20.4. Enabling enhanced hardware security on Windows virtual machines

To further secure Windows virtual machines (VMs), you can enable virtualization-based protection of code integrity, also known as Hypervisor-Protected Code Integrity (HVCI).

Conditions préalables

Procédure

  1. Open the XML configuration of the Windows VM. The following example opens the configuration of the Example-L1 VM: 

    # virsh edit Example-L1

  2. Under the <cpu> section, specify the CPU mode and add the policy flag.

    Important
    • For Intel CPUs, enable the vmx policy flag.
    • For AMD CPUs, enable the svm policy flag.
    • If you do not wish to specify a custom CPU, you can set the <cpu mode> as host-passthrough. 
    <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>Skylake-Client-IBRS</model>
    <topology sockets='1' dies='1' cores='4' threads='1'/>
    <feature policy='require' name='vmx'/>
</cpu>
  3. Save the XML configuration and reboot the VM.

  4. On the VMs operating system, navigate to the Core isolation details page:

    Settings > Update & Security > Windows Security > Device Security > Core isolation details

  5. Toggle the switch to enable Memory Integrity.
  6. Reboot the VM.
Note

For other methods of enabling HVCI, see the relevant Microsoft documentation.

Vérification

  • Ensure that the Device Security page on your Windows VM displays the following message:

    Settings > Update & Security > Windows Security > Device Security 

    Your device meets the requirements for enhanced hardware security.

  • Alternatively, check System Information on the Windows VM:

    1. Run msinfo32.exe in a command prompt.
    2. Check if Credential Guard, Hypervisor enforced Code Integrity is listed under Virtualization-based security Services Running.