VMware

Enabling VMWare VBS for Windows 2019 Credential Guard without KMS/TPM?

We are running VC 6.7 U2 and this allows us to enable VBS on VMs.

I am in the process of evaluating this for our W2019 VMs that are properly configured with GPT/UEFI.

We don’t have KMS configured on vSphere so vTPM is not an option for us. There don’t appear to be any free KMS options out there and buget is already closed for 2021 🙁 Having a KMS won’t be an option for us until 2022.

From MS:

>Trusted Platform Module (TPM) is a motherboard chip that stores Credential Guard encryption keys. If you don’t have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.

What are the drawbacks with implementing VBS+CG without vTPM, it seems to work (in that it uses software protection vs. hardware protection); what are the actual security drawbacks of not using a vTPM? I would think its still better than not having it enabled at all.

Anyone out there fully implement VBS+CG on VMware? What was your experience?

We also do array based replication from site A to site B where we bring up a copy of the VMs in D/R for testing purposes, will enabling VBS+CG cause issues with VMs booting at secondary site?


View Reddit by -c3rberus-View Source

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Close