When Microsoft released Windows 11, Virtualization-based Security (VBS) was a key feature that provided an additional layer of protection. Now, the company has introduced VBS Enclaves, a Trusted Execution Environment (TEE) designed to enhance security for third-party apps using isolated user mode Virtual Trust Levels (VTLs).
Enhanced Security with VBS Enclaves
According to Microsoft, a VBS enclave is a software-based TEE inside the address space of a host application, functioning as a Dynamic Link Library (DLL) that can be used across various programs. VBS enclaves help secure secrets and sensitive operations in memory by isolating a portion of the application within a higher-privilege Virtual Trust Level 1 (VTL1).
VTL1, created by the Windows Hyper-V hypervisor, serves as the root of trust for the OS, with VTL0 representing the traditional Windows environment. VTL1 is further divided into isolated user mode and the secure kernel, ensuring enhanced security for sensitive data and operations.
Microsoft has also outlined the system requirements for VBS Enclaves: VBS/HVCI must be enabled, and the machine must run Windows 11 or later, or Windows Server 2019 or later.
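As an added check that is not part of the article, the PowerShell script below reports whether a machine meets the prerequisites just listed. It assumes the documented Win32_DeviceGuard WMI class and its status codes, and uses build 22000 (Windows 11) and build 17763 (Windows Server 2019) as the minimum OS builds.

```powershell
# Added example (not from the article): check the VBS Enclave prerequisites
# the article lists, VBS/HVCI running and a supported OS version.
# Win32_DeviceGuard status codes follow Microsoft's Device Guard documentation.
function Test-VbsEnclavePrerequisites {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $hvciRunning = (@($dg.SecurityServicesRunning) -contains 2)

    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = ($os.ProductType -ne 1)
    # Assumed minimum builds: Windows 11 = 22000, Windows Server 2019 = 17763
    $osOk = if ($isServer) { $build -ge 17763 } else { $build -ge 22000 }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSCaption          = $os.Caption
        Build              = $build
        OSVersionSupported = $osOk
        VBSRunning         = $vbsRunning
        HVCIRunning        = $hvciRunning
        MeetsPrerequisites = ($osOk -and $vbsRunning -and $hvciRunning)
    }
}

Test-VbsEnclavePrerequisites | Format-List
```

A VBSRunning value of $true with HVCIRunning $false means VBS is on but code integrity enforcement is not, which is the most common way a machine fails the enclave prerequisite.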
Developers interested in creating a VBS enclave can access detailed information in a support document on Microsoft’s website.