%20Guidance%20on%20Domain%20Controller%20Virtualization%20Based%20Security%20and%20Defender%20Antivirus%20Baselines%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1487854%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128508%22%20target%3D%22_blank%22%3E%40Steve%20Norton%3C%2FA%3Eon%20one%20vDC%20it%20reported%20BaseVirtualizationSupport%2C%20SecureBoot%2C%20DMAProtection%2C%205.%20On%20the%20other%20vDC%20it%20reported%20nothing.%20In%20the%20System%20Information%20VBA%20was%20disabled%20on%20one%20and%20enabled%20on%20the%20other.%20I%20did%20some%20more%20testing%20today.%20When%20applying%20the%20Baseline%20Security%20for%20Virtualization%20Based%20Security%20on%20the%20vDCs%20with%20VMA%20enabled%20I%20get%20the%20boot%20loop.%20The%20only%20way%20for%20me%20to%20resolve%20the%20issue%20and%20boot%20normally%20is%20to%20run%20Set-VMSecurity%20-VMName%20%3CVM%3E%20-VirtualizationBasedSecurityOptOut%20%24true%20from%20the%20hypervisor.%20I've%20tried%20with%20a%20vTPM%2C%20Secure%20Boot%2C%20different%20combinations%20of%20Secure%20Launch%2C%20etc.%20All%20same%20results.%3C%2FVM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20thing%20I%20read%20a%20while%20back%20was%20that%20these%20should%20be%20for%20physical%20machines%20and%20not%20VMs%20but%20the%20things%20I've%20read%20recently%20say%20it%20can%20be%20applied%20to%20VMs.%20However%2C%20the%20only%20way%20I%20have%20been%20able%20to%20get%20the%20VBA%20to%20work%20in%20my%20domain%20(either%20on%20vDCs%20or%20other%20member%20servers)%20is%20to%20run%20Set-VMProcessor%20-VMName%20%3CVM%3E%20ExposeVirtualizationExtensions%20%24true%20and%20pass%20through%20my%20physical%20host%20processor%20security%20features.%3C%2FVM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMaybe%20this%20is%20understood%2C%20or%20written%20somewhere%2C%20but%20I%20stumbled%20onto%20these%20solutions%20after%20you%20inquiring%20about%20the%20%22DeviceGuardAvailableSecurityProperties%22.%20Right%20now%2C%20I'm%20not%20wanting%20to%20pass%20through%20my%20host%20Virtualization%20Extensions%2C%20so%20I've%20disabled%20the%20VBS%20Security%20Baselines%20and%20Opted%20Out%20of%20Virtualization%20Based%20Security%20throughout%20my%20domain%20on%20all%20my%20VMs%20for%20the%20time%20being%20until%20I%20can%20do%20more%20testing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEverything%20is%20stable%20now%20and%20I'm%20considering%20my%20issue%20resolved.%20Thanks%20for%20your%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Am I correct in assuming the 1909 - Domain Controller Virtualization Based Security should be targeting <only> my Domain Controllers running as Virtual Machines?

 

Is the 1909 Defender Antivirus baseline only applicable for those companies using Windows/Microsoft Defender (and not a third party AV/Endpoint solution) or does it apply and play nicely with third party AV/Endpoint solutions?

8 Replies
Highlighted

Hi @Brian Steingraber 

The 'Domain Controller Virtualization Based Security' baseline should be applied to physical and virtual domain controllers. It relates to virtualising security features within the OS rather than the virtualisation of the OS itself, e.g. HVCI. The reason there is a difference in the DC baseline is because 'credential in memory' protection is of no value on a DC when the entire Active Directory database is sat right there on the file system.

I can't comment on 3rd party AV/Endpoint solutions but I will recommend using Defender as your antimalware solution as part of your defence in depth. Used with other protections like VBS, ATP, ISG and HVCI will provide you with the strongest and most reliable solution.

 

Regards,

Steve

Highlighted

@Steve Norton I am noticing an issue when applying the Domain Controller Virtualization Based Security policy to my vDC. Once applied, on the next reboot they fail to boot. Hypervisor reports a Triple Fault error. I can get to recovery and safe mode/safe mode with networking. I'm probably doing something wrong, but even with a new VM config on Server 2019 Hypervisor with clean Windows 2019 Server OS vm it's repeatable. I've not dug into it beyond that at this time. Maybe there's another resource I'm overlooking when setting this up? 

Highlighted

Hi @awolf13,

Does your vDC boot successfully with 'Enable Secure Boot' and 'Enable Trusted Platform Module' enabled on the host?

Regards,

Steve

Highlighted

@Steve NortonSecure Boot is enabled and working. I've not attempted to enable TPM. Is that most likely the culprit?

Highlighted

@awolf13

Let me know the results after enabling TPM.

Highlighted

@Steve NortonOriginally, I thought that appeared to have fixed the issue, however, I just did another reboot test and it failed. Disabling the Virtualization Based Security GPO allowed my vDC to boot again.

 

Maybe this isn't the proper forum for this. I'll keep searching.

Highlighted

@awolf13 

Have you tried it without 'Secure Launch' enabled in the policy?

What do you get from the following in PowerShell?
Get-ComputerInfo -Property "DeviceGuardAvailableSecurityProperties"

Highlighted

@Steve Nortonon one vDC it reported BaseVirtualizationSupport, SecureBoot, DMAProtection, 5. On the other vDC it reported nothing. In the System Information VBA was disabled on one and enabled on the other. I did some more testing today. When applying the Baseline Security for Virtualization Based Security on the vDCs with VMA enabled I get the boot loop. The only way for me to resolve the issue and boot normally is to run Set-VMSecurity -VMName <vm> -VirtualizationBasedSecurityOptOut $true from the hypervisor. I've tried with a vTPM, Secure Boot, different combinations of Secure Launch, etc. All same results.

 

One thing I read a while back was that these should be for physical machines and not VMs but the things I've read recently say it can be applied to VMs. However, the only way I have been able to get the VBA to work in my domain (either on vDCs or other member servers) is to run Set-VMProcessor -VMName <vm> ExposeVirtualizationExtensions $true and pass through my physical host processor security features.

 

Maybe this is understood, or written somewhere, but I stumbled onto these solutions after you inquiring about the "DeviceGuardAvailableSecurityProperties". Right now, I'm not wanting to pass through my host Virtualization Extensions, so I've disabled the VBS Security Baselines and Opted Out of Virtualization Based Security throughout my domain on all my VMs for the time being until I can do more testing.

 

Everything is stable now and I'm considering my issue resolved. Thanks for your help!