To protect VMs using a Guest Introspection security solution, you must install Guest Introspection thin agent, also called Guest Introspection drivers, on the VM. Guest Introspection drivers are included with VMware Tools for Windows, but are not part of the default installation. To install Guest Introspection on a Windows VM, you must perform a custom install and select the drivers or run complete install.

Windows virtual machines with the Guest Introspection drivers installed are automatically protected whenever they are started up on an ESXi host that has the security solution installed and VM protection policies configured. Protected virtual machines retain the security protection through shutdowns and restarts, and even after a vMotion move to another ESXi host with the security solution installed.

Prerequisites

Ensure that the guest virtual machine has a supported version of Windows installed. The following Windows operating systems are supported for NSX Guest Introspection:

  • Windows XP SP3 and above (32 bit)
  • Windows Vista (32 bit)
  • Windows 7 (32/64 bit)
  • Windows 8 (32/64 bit)
  • Windows 8.1 (32/64) (vSphere 6.0 and later)
  • Windows 10
  • Windows 2003 SP2 and above (32/64 bit)
  • Windows 2003 R2 (32/64 bit)
  • Windows 2008 (32/64 bit)
  • Windows 2008 R2 (64 bit)
  • Win2012 (64)
  • Win2012 R2 (64) (vSphere 6.0 and later)
  • Windows Server 2016
  • Windows Server 2019

Procedure

  1. Start the VMware Tools installation, following the instructions for your version of vSphere. Select Custom install.
  2. Expand the VMCI Driver section.

    The options available vary depending on the version of VMware Tools.

  3. Select the driver to be installed on the VM.

    Driver

    Description

    vShield Endpoint Drivers

    Installs Network Introspection (vnetflt) driver.

    Guest Introspection Drivers

    Installs Network Introspection (vnetflt) driver.

    NSX Network Introspection Driver

    Select NSX Network Introspection Driver to install vnetflt (vnetWFP on Windows 10 or later).

    Note: Select NSX Network Introspection Driver only if you are using the Identity Firewall or Endpoint Monitoring features.
  4. In the drop-down menu next to the drivers you want to add, select This feature is installed on the local hard drive.
  5. Follow the remaining steps in the procedure.

What to do next

Verify whether the thin agent is running using the sc query vnetwfp command with the administrative privileges. The Filter Name column in the output lists the thin agent with an entry vnetwfp.