Best Method to Enable Virtualization Based Security Using Microsoft Intune

In this article am going to explain how we can enable Virtualization Based Security using Microsoft Intune. Virtualization Based Security (VBS) leverages hardware virtualization features to create an isolated, secure memory region within the system.

This isolated environment protects critical system processes from common vulnerabilities and attacks, enhancing the overall security posture. By enabling VBS, organizations can safeguard sensitive data and prevent exploits targeting kernel-level code execution.

Microsoft Intune simplifies the deployment of VBS across managed devices through security baselines and configuration profiles. Administrators can create and assign security policies that enable features like Hypervisor-Enforced Code Integrity (HVCI) and Credential Guard.

This centralized approach ensures consistent security settings across endpoints, reducing the risk of misconfigurations and security gaps. Also Virtualization Based Security (VBS) must be Enable to receive Hotpatch updates on a Windows device.

Sign up to get the best of How To Manage Devices straight to your inbox!

Virtualization Based Security Supported Environments

Below mentioned table shows the Supported Scope, Editions and Applicable Operating Systems details of this Virtualization Based Security Configuration Policy.

• Easy Guide to Configure EPM Reusable Settings with Intune
• How to Configure Support Approved EPM Elevation using Intune | Highly secured option
• Best Way to Set Copilot Hardware Key Using Microsoft Intune
• Best Guide to Setup Conditional Access for Remote Help with Intune | RemoteAssistanceService

Create a Configuration Policy to Enable Virtualization Based Security

Follow the below mentioned steps to create a configuration policy to Enable Virtualization Based Security using Microsoft Intune. First, Sign In to the Microsoft Intune Admin Center with your administrator credentials.

• Navigate to Devices  > Windows > Manage devices > Configuration
• Click on +Create > +New Policy

In the next step, we can create a new Configuration profile from scratch. First, we need to provide the options mentioned below.

• Platform: Windows 10 and later
• Profile type: Settings Catalog

On the Basics details pane, we can name the configuration policy as “Enable Virtualization Based Security” if needed, briefly describe the policy’s use, here am giving as “Virtualization Based Security (VBS) must be Enable to receive Hotpatch updates on a Windows device” and click Next.

We can now add the required settings to the Configuration Settings pane. To do that, click +Add settings in the bottom left corner of the page.

Note! In Microsoft’s testing they have discovered admins may experience performance degradation when greater than 400 settings are added to a single policy. While MS continue to make improvements, please take this into consideration when designing your policies.

Search “Virtualization Based Security” as a keyword. This will help us to find the correct policy based on our your current need. Now you can see the browse by category found as Device Guard. Click that and check the “ Enable Virtualization Based Security” Settings name and close the Settings picker window.

On the current Configuration Settings page, select the enable virtualization based security. option from the drop-down menu and click Next.

On the next page, Leave the Scope tags as Default. If your tenant has custom scope tags, you can select them based on your policy needs then Click on Next.

Here, I am assigning the configuration policy to HTMD – Test Computers & Hotpatch Test Device Groups. To do that, click Add Groups and select a required device group under the Included Groups option. Not using any Filter in this example, and the Excluded Groups option was also left blank.

On the Review + Create page, carefully review all the settings you’ve defined for the enable VBS configuration policy. Once you’ve confirmed everything is correct, select “Create” to deploy the policy.

• How to use the Update option in Intune Enterprise App Catalog apps by Vaishnav
• Best Method to Create EPM Elevation Rules Policy from Elevation Request Using Intune Policy
• 4 Methods Enable or Disable Virtualization Based Security VBS on Windows 11

Monitor the Enable Virtualization Based Security Policy Deployment

The configuration policy has been deployed to the HTMD – Test Computers & Hotpatch Test Microsoft Entra ID Device groups. Once the devices are synced, the policy will take effect immediately. To monitor the policy deployment status from the Intune Portal, follow the steps below.

• Navigate to Devices >  Windows > Configuration > Search for the “Enable Virtualization Based Security” configuration policy.
• Under the Device and user check-in status, you can see the policy’s deployment status.

End User Experience – Enable Virtualization Based Security Configuration Policy

It’s time to check whether the Enable VBS Configuration Policy worked. To check that, log in to one of the policy-targeted devices.

• Click On Start > Search “System Information” > System Summary > Virtualization-based security showing as Running and it is Enabled.

We can also notice few more other Virtualization-based security based components also enabled in the device. So we can conclude our policy is working as expected!

• Virtualization-based security Required Security Properties – Base Virtualization Support, Secure Boot
• Virtualization-based security Available Security Properties – Base Virtualization Support, Secure Boot, UEFI Code Readonly, Mode Based Execution Control
• Virtualization-based security Services Configured – Credential Guard, Secure Launch
• Virtualization-based security Services Configured – Credential Guard

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.