Virtualization-based security

VBS, whose user-mode part is known as Isolated User Mode (IUM), provides a new trust boundary for system software. VBS is included with the Enterprise (including LTSB), Education, and IoT Enterprise editions of Windows 10. It leverages platform virtualization to enhance platform security by limiting access to high-value security assets, even from supervisor-mode code (CPL 0, ring 0). VBS provides a secure execution environment and protects several Windows 10 services, such as LSA credential isolation and Kernel Mode Code Integrity (KMCI). On the server OS, it additionally provides a virtual TPM (vTPM). VBS uses the hypervisor to protect a mini kernel (the secure kernel) and other important parts and services of the OS by enforcing read, write, and execute permissions across system memory.

By isolating these services, VBS strengthens the OS against kernel-mode and other attacks. Even if malware gains kernel privileges in the normal OS, its effect is limited: the hypervisor keeps the isolated memory unreadable and unwritable from the normal kernel and, where code integrity is enforced, prevents the malware from executing unsigned code.

The new security features Credential Guard, Device Guard, and Application Guard all build on VBS, so VBS must be activated before any of these three features can be used.

Here is a high-level schema of Windows 10 with VBS activated:

Even if malware gains access to the Windows kernel, the critical services isolated inside the VBS-protected environment stay safe. The attack surface of that environment is kept small: it exposes only a minimal set of functionality, has no driver support, and is hardened with features such as Code Integrity and Control Flow Guard (CFG).

To use VBS you need the x64 architecture (for Hyper-V support), and the hardware must have certain features available and activated.

The most up-to-date requirements for VBS can always be found at https://docs.microsoft.com/en-US/windows-hardware/design/minimum/device-guard-and-credential-guard. Note that new hardware requirements have been added with each iteration of Windows 10 to close further attack paths. The following are needed at minimum to enable VBS:

  • 64-bit CPU
  • 64-bit OS
  • UEFI 2.3.1c or higher firmware
  • No Legacy/BIOS mode activated
  • Secure Boot activated
  • Hyper-V hypervisor feature activated
  • Virtualization support:
    • Virtualization extensions (Intel VT-x or AMD-V)
    • Second Level Address Translation (SLAT) (Intel EPT or AMD RVI)
    • Input Output Memory Management Unit (IOMMU) (Intel VT-d or AMD-Vi)
  • TPM 1.2 or (recommended) 2.0

A TPM is needed to protect the VBS encryption keys. TPM 2.0 is recommended to support Device Health Attestation (DHA). You can check your readiness with the Device Guard and Credential Guard hardware readiness tool: https://www.microsoft.com/en-us/download/details.aspx?id=53337.
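As an added example (not part of the original text, and not the Microsoft readiness tool), the following PowerShell script checks a machine against the list above using only inbox cmdlets and WMI classes (Win32_DeviceGuard, Win32_Tpm, Win32_Processor, Win32_ComputerSystem, Confirm-SecureBootUEFI, Get-WindowsOptionalFeature). The numeric codes for AvailableSecurityProperties follow the Win32_DeviceGuard documentation; the function name and the PASS/FAIL presentation are the example's own.

```powershell
# Added example, not the Microsoft readiness tool: check this machine against the VBS
# prerequisites listed above. Run from an elevated PowerShell session on the target machine.
function Get-VbsReadiness {
    # Firmware mode: Windows exposes the boot firmware type as $env:firmware_type ("UEFI" or "Legacy").
    $uefi = ($env:firmware_type -eq 'UEFI')

    # Secure Boot state. On legacy BIOS systems the cmdlet errors out, which we treat as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # A running hypervisor hides VT-x/AMD-V and SLAT from Win32_Processor, so HypervisorPresent
    # being true is itself proof that both extensions exist and are enabled.
    $hvRunning = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
    $cpu       = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $vtx       = $hvRunning -or [bool]$cpu.VirtualizationFirmwareEnabled
    $slat      = $hvRunning -or [bool]$cpu.SecondLevelAddressTranslationExtensions

    # TPM specification version ("2.0, 0, 1.38" or "1.2, 2, 3"); no instance means no TPM.
    $tpm        = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Win32_DeviceGuard lists the VBS-relevant platform properties the firmware and CPU provide.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $propertyNames = @{
        1 = 'Base virtualization support'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU: Intel VT-d / AMD-Vi)'
        4 = 'Secure Memory Overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations 1.0'
        7 = 'Mode Based Execution Control'
    }
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { $propertyNames[[int]$_] })

    $hvFeature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor

    # One row per bullet in the requirements list; booleans are reported as PASS/FAIL.
    $checks = [ordered]@{
        '64-bit CPU'                             = ($cpu.DataWidth -eq 64)
        '64-bit OS'                              = [Environment]::Is64BitOperatingSystem
        'UEFI firmware, no legacy/BIOS mode'     = $uefi
        'Secure Boot activated'                  = $secureBoot
        'Hyper-V Hypervisor feature installed'   = ($hvFeature.State -eq 'Enabled')
        'Virtualization extensions (VT-x/AMD-V)' = $vtx
        'SLAT (Intel EPT / AMD RVI)'             = $slat
        'IOMMU / DMA protection'                 = ($dg.AvailableSecurityProperties -contains 3)
        'TPM version (2.0 recommended)'          = $tpmVersion
    }
    foreach ($entry in $checks.GetEnumerator()) {
        $state = if ($entry.Value -is [bool]) { if ($entry.Value) { 'PASS' } else { 'FAIL' } } else { $entry.Value }
        '{0,-42} {1}' -f $entry.Key, $state
    }
    'Platform security properties reported by Win32_DeviceGuard: ' + ($available -join ', ')
}

Get-VbsReadiness
```

Two caveats when reading the output: the Win32_Processor virtualization flags read False once the hypervisor is already running, which is why the script accepts HypervisorPresent as proof; and a missing IOMMU entry (code 3) does not stop VBS from starting, but it leaves the isolated memory exposed to DMA attacks from malicious devices, so treat it as a real gap rather than a cosmetic one.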

As you can see, Secure Boot activation is mandatory, and Secure Boot itself requires UEFI mode. All hardware carrying the Windows 8 or later Windows hardware logo must support UEFI 2.3.1 and Secure Boot, so look for this logo or ask your hardware vendor about compatibility. All systems meeting these requirements should be installed in UEFI mode, or converted from legacy to UEFI mode with the MBR2GPT tool (which converts the system disk from MBR to GPT so the firmware can then be switched from legacy to UEFI), to substantially increase security. Once all requirements are met, you can activate the VBS feature.

In Windows 10 version 1511, VBS had to be activated by installing both the Hyper-V Hypervisor and the Isolated User Mode features on demand. Since Windows 10 version 1607, the Isolated User Mode feature is no longer a separate component, and VBS is activated automatically as soon as the Hyper-V Hypervisor feature is installed and the hardware prerequisites are fulfilled. As long as you install only the Hyper-V Hypervisor and not Hyper-V Services, users cannot do harm to your environment by creating extra VMs or virtual switches.

The feature can be installed through the GUI (Turn Windows features on or off), PowerShell, DISM, or an Unattend.xml file when deploying the image. A restart is needed after adding the feature.
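The PowerShell path described above, as an added example that is not from the original text: install only the Hyper-V Hypervisor component (plus the separate Isolated User Mode feature when the machine is still on version 1511), note the DISM equivalent, and after the reboot read Win32_DeviceGuard to confirm that VBS is actually running. The feature names are the real DISM component names; the function names and the build-number check are the example's own.

```powershell
# Added example: enable the hypervisor component VBS needs, then verify VBS after the reboot.
# Requires an elevated PowerShell session.

function Enable-VbsHypervisor {
    # Microsoft-Hyper-V-Hypervisor alone (not Microsoft-Hyper-V-Services) provides the hypervisor
    # without giving users the ability to create VMs or virtual switches.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -NoRestart

    # Windows 10 version 1511 (build 10586) only: Isolated User Mode was still a separate feature.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -eq 10586) {
        $result = Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode -NoRestart
    }

    # DISM equivalent for deployment scripts that already use dism.exe:
    #   dism.exe /Online /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart

    if ($result.RestartNeeded) { Write-Warning 'Restart required before VBS becomes active.' }
    [bool]$result.RestartNeeded
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    $stateNames   = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity' }

    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] })

    [PSCustomObject]@{
        VbsState           = $stateNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = if ($configured) { $configured -join ', ' } else { '(none)' }
        ServicesRunning    = if ($running)    { $running    -join ', ' } else { '(none)' }
    }
}

# Usage: enable, reboot, then check. After the reboot VbsState should read 'Running'.
if (Enable-VbsHypervisor) { Restart-Computer -Confirm }
Get-VbsStatus
```

If VbsState stays at 'Enabled but not running' after the reboot, a hardware prerequisite from the list above is usually missing (most often Secure Boot or SLAT), and ServicesRunning will be empty until Credential Guard or Device Guard are configured in their own sections.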

VBS contains several security mechanisms to protect itself against known classes of attack. These mechanisms, such as the absence of device driver support inside VBS and enforced Code Integrity, are described in more detail in the Credential Guard and Device Guard sections.