Tag: TPM

Introducing support for Virtualization Based Security and Credential Guard in vSphere 6.7

Microsoft virtualization-based security, also known as “VBS”, is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem in which sensitive code and secrets run out of reach of the normal kernel. Starting with vSphere 6.7, you can enable VBS on supported Windows guest operating systems running as virtual machines.

You may or may not be familiar with these new Windows features. Based on conversations I have with security teams, you might want to become familiar! What you will hear first and foremost is the requirement for “Credential Guard”, which is why I added it to the title. To level-set the conversation in this post, I will go over the features as they relate to a bare-metal installation of Windows and then to a Windows VM on ESXi.


vSphere 6.7 – ESXi and TPM 2.0

With vSphere 6.7 I’m happy to announce support for TPM 2.0! This post goes into detail on how we leverage the TPM 2.0 chip found on most modern servers. I’ll also clarify some misconceptions and try to put into context which pieces are doing what during the boot of ESXi 6.7.

First, we’ll start out with “What is a TPM?” and what its capabilities are.

Trusted Platform Module or “TPM”

A TPM (Trusted Platform Module) is a computer chip/microcontroller that can securely store artifacts used to authenticate the platform (your PC, laptop or server). These artifacts can include measurements, passwords, certificates, or encryption keys. A TPM can also be used to digitally sign content and to store platform measurements that help ensure that the platform remains trustworthy. The Trusted Computing Group has a great detailed overview of what a TPM is and does. I will attempt to provide a journeyman’s overview below.
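The “platform measurements” mentioned above live in the TPM’s Platform Configuration Registers (PCRs), which can only be updated with an extend operation, never written directly. The following is an added example, not code from this post or from VMware: it simulates the SHA-256 PCR extend operation in plain Python (no real TPM is touched) so you can see why the final PCR value commits to every boot component and to the order in which they were measured, and how a verifier replays the event log against the reported value. The component names and byte strings standing in for firmware, bootloader and kernel images are constructed for the example.

```python
import hashlib

# A SHA-256 PCR bank: every register starts at 32 zero bytes after a reset.
PCR_RESET = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest).

    The register is never written directly; it can only be folded forward,
    so the final value commits to every measurement and to their order.
    """
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Simulate firmware measuring each boot component into one PCR.

    Returns the final PCR value and the event log (name, digest) that a
    real platform would hand to a verifier alongside a signed TPM quote.
    """
    pcr = PCR_RESET
    event_log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()   # measure the component
        pcr = pcr_extend(pcr, digest)             # record it in the "TPM"
        event_log.append((name, digest))
    return pcr, event_log


def replay_event_log(event_log):
    """Verifier side: recompute the PCR from the log alone and compare it
    with the value the TPM reported. The boot images themselves are not
    needed, only their digests."""
    pcr = PCR_RESET
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(reported_pcr: bytes, event_log, golden_pcr: bytes) -> bool:
    """Accept only if the log is consistent with the PCR the TPM reported
    AND that PCR matches the known-good value recorded for this host."""
    return (replay_event_log(event_log) == reported_pcr
            and reported_pcr == golden_pcr)


# Constructed sample boot chains (stand-ins for real firmware/bootloader/kernel images).
KNOWN_GOOD = [
    ("uefi-firmware", b"firmware image v1.2"),
    ("esxi-bootloader", b"mboot.efi image"),
    ("esxi-kernel", b"vmkernel image"),
]
TAMPERED_BOOTLOADER = [
    ("uefi-firmware", b"firmware image v1.2"),
    ("esxi-bootloader", b"mboot.efi image + implant"),
    ("esxi-kernel", b"vmkernel image"),
]
# Same components, different measurement order: also a different PCR.
REORDERED = [KNOWN_GOOD[1], KNOWN_GOOD[0], KNOWN_GOOD[2]]

if __name__ == "__main__":
    golden, _ = measured_boot(KNOWN_GOOD)
    print("golden PCR:", golden.hex())
    for label, chain in (("known good", KNOWN_GOOD),
                         ("tampered", TAMPERED_BOOTLOADER),
                         ("reordered", REORDERED)):
        pcr, log = measured_boot(chain)
        verdict = "TRUSTED" if attest(pcr, log, golden) else "UNTRUSTED"
        print(f"{label:11s} -> {verdict}")
```

Two properties of the real hardware are captured here: a modified component changes the PCR even though the log still looks plausible, and an attacker who edits the event log to hide a change cannot make the replay match the value the TPM actually reports, because the TPM, not the host software, holds the register.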
