Proxmox VE 8.4.14 and Virtualization-Based Security (VBS)

[jul43257]

Hello everyone,

has anyone managed to get a Windows VM (Windows 11, Windows Server 2022, or Windows Server 2025) running with Virtualization-Based Security (VBS) enabled?
I’ve tried various CPU versions and configuration combinations — as soon as VBS is enabled, the VM becomes practically unusable and constantly sits at around 100% CPU usage.
I’ve read through the forum but haven’t found any configuration that worked.
I’m aware of the “workaround” of using x86-64-v4 as the CPU type, but with that configuration, VBS cannot be enabled.
As far as I’m concerned, VBS is a standard security feature and should be enabled in a modern Windows setup.

 

[apoyen]

Hello,

Try with the "host" CPU type, VBS is based on virtualisation so you need the virtualisation flags that are not included in classic CPU types.

 

[jul43257]

Hello,

Try with the "host" CPU type, VBS is based on virtualisation so you need the virtualisation flags that are not included in classic CPU types.

Thanks for the suggestion - yes, I’m aware that VBS requires a CPU type with virtualization support. However, when I use such CPU type, for example, “host”, and enable VBS inside the VM, the VM becomes unusable, with CPU usage stuck at around 100%. I also tried a custom "host" CPU with various flags like "-md-clear", "-flush-l1d", and "+hv-tlbflush", but the behavior remained the same.

I mentioned classic CPU types like x86-64-v4 because, in other threads, people suggested using those. They reported that their VMs became usable again - which makes sense since VBS is disabled in that case.

 

[apoyen]

Actually I found this page in the Microsoft documentation that talks about pre-requesite : https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

Maybe you have to check if IOMMU is activated on your hypervisor.

This part of the documentation is mentionning Guest VSM that need to be enabled in the windows VM, maybe you can also check if you can activate it.

 

[jul43257]

Thank you, I will look into IOMMU.
Isn’t Guest VSM a feature specific to Hyper-V?

Also, if anyone has a setup with working and usable VBS on Proxmox VE, it would be great if they could share it.

 

[_gabriel]

VBS ( = nested virtualization) require modern hardware.
What is your cpu model ?

 

[jul43257]

VBS ( = nested virtualization) require modern hardware.
What is your cpu model ?

I'm using a Intel Xeon Gold 6134

 

[_gabriel]

Not the oldest, but seems borderline.
try with mitigations=off
try with another hypervisor

 

[jul43257]

Not the oldest, but seems borderline.
try with mitigations=off
try with another hypervisor

According to the documentation, the CPU should be sufficient for VBS.
If anyone has managed to get VBS working with a newer CPU, that’s fine - but so far I haven’t seen anyone report success.

If I set mitigations=off, won’t that reduce the security of my host?

 

[_gabriel]

According to the documentation, the CPU should be sufficient for VBS

baremetal VBS, not nested VBS, that's the whole point.

 

[jul43257]

baremetal VBS, not nested VBS, that's the whole point.

Which CPU or CPU generation is sufficient for nested VBS?

 

[_gabriel]

I have no experience with VBS , as I disable it anywhere (VM and, even on baremetal to not feel the sluggish )

 

[jul43257]

Thanks anyway! Maybe someone else has experience with nested VBS on a modern CPU.
On (modern) baremetel clients I don't see any issues.

 

[BobhWasatch]

One might also ask what the benefit of VBS is when you're already in a virtualized environment.

 

[jul43257]

VBS protects the guest operating system itself.

According to Microsoft documentation:

Virtualization-based security, or VBS, uses hardware virtualization and the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised.

As noted in the CIS Baseline for Windows Server 2025:

With Windows Defender Credential Guard enabled, the LSA processin the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protectedusing virtualization-based security and is not accessible to the rest of the operatingsystem.

CIS also notes the following for VMs:

In addition, if running Windows on avirtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V)must be exposed by the host to the guest VM.

 

[BobhWasatch]

VBS protects the guest operating system itself.

It is also going to be a significant performance hit, especially when running under a hypervisor where nested virtualization must be enabled. The question is whether it is worth it or not. For a server that presumably doesn't have interactive users.

This industry is completely full of itself. Security sucks but rather than clean up our code and fix bugs, we push out ever-more-elaborate new "features" that are just another layer on the pile. Everything gets constantly more difficult to administer, constantly needs more hardware, and yet I have not seen any hint at all that e.g. ransomware attacks are declining.