Follow best practices for virtualization-based security (VBS) to maximize security and manageability of your Windows guest operating system environment.

Avoid problems by following these best practices.

VBS Hardware

Use the following hardware for VBS:

  • Intel
    • Haswell CPU or later. For best performance, use the Skylake-EP CPU or later.
    • The Ivy Bridge CPU is acceptable.
    • The Sandy Bridge CPU might cause some slow performance.
  • AMD
    • Zen 2 series CPUs (Rome) or later.
    • Older CPUs might cause some slow performance.

The mitigations for the Machine Check Exception on Page Size Change Intel CPU vulnerability can impact guest OS performance negatively when VBS is in use. For more information, see the VMware KB article at https://kb.vmware.com/kb/76050.

Windows Guest OS Compatibility

On Intel, VBS is supported for Windows 10 and Windows Server 2016 and later virtual machines, although Windows Server 2016 versions 1607 and 1703 require patches. Check the Microsoft documentation for ESXi host hardware compatibility. Using Intel CPUs for VBS requires vSphere 6.7 or later and hardware version 14.

On AMD, VBS is supported on Windows 10, version 1809, and Windows 2019 and later virtual machines. Using AMD CPUs for VBS requires vSphere 7.0 Update 2 or later and hardware version 19.

Initially, Windows 10 required that you enable Hyper-V for VBS. Enabling Hyper-V is not required for Windows 10. The same applies to Windows Server 2016 and later. Consult the current Microsoft documentation and the VMware vSphere Release Notes for more information.

Unsupported VMware Features on VBS

The following features are not supported in a virtual machine when VBS is enabled:

  • Fault tolerance
  • PCI passthrough
  • Hot add of CPU or memory

Installation and Upgrade Caveats with VBS

Before you configure VBS, understand the following installation and upgrade caveats:

  • New virtual machines configured for Windows 10 and Windows Server 2016 and later on virtual hardware versions less than version 14 are created using Legacy BIOS by default. You must reinstall the guest operating system after changing the virtual machine's firmware type from Legacy BIOS to UEFI.
  • If you plan to migrate your virtual machines from previous vSphere releases to vSphere 6.7 or greater, and enable VBS on your virtual machines, use UEFI to avoid having to reinstall the operating system.