Proxmox VE 8.4.14 and Virtualization-Based Security (VBS)

[jul43257]

Hello everyone,

has anyone managed to get a Windows VM (Windows 11, Windows Server 2022, or Windows Server 2025) running with Virtualization-Based Security (VBS) enabled?
I’ve tried various CPU versions and configuration combinations — as soon as VBS is enabled, the VM becomes practically unusable and constantly sits at around 100% CPU usage.
I’ve read through the forum but haven’t found any configuration that worked.
I’m aware of the “workaround” of using x86-64-v4 as the CPU type, but with that configuration, VBS cannot be enabled.
As far as I’m concerned, VBS is a standard security feature and should be enabled in a modern Windows setup.

 

[apoyen]

Hello,

Try with the "host" CPU type, VBS is based on virtualisation so you need the virtualisation flags that are not included in classic CPU types.

 

[jul43257]

Hello,

Try with the "host" CPU type, VBS is based on virtualisation so you need the virtualisation flags that are not included in classic CPU types.

Thanks for the suggestion - yes, I’m aware that VBS requires a CPU type with virtualization support. However, when I use such CPU type, for example, “host”, and enable VBS inside the VM, the VM becomes unusable, with CPU usage stuck at around 100%. I also tried a custom "host" CPU with various flags like "-md-clear", "-flush-l1d", and "+hv-tlbflush", but the behavior remained the same.

I mentioned classic CPU types like x86-64-v4 because, in other threads, people suggested using those. They reported that their VMs became usable again - which makes sense since VBS is disabled in that case.

 

[apoyen]

Actually I found this page in the Microsoft documentation that talks about pre-requesite : https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

Maybe you have to check if IOMMU is activated on your hypervisor.

This part of the documentation is mentionning Guest VSM that need to be enabled in the windows VM, maybe you can also check if you can activate it.

 

[jul43257]

Thank you, I will look into IOMMU.
Isn’t Guest VSM a feature specific to Hyper-V?

Also, if anyone has a setup with working and usable VBS on Proxmox VE, it would be great if they could share it.

 

[_gabriel]

VBS ( = nested virtualization) require modern hardware.
What is your cpu model ?

 

[jul43257]

VBS ( = nested virtualization) require modern hardware.
What is your cpu model ?

I'm using a Intel Xeon Gold 6134

 

[_gabriel]

Not the oldest, but seems borderline.
try with mitigations=off
try with another hypervisor

 

[jul43257]

Not the oldest, but seems borderline.
try with mitigations=off
try with another hypervisor

According to the documentation, the CPU should be sufficient for VBS.
If anyone has managed to get VBS working with a newer CPU, that’s fine - but so far I haven’t seen anyone report success.

If I set mitigations=off, won’t that reduce the security of my host?

 

[_gabriel]

According to the documentation, the CPU should be sufficient for VBS

baremetal VBS, not nested VBS, that's the whole point.

 

[jul43257]

baremetal VBS, not nested VBS, that's the whole point.

Which CPU or CPU generation is sufficient for nested VBS?

 

[_gabriel]

I have no experience with VBS , as I disable it anywhere (VM and, even on baremetal to not feel the sluggish )