The guest operating system that runs in the virtual machine is vulnerable to the same security risks as any physical system.

To boost security in your virtual environment, you can add a virtual Trusted Platform Module (vTPM) to your ESXi hosts. You can also enable virtualization-based security (VBS) for the virtual machines that run the latest Windows 10 and Windows Server 2016 operating systems. You can provide additional security to your workloads by using Virtual Intel® Software Guard Extensions (vSGX) for virtual machines.

Activate vSGX on a Virtual Machine in the VMware Host Client

To protect the enclave contents from disclosure and modifications, you can activate vSGX on a virtual machine in the VMware Host Client.

Secure Virtual Machines with vSGX
vSphere enables you to configure vSGX for virtual machines. Some modern Intel CPUs implement a security extension called Intel® Software Guard Extensions (Intel® SGX). Intel SGX allows user-level code to define private regions of memory, called enclaves. Intel SGX protects the enclave contents from disclosure or modification in such a way that code running outside the enclave cannot access them.
vSGX enables virtual machines to use Intel SGX technology if available on the hardware. To use vSGX, the ESXi host must be installed on an SGX-capable CPU and SGX must be enabled in the BIOS of the ESXi host. You can use the vSphere Client to enable SGX for a virtual machine. For more information, see the vSphere Security documentation.

Some operations and features are not compatible with SGX.

  • Migration with Storage vMotion
  • Suspending or resuming the virtual machine
  • Taking a snapshot of the virtual machine
  • Fault Tolerance
  • Enabling Guest Integrity (GI, platform foundation for VMware AppDefense 1.0)

Prerequisites

  • Power off the virtual machine.

  • Verify that the virtual machine uses EFI firmware.
  • Verify that the ESXi host is version 7.0 or later.
  • Verify that the guest operating system in the virtual machine is Linux, Windows 10 (64-bit) or later, or Windows Server 2016 (64-bit) or later.
  • Verify that you have the Virtual machine.Configuration.Modify device settings privilege on the virtual machine.
  • Verify that the ESXi host is installed on an SGX-capable CPU, and SGX is enabled in the BIOS of the ESXi host. For information about the supported CPUs, see https://kb.vmware.com/s/article/71367.

Procedure

  1. In the VMware Host Client inventory, click Virtual Machines.
  2. Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
  3. On the Virtual Hardware tab, expand Security devices.
  4. Select the Enable check box.
  5. Under Enclave page cache size, enter a new value in the text box and select the size in MB or GB from the drop-down menu.
    Note: The enclave page cache size must be a multiple of 2.
  6. From the Launch control configuration drop-down menu, select the appropriate mode.
    Option: Action
    • Locked: Activates the launch enclave configuration. Under Launch enclave public key hash, enter a valid SHA256 hash. The SHA256 hash key must contain 64 characters.
    • Unlocked: Activates the launch enclave configuration of the guest operating system.
  7. Click Save.
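
The prerequisites and input rules above can be checked before the settings are entered in the Host Client. The following is an added example, not VMware code: the dictionary field names are hypothetical and do not correspond to any VMware API or .vmx key, the enclave page cache size is assumed to be expressed in MB, and the hash is assumed to be written in hexadecimal.

```python
import re

# Assumption: every field name below is hypothetical; the fields mirror the
# page's prerequisites and procedure, not any VMware API or .vmx key.
INCOMPATIBLE = {"storage_vmotion", "suspend_resume", "snapshot",
                "fault_tolerance", "guest_integrity"}
SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")  # SHA-256 in hex is 64 characters


def check_vsgx_plan(vm, plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    if vm["power_state"] != "poweredOff":
        findings.append("VM must be powered off")
    if vm["firmware"].lower() != "efi":
        findings.append("VM must use EFI firmware")
    if tuple(vm["esxi_version"]) < (7, 0):
        findings.append("ESXi host must be version 7.0 or later")
    if not vm["host_sgx_enabled_in_bios"]:
        findings.append("SGX must be enabled in the host BIOS")
    epc = plan["epc_size_mb"]  # assumption: size normalized to MB
    if not isinstance(epc, int) or epc <= 0 or epc % 2:
        findings.append("enclave page cache size must be a multiple of 2")
    mode = plan["launch_control"]
    if mode == "locked":
        # Locked mode is the only mode that takes a public key hash.
        if not SHA256_HEX.fullmatch(plan.get("le_pubkey_hash") or ""):
            findings.append("Locked mode needs a 64-character SHA256 hash")
    elif mode != "unlocked":
        findings.append("launch control must be 'locked' or 'unlocked'")
    # Features the page lists as not compatible with SGX.
    for feature in sorted(INCOMPATIBLE & set(vm["features_in_use"])):
        findings.append(f"incompatible with SGX: {feature}")
    return findings


# Constructed sample inputs (not taken from a real host).
SAMPLE_VM = {"power_state": "poweredOn", "firmware": "bios",
             "esxi_version": (7, 0), "host_sgx_enabled_in_bios": True,
             "features_in_use": ["snapshot"]}
SAMPLE_PLAN = {"epc_size_mb": 63, "launch_control": "locked",
               "le_pubkey_hash": "ab" * 31}  # 62 characters: too short

if __name__ == "__main__":
    for finding in check_vsgx_plan(SAMPLE_VM, SAMPLE_PLAN):
        print("FAIL:", finding)
```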

Deactivate vSGX on a Virtual Machine in the VMware Host Client

To deactivate vSGX on a virtual machine, you can use the VMware Host Client.

Procedure

  1. In the VMware Host Client inventory, click Virtual Machines.
  2. Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
  3. On the Virtual Hardware tab, expand Security devices.
  4. Deselect the Enable check box and click Save.

Results

vSGX is deactivated on the virtual machine.

Remove a vTPM device from a VM in the VMware Host Client

The Trusted Platform Module (TPM) is a specialized chip that stores host-specific sensitive information, for example private keys and OS secrets. The TPM chip is also used to perform cryptographic tasks and attest the integrity of the platform. In the VMware Host Client, you can only remove the vTPM device from a virtual machine.

The virtual TPM device is a software emulation of the TPM functionality. You can add a virtual TPM (vTPM) device to the virtual machines in your environment. The vTPM implementation does not require a physical TPM chip on the host. ESXi uses the vTPM device to provide the TPM functionality in your vSphere environment.

vTPM is available to virtual machines that have Windows 10 and Windows Server 2016 operating systems. The virtual machine must be of hardware version 14 or later.

You can add a virtual TPM device to a virtual machine only in the vCenter Server instance. For more information, see the vSphere Security documentation.

In the VMware Host Client, you can only remove the virtual TPM device from a virtual machine.

Prerequisites

  • The virtual machine must be of hardware version 14 or later.
  • The guest OS must be Windows 10 or Windows Server 2016 and later.
  • The virtual machine must be powered off.

Procedure

  1. Click Virtual Machines in the VMware Host Client inventory.
  2. Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
  3. On the Virtual Hardware tab, find the TPM device and click the Remove icon.
    The virtual TPM device is removed from the virtual machine.
  4. Click Save to close the wizard.

Activate or Deactivate Virtualization-based Security on an Existing VM in the VMware Host Client

Virtualization-based security (VBS) uses the Microsoft Hyper-V based virtualization technology to isolate core Windows OS services in a separate virtualized environment. Such isolation provides an additional level of protection, because it makes it impossible for the key services in your environment to be manipulated.

You can change the level of security of a virtual machine by enabling or disabling Microsoft virtualization-based security (VBS) on existing virtual machines for supported Windows guest operating systems.

Activating VBS on a virtual machine automatically activates the virtual hardware that Windows requires for the VBS feature. By enabling VBS, a variant of Hyper-V starts in the virtual machine and Windows starts running inside the Hyper-V root partition.

VBS is available on the latest Windows OS versions, for example Windows 10 and Windows Server 2016. To use VBS on a virtual machine, the virtual machine compatibility must be ESXi 6.7 and later.

In the VMware Host Client, you can activate VBS during a virtual machine creation. Alternatively, you can activate or deactivate VBS for an existing virtual machine.

Prerequisites

Configuring VBS is a process that involves first activating VBS in the virtual machine, then activating VBS in the guest operating system.
Note: New virtual machines configured for Windows 10, Windows Server 2016, and Windows Server 2019 on hardware versions earlier than version 14 are created using Legacy BIOS by default. If you change the firmware type of a virtual machine from Legacy BIOS to UEFI, you must reinstall the guest operating system.

You can activate VBS on a virtual machine only if the TPM validation of the host is successful.

Using Intel CPUs for VBS requires vSphere 6.7 or later. The virtual machine must have been created using hardware version 14 or later and one of the following supported guest operating systems:

  • Windows 10 (64 bit) or later releases
  • Windows Server 2016 (64 bit) or later releases

Using AMD CPUs for VBS requires vSphere 7.0 Update 2 or later. The virtual machine must have been created using hardware version 19 or later and one of the following supported guest operating systems:

  • Windows 10 (64 bit), version 1809 or later releases
  • Windows Server 2019 (64 bit) or later releases

Ensure that you install the latest patches for Windows 10, version 1809, and Windows Server 2019, before enabling VBS.

For more information about activating VBS on virtual machines on AMD platforms, see the VMware KB article at https://kb.vmware.com/s/article/89880.

Procedure

  1. Click Virtual Machines in the VMware Host Client inventory.
  2. Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
  3. On the VM Options tab, activate or deactivate VBS for the virtual machine.
    • To activate VBS for the virtual machine, select the Enable Virtualization Based Security check box.
    • To deactivate VBS for the virtual machine, deselect the Enable Virtualization Based Security check box.
    When you activate VBS, several options are automatically selected and become dimmed in the wizard.
  4. Click Save to close the wizard.