  • Microsoft outs details, system requirements of Windows 11's new VBS Enclave security feature


    Karlston

    • 426 views
    • 2 minutes

    When Microsoft released Windows 11, Virtualization-based Security (VBS) was a major talking point. The feature itself was not new, but Windows 11 enabled it by default to provide an additional layer of protection. When Windows 11 became generally available, Microsoft explained in some detail why VBS, alongside TPM 2.0 (another key security feature and a hardware requirement for the OS), was so important.

     

    Today, in a Tech Community blog post, the company published details of a new VBS-based feature called VBS Enclaves: a software-based Trusted Execution Environment (TEE) that lets third-party apps protect secrets and sensitive code using the isolated user mode of Virtual Trust Level 1 (VTL1).

     

    A VBS enclave is packaged as a DLL that a host application loads into its own address space, so any Windows program can host one. Microsoft explains:

     

    .. a VBS enclave is a software-based TEE inside the address space of a host application. It is a Dynamic Link Library (DLL) loaded by a standard Windows application. VBS enclaves can help secure secrets and sensitive operations in memory. The basic premise is that a VBS enclave can isolate a portion of your application that you want to secure while it is in memory

     

    ... VBS uses the Windows Hyper-V hypervisor to create an isolated, privileged virtual environment known as Virtual Trust Level 1 (or VTL1) that becomes the root of trust of the OS. The traditional Windows environment is called VTL0. VTL1 is further split into isolated user mode and the secure kernel.

     

    ..

     

    The isolation provided by VBS is the core technology that allows a VBS enclave to isolate a portion of an application in higher-privilege VTL1, inaccessible to VTL0.

    [Figure: "VBS Enclaves". The graphic in Microsoft's post shows how an enclave works: an isolated secure environment created inside VTL1 that VTL0 cannot access.]

    Microsoft also published system requirements for VBS Enclaves:

     

    Device requirements

     

    The following are required to run VBS Enclaves:

     

    • VBS and HVCI (shown as "Memory integrity" in Windows Security) must be enabled. Both are enabled by default on Windows 11.
    • Windows 11 or later, or Windows Server 2019 or later.
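
    The following PowerShell check is an added example (it is not from Microsoft's post or docs) that tests the two requirements above on the local machine. It reads the same Device Guard WMI class that msinfo32 reports, gates on the OS build (Windows 11 is build 22000 and later, Windows Server 2019 is build 17763 and later), and asks the kernel directly through the Win32 API IsEnclaveTypeSupported with ENCLAVE_TYPE_VBS (0x10 in winnt.h). The function name Test-VbsEnclaveSupport is our own; run it in an elevated PowerShell on Windows.

```powershell
# Added example, not from Microsoft's post: report whether this device can
# run VBS enclaves. Run in an elevated PowerShell on Windows 11 / Server 2019+.
function Test-VbsEnclaveSupport {
    # 1. VBS / HVCI state, from the Device Guard WMI class that msinfo32 also reads.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning lists running VBS services; 2 = HVCI ("Memory integrity").
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 2. OS gate from the post's list: Windows 11 (build 22000+) or Windows Server 2019 (build 17763+).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $isClient = ($os.ProductType -eq 1)   # 1 = workstation, 2 = domain controller, 3 = server
    $osOk = if ($isClient) { $build -ge 22000 } else { $build -ge 17763 }

    # 3. Ask the kernel directly. IsEnclaveTypeSupported (kernel32.dll) returns TRUE when
    #    enclaves of the given type can be created here; ENCLAVE_TYPE_VBS is 0x10 in winnt.h.
    if (-not ('Win32.Enclave' -as [type])) {
        Add-Type -Namespace Win32 -Name Enclave -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsEnclaveTypeSupported(uint flEnclaveType);
'@
    }
    $enclaveSupported = [Win32.Enclave]::IsEnclaveTypeSupported([uint32]0x10)

    [PSCustomObject]@{
        OSBuild             = $build
        OSVersionOk         = $osOk
        VBSRunning          = $vbsRunning
        HVCIRunning         = $hvciRunning
        VbsEnclaveSupported = $enclaveSupported
        MeetsRequirements   = ($osOk -and $vbsRunning -and $hvciRunning -and $enclaveSupported)
    }
}

Test-VbsEnclaveSupport | Format-List
```

    If VBSRunning is false on a Windows 11 machine, the usual causes are virtualization disabled in firmware or a third-party hypervisor replacing Hyper-V; if HVCIRunning is false, Memory integrity has been switched off (often because of an incompatible driver). VbsEnclaveSupported is the authoritative answer, since it is the same call a host application would make before CreateEnclave.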

    Developers can find details about creating a VBS enclave in Microsoft's support documentation.

     

    Source

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every single day for many years.

    2023: Over 5,800 news posts | 2024 (till end of June): 2,839 news posts

