You can create a virtual machine in vSphere that uses Virtualization-based security (VBS). A virtual machine with VBS enabled is better protected against vulnerabilities in, and malicious exploits of, the guest operating system.

Prerequisites

Note: When you enable a virtual machine to use VBS, you can only deploy automated desktop pools that contain full virtual machines or instant clones. VBS is not supported for vGPU enabled virtual machines. URL redirection and scanner redirection might not work properly with VBS enabled.

Procedure

  1. Log in to vSphere Client.
  2. Right-click any inventory object that is a valid main object of a virtual machine, such as a data center, folder, cluster, resource pool, or host, and select New Virtual Machine.
  3. Select Create a new virtual machine and click Next.
  4. Follow the prompts to specify the virtual machine custom options.
  5. On the Select a guest OS page, select Windows as the guest OS and select Microsoft Windows 10 (64-bit) as the guest OS version. Then, select Enable Windows Virtualization Based Security.
  6. To deploy automated desktop pools that contain full virtual machines or instant clones, on the Customize hardware page, verify that you do not add a virtual Trusted Platform Module (vTPM) device. Connection Server adds a vTPM device to each virtual machine during the desktop pool creation process.
  7. Follow the prompts to complete the virtual machine setup and click Finish to create the virtual machine.

What to do next

  • Install the Windows 10 (64-bit) or Windows Server 2016 (64-bit) operating system on the virtual machine.
  • On Windows 10 1803 builds, enable the VBS group policy. For more information, consult the article "Enable virtualization-based protection of code integrity" in the Microsoft documentation. Then reboot the virtual machine.
  • Windows 10 versions earlier than 1803 and Windows Server 2016 require Hyper-V features to be enabled for VBS. To enable Hyper-V features, navigate to Windows Features and enable Hyper-V > Hyper-V-Platform > Hyper-V-Hypervisor. Then enable the VBS group policy. Hyper-V adds a virtual switch to the virtual machine, so the virtual machine can acquire an additional IP address from a different IP range. When Horizon Agent is installed on a virtual machine that has more than one NIC, you must configure the subnet that Horizon Agent uses. The subnet determines which network address Horizon Agent provides to the Connection Server instance for client protocol connections. See Configure a Virtual Machine with Multiple NICs for Horizon Agent.
  • On Windows Server 2016, enable the VBS group policy, install the Hyper-V role and reboot the virtual machine.
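To confirm that the guest-side steps above took effect, the following PowerShell check is an added example (not code from the VMware documentation) that reads the Win32_DeviceGuard class and the DeviceGuard policy registry values Microsoft documents, and counts active adapters because the Hyper-V virtual switch can add a second NIC that Horizon Agent must be configured for. The function name Test-VbsGuestState is an assumption of this example; run it in an elevated session inside the guest after the reboot.

```powershell
# Added example, not part of the VMware documentation. Run inside the Windows
# guest (elevated) after enabling the VBS group policy and rebooting.
function Test-VbsGuestState {
    # Microsoft-documented WMI class that reports the live VBS/HVCI state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running (typically a missing hypervisor or pending reboot), 2 = running.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    # SecurityServicesRunning/Configured: 1 = Credential Guard, 2 = HVCI.
    $hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)

    # Registry values written by the "Enable virtualization-based protection
    # of code integrity" policy, so a missing GPO shows up next to the live state.
    $base       = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $policy     = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $hvciPolicy = Get-ItemProperty -Path "$base\Scenarios\HypervisorEnforcedCodeIntegrity" `
                                   -ErrorAction SilentlyContinue

    # On pre-1803 guests the Hyper-V virtual switch adds an adapter; more than
    # one active NIC means the Horizon Agent subnet must be configured.
    $nics = @(Get-NetAdapter | Where-Object Status -eq 'Up')

    [pscustomobject]@{
        VbsState             = $vbsState
        HvciConfigured       = $hvciConfigured
        HvciRunning          = $hvciRunning
        VbsPolicyEnabled     = ($policy.EnableVirtualizationBasedSecurity -eq 1)
        HvciPolicyEnabled    = ($hvciPolicy.Enabled -eq 1)
        ActiveNicCount       = $nics.Count
        MultipleNicsDetected = ($nics.Count -gt 1)
    }
}

Test-VbsGuestState | Format-List
```

A result of VbsState = EnabledNotRunning with the policy values set usually means the hypervisor is not active in the guest, which on the older builds points back to the Hyper-V feature step.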