Hardening Your Infrastructure: A Guide to VMware VBS and MS GPO Credential Guard in VBR v13

Veeam Data Platform v13 adopts a “security-first” architecture, actively protecting backup infrastructure against modern threats, and continues to support advanced security features for Windows-based components, including VMware Virtualisation-Based Security (VBS) and Microsoft Group Policy Object (GPO) Credential Guard. In this guide, we shall discuss “Hardening Your Infrastructure: A Guide to VMware VBS and MS GPO Credential Guard in VBR v13”. Please, see “Enable or Disable UEFI Secure Boot for a Virtual Machine”, and “Protect Remote Desktop credentials with Windows Defender Remote Credential Guard or Restricted Admin Mode”.
VMware and Windows Prerequisites
Before deploying Veeam v13, your environment must meet certain VMware and Windows requirements to ensure full compatibility and security. These prerequisites ensure that the virtual infrastructure supports modern features like secure boot and hardware-based security modules. Below are the prerequisites:
- VMware vSphere ESXi 6.7 or later
- EFI firmware
- Virtual hardware version 13 or later
- vTPM module (optional)
- An operating system that supports UEFI Secure Boot: Windows Server 2016 or later
You can add a virtual Trusted Platform Module to the VM as a new device. Adding the vTPM module is optional but recommended; for complete security, it is best to add a virtual TPM chip:
1) Go to Edit Settings > Add New Device.
2) Select Trusted Platform Module.
Note: This requires your VMware cluster to have a ‘Key Provider’ configured (Native Key Provider is the easiest to activate).
Windows Secure Boot is supported on Windows 11, Windows 10, Windows 8.1/8, and Windows Server 2016 and later, and generally requires UEFI firmware, a GPT partition style, and a TPM 2.0 chip.
Security & Compliance > Credential Guard

Please, see Enable or disable Windows Defender Credential Guard, how to “Fix VMware Workstation and Credential Guard are not compatible”, and Enable Secure Boot: Fix Secure Boot certificates expiration.
Preparing the VM (VMware side)
Before switching the firmware from BIOS to EFI (UEFI), you must convert the MBR system disk to GPT.
Before activating the settings in Windows, you must modify the virtual machine configuration.
1. Shut down the VM (this cannot be done while it is running).
2. Right-click on the VM > Edit Settings.
3. Go to the VM Options tab.
4. Expand the General Options section and ensure that the Guest OS is set to Windows Server 2016 or higher (or Windows 10/11).
5. Expand the Boot Options section and verify that the Firmware is set to UEFI and that the Secure Boot box is checked.
6. Expand VBS (Virtualisation Based Security) and check the Enable box.

Note: This will automatically enable the IOMMU extension and hardware virtualisation exposed to the guest.
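The VMware-side steps above in PowerCLI form, as an added example that is not part of the original post. It assumes PowerCLI is installed, a session has been opened with Connect-VIServer, and the VM name is passed in as a placeholder parameter; as the section explains, only switch the firmware to UEFI once the guest system disk is GPT.

```powershell
# Added example (not from the original post): apply the VMware-side settings above with
# PowerCLI instead of the vSphere Client. Assumes Connect-VIServer has already been run.
param(
    [Parameter(Mandatory = $true)][string]$VMName   # placeholder, e.g. the VBR server VM
)

$vm = Get-VM -Name $VMName -ErrorAction Stop

# Firmware, Secure Boot and VBS changes are only accepted on a powered-off VM (step 1).
if ($vm.PowerState -ne 'PoweredOff') {
    throw "VM '$VMName' must be powered off before changing firmware/VBS settings."
}

# Step 4: VBS is only offered for a Windows Server 2016+/Windows 10+ guest OS type.
Write-Host "Current guest OS id : $($vm.ExtensionData.Config.GuestId)"
Write-Host "Current firmware    : $($vm.ExtensionData.Config.Firmware)"

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = 'efi'                                  # step 5: Boot Options > Firmware = UEFI

$spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$spec.BootOptions.EfiSecureBootEnabled = $true           # step 5: Secure Boot checked

$spec.Flags = New-Object VMware.Vim.VirtualMachineFlagInfo
$spec.Flags.VbsEnabled  = $true                          # step 6: VBS > Enable
$spec.Flags.VvtdEnabled = $true                          # IOMMU, which the UI enables automatically
$spec.NestedHVEnabled   = $true                          # hardware virtualisation exposed to the guest

# Synchronous reconfigure; throws if ESXi rejects the spec (e.g. old hardware version).
$vm.ExtensionData.ReconfigVM($spec)

# Re-read the config so the summary reflects what was actually stored.
$vm.ExtensionData.UpdateViewData()
$cfg = $vm.ExtensionData.Config
[pscustomobject]@{
    VM         = $vm.Name
    Firmware   = $cfg.Firmware
    SecureBoot = $cfg.BootOptions.EfiSecureBootEnabled
    VBS        = $cfg.Flags.VbsEnabled
    IOMMU      = $cfg.Flags.VvtdEnabled
    NestedHV   = $cfg.NestedHVEnabled
}
```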
If the VM no longer boots, you are looking at the classic EFI boot “black screen”. It happens because your Windows server was originally installed on the old BIOS (Legacy) firmware.

When you changed the setting to UEFI in the VMware options, the virtual machine stopped finding the boot sector on the disk, because BIOS disks use the MBR scheme, while UEFI looks for the GPT scheme.
Please, see What are the Differences between UEFI and BIOS, and The Silent War: What your Ransomware Recovery Strategy looks like when the clock starts ticking.
1) Roll back the VMware vHW configuration.
If you need to restart Veeam urgently, shut down the VM and reset the firmware to Legacy (BIOS). The server will restart immediately.
Cons: You will not be able to enable Credential Guard, because it is a fundamental requirement that the system runs in UEFI mode.
2) Convert the disk from MBR to GPT (the definitive solution)
Learn the difference between GPT and MBR and how to convert a disk to GPT or MBR in this section.

If you really want to enable Credential Guard, you must convert the system disk without losing data. Windows includes a tool called MBR2GPT. Return the VM to Legacy (BIOS) mode and start Windows normally.
Open the Command Prompt as Administrator. Run this command to validate the disk (assuming that disk C: is disk 0):
mbr2gpt /validate /allowFullOS

mbr2gpt /validate /disk:0 /allowFullOS

If the response is ‘Validation completed successfully’, proceed with the conversion:
mbr2gpt /convert /allowFullOS

Once successfully completed, shut down the VM. Now change the firmware to UEFI (and enable Secure Boot) in the VMware settings.
Power on the VM. Windows will now load correctly in UEFI mode.
Check that the EFI system partition is present.

Please, see How to set up Devolusion Remote Desktop Manager on Windows, and A-Z of XCP-ng and Xen Orchestra setup and VM Creation.
Configure Credential Guard
Please, follow the steps below to configure Credential Guard in the Local Group Policy Editor.

Open the policy and configure the options described below.

Enable Virtualisation-Based Protection of Code Integrity

This setting enables virtualisation-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualisation Based Security feature.
The “Disabled” option turns off Virtualisation Based Protection of Code Integrity remotely if it was previously turned on with the “Enabled without lock” option.
The “Enabled with UEFI lock” option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to “Disabled” as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
The “Enabled without lock” option allows Virtualisation Based Protection of Code Integrity to be disabled remotely by using Group Policy.
Please, see Hacker Thinking in Ransomware Attacks: Backup Is the real Target, and Bypassing BitLocker Loop by Unlocking or Disabling or PC Reset.
Credential Guard
This setting lets users turn on Credential Guard with virtualisation-based security to help protect credentials.
The “Disabled” option turns off Credential Guard remotely if it was previously turned on with the “Enabled without lock” option.
The “Enabled with UEFI lock” option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to “Disabled” as well as remove the security functionality from each computer, with a physically present user, in order to clear the configuration persisted in UEFI.
The “Enabled without lock” option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
Secure Launch
This setting sets the configuration of Secure Launch to secure the boot chain. The “Not Configured” setting is the default, and allows configuration of the feature by Administrative users.
The “Enabled” option turns on Secure Launch on supported hardware. The “Disabled” option turns off Secure Launch, regardless of hardware support.

Check by launching the command below.
msinfo32.exe

Reboot the server and check again.
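An in-guest check of the prerequisites (UEFI, Secure Boot, GPT system disk, vTPM) and of the VBS, Credential Guard, HVCI and Secure Launch state that msinfo32 displays, as an added example that is not part of the original post. It is read-only and assumes an elevated PowerShell session on the Windows Server after the reboot.

```powershell
# Added example (not from the original post): verify the prerequisites and the resulting
# VBS / Credential Guard state from inside the guest. Run elevated; it changes nothing.
function Get-VbsReadiness {
    $result = [ordered]@{}

    # Firmware mode and Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS)
    $result.Firmware = $env:firmware_type                        # 'UEFI' or 'Legacy'
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # System disk must be GPT; this is exactly what MBR2GPT fixes
    $sysDisk = Get-Disk | Where-Object IsSystem
    $result.SystemDiskStyle = $sysDisk.PartitionStyle           # expect 'GPT'

    # vTPM is optional in the prerequisites, so it is reported but not required below
    try   { $result.TpmReady = [bool](Get-Tpm).TpmReady }
    catch { $result.TpmReady = $false }

    # Live VBS state as reported by Windows (same data msinfo32 shows)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $result.VbsStatus = @('Off', 'Enabled but not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
    $running = @($dg.SecurityServicesRunning)
    $result.CredentialGuard = $running -contains 1   # 1 = Credential Guard
    $result.Hvci            = $running -contains 2   # 2 = HVCI (code integrity protection)
    $result.SecureLaunch    = $running -contains 3   # 3 = System Guard Secure Launch

    # Credential Guard value written by the GPO:
    # 0 = Disabled, 1 = Enabled with UEFI lock, 2 = Enabled without lock
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                            -ErrorAction SilentlyContinue
    $result.LsaCfgFlagsPolicy = $pol.LsaCfgFlags

    [pscustomobject]$result
}

$state = Get-VbsReadiness
$state | Format-List

# Every hard requirement met and Credential Guard actually running after the reboot?
$ok = ($state.Firmware -eq 'UEFI') -and $state.SecureBoot -and
      ($state.SystemDiskStyle -eq 'GPT') -and ($state.VbsStatus -eq 'Running') -and
      $state.CredentialGuard
Write-Host ("Credential Guard ready and running: {0}" -f $ok)
```

If VbsStatus reports “Enabled but not running”, the policy applied but the hypervisor did not start: re-check the VMware side (VBS enabled, UEFI firmware, Secure Boot) before touching the GPO again.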


I hope you found this guide on “Hardening Your Infrastructure: A Guide to VMware VBS and MS GPO Credential Guard in VBR v13” useful. Feel free to leave a comment below.