Follow best practices for virtualization-based security (VBS) to maximize security and manageability of your Windows guest operating system environment.

Avoid problems by following these best practices.

VBS Hardware

Use the following Intel hardware for VBS:

  • Haswell CPU or later. For best performance, use the Skylake-EP CPU or later.
  • The Ivy Bridge CPU is acceptable.
  • The Sandy Bridge CPU might cause some slow performance.

Not all VBS functionality is available on AMD CPUs. For more information, see the VMware KB article at

Windows Guest OS Compatibility

VBS is supported for Windows 10 and Windows Server 2016 and later virtual machines, although Windows Server 2016 versions 1607 and 1703 require patches. Check the Microsoft documentation for ESXi host hardware compatibility.

VBS in Windows guest OSs RS1, RS2, and RS3 requires HyperV to be enabled in the guest OS. See VMware vSphere Release Notes for more information.

Unsupported VMware Features on VBS

The following features are not supported in a virtual machine when VBS is enabled:

  • Fault tolerance
  • PCI passthrough
  • Hot add of CPU or memory

Installation and Upgrade Caveats with VBS

Before you configure VBS, understand the following installation and upgrade caveats:

  • New virtual machines configured for Windows 10 and Windows Server 2016 and later on hardware versions less than version 14 are created using Legacy BIOS by default. You must reinstall the guest operating system after changing the virtual machine's firmware type from Legacy BIOS to UEFI.
  • If you plan to migrate your virtual machines from previous vSphere releases to vSphere 6.7 or later, and enable VBS on your virtual machines, use UEFI to avoid having to reinstall the operating system.