What Is Virtual Secure Mode (VSM)? - ITU Online IT Training
Service Impact Notice: Due to the ongoing hurricane, our operations may be affected. Our primary concern is the safety of our team members. As a result, response times may be delayed, and live chat will be temporarily unavailable. We appreciate your understanding and patience during this time. Please feel free to email us, and we will get back to you as soon as possible.

What is Virtual Secure Mode (VSM)?

Definition: Virtual Secure Mode (VSM)

Virtual Secure Mode (VSM) is a security feature in modern computing that isolates sensitive processes, such as credential management and encryption keys, within a secure, virtualized environment. By using hardware-based virtualization, VSM protects key system processes from potential malware or unauthorized access by running them in a protected memory space that even the main operating system cannot access.

How Virtual Secure Mode (VSM) Works

At its core, Virtual Secure Mode (VSM) leverages hardware-assisted virtualization technologies, such as Intel VT-x or AMD-V, alongside Windows’ Hyper-V hypervisor, to create a secure, isolated environment. This isolated virtual space is known as a Virtual Trust Level (VTL), which operates separately from the normal Windows operating environment.

In typical scenarios, the operating system has full control over the computer’s hardware resources and can access sensitive data like passwords, encryption keys, or user credentials. This makes the system vulnerable to sophisticated attacks, such as kernel-level exploits, which can compromise this critical information. VSM mitigates these risks by running specific security functions in a highly secure virtual environment.

Components of VSM

VSM has several integral components that work together to secure sensitive system processes. These components include:

  • Virtual Trust Levels (VTLs): VSM divides the system into two levels of trust, VTL0 and VTL1. VTL0 corresponds to the traditional operating system, while VTL1 represents the more secure virtual environment. Code running in VTL1 is fully protected from processes running in VTL0, even if the VTL0 environment (the standard operating system) is compromised.
  • Isolated User Mode (IUM): IUM is an essential part of VSM that runs user-mode code in the secure VTL1 environment. Processes running in this mode cannot be accessed or tampered with by the operating system, ensuring that sensitive data remains protected.
  • Hypervisor: The hypervisor is a low-level software component that manages the virtualization layer, ensuring that VTL0 and VTL1 are strictly separated. It handles the context switching between these two levels and allocates system resources securely.

Enabling and Managing VSM

To enable VSM, certain prerequisites must be met, including:

  • A 64-bit processor with hardware virtualization extensions (such as Intel VT-x or AMD-V)
  • UEFI firmware with Secure Boot enabled
  • A Trusted Platform Module (TPM) version 2.0
  • Windows 10 or Windows Server operating systems with Hyper-V enabled

Once enabled, VSM can be managed through Group Policy settings, where administrators can configure various security options and determine which processes run inside the secure VTL1 environment.

Benefits of Virtual Secure Mode (VSM)

VSM introduces significant advantages for system security, particularly in enterprise environments where safeguarding sensitive data is critical. Key benefits include:

Enhanced Protection Against Malware

Because VSM operates in a virtualized environment separate from the main OS, it protects critical security functions from malware attacks that target the OS kernel. Even if a malware manages to infiltrate the normal OS (VTL0), the processes running in VTL1 remain unaffected.

Safeguarding Credential Management

Credential Guard, a component that works in conjunction with VSM, helps protect user credentials, preventing unauthorized access to password hashes or Kerberos tickets. This protection is crucial for stopping attacks like Pass-the-Hash, where attackers steal password hashes from memory to access network resources.

Kernel Integrity and Code Protection

By isolating security-sensitive operations, VSM helps to ensure kernel integrity. Even advanced rootkits that target the kernel cannot compromise the system when VSM is active. This secure kernel environment allows system code to execute in a protected state, reducing the risk of code injection or privilege escalation.

Hardware-Based Security

VSM relies on the hardware-level security features provided by modern processors and the Trusted Platform Module (TPM). This tight integration between software and hardware adds an extra layer of security that is difficult to bypass, making it an ideal solution for environments requiring high-assurance security measures.

Uses of Virtual Secure Mode (VSM)

VSM has become a key feature in a variety of security-focused applications and solutions. Some common uses include:

Credential Guard

Credential Guard is perhaps the most notable feature that leverages VSM. By running within VSM, Credential Guard protects user credentials such as NTLM password hashes and Kerberos tickets. This prevents attackers from using stolen credentials to laterally move within an organization’s network.

Device Guard

Device Guard uses VSM to ensure that only trusted applications can run on a system. By enforcing code integrity policies within VSM, Device Guard can block unauthorized or potentially malicious code from executing, helping to safeguard the integrity of the system.

Windows Defender Application Guard (WDAG)

Windows Defender Application Guard, another security feature using VSM, allows organizations to run untrusted websites in a secure, isolated environment. This feature creates a virtualized browsing session, protecting the host system from any potential malicious web content.

Secure Boot and Firmware Protection

With VSM in place, features like Secure Boot can be enhanced, ensuring that the system starts only with trusted firmware and operating system files. This eliminates the risk of rootkits and other firmware-based attacks from taking control during the boot process.

Features of Virtual Secure Mode (VSM)

Several key features make VSM a powerful tool for modern security solutions. Some of its most notable features include:

Isolation of Sensitive Processes

One of VSM’s core features is its ability to isolate sensitive processes, ensuring that even if the primary OS is compromised, these critical operations remain secure.

Hardware-Rooted Trust

VSM leverages the capabilities of TPM 2.0 and processor-based virtualization technologies like Intel VT-x and AMD-V to provide a hardware-rooted trust model. This makes the security measures difficult to bypass even with advanced attack vectors.

Seamless Integration with Windows Security Features

VSM works seamlessly with a range of Windows security features, including Credential Guard, Device Guard, and Secure Boot, providing a holistic security solution without requiring significant manual configuration.

Role in Securing Virtual Machines (VMs)

Virtual machines (VMs) benefit from VSM by running critical operations in isolated, secure environments. This is particularly useful in cloud and hybrid infrastructures where multi-tenancy introduces additional security concerns.

How to Enable Virtual Secure Mode (VSM)

Enabling VSM is generally straightforward but requires specific hardware and software configurations. Here’s how to enable VSM:

Step 1: Verify Hardware and Firmware Requirements

  • Ensure the system has a 64-bit processor that supports Intel VT-x or AMD-V.
  • Verify that UEFI firmware with Secure Boot is enabled.
  • Check for TPM version 2.0 or later.

Step 2: Enable Hyper-V

VSM relies on the Hyper-V hypervisor to create the secure virtual environment. To enable Hyper-V:

  1. Open Control Panel and navigate to “Programs.”
  2. Click “Turn Windows features on or off.”
  3. Check the box for “Hyper-V” and click “OK.”
  4. Restart your system if prompted.

Step 3: Enable VSM via Group Policy

  1. Press Win + R to open the Run dialog, then type gpedit.msc to launch the Group Policy Editor.
  2. Navigate to Computer Configuration > Administrative Templates > System > Device Guard.
  3. Enable the policies “Turn On Virtualization Based Security” and “Credential Guard Configuration.”
  4. Restart your system to apply the changes.

Key Term Knowledge Base: Key Terms Related to Virtual Secure Mode (VSM)

Understanding Virtual Secure Mode (VSM) and its associated technologies is critical for professionals working in the areas of cybersecurity, virtualization, and operating system security. VSM is an important security feature introduced in modern Windows systems, providing an isolated environment to protect sensitive operations, including credential storage and security features. Mastering the terminology related to VSM will help in understanding how it secures systems and integrates with other modern security technologies.

TermDefinition
Virtual Secure Mode (VSM)A security feature in Windows that isolates sensitive operations from the main OS using virtualization technology to enhance system protection.
HypervisorSoftware that creates and runs virtual machines (VMs). VSM leverages hypervisors to create a secure environment for running sensitive operations separately from the main OS.
Credential GuardA VSM feature that helps protect credentials by isolating them in a secure, virtualized environment, preventing theft by malware.
Device GuardA security feature that uses VSM to ensure that only trusted applications are allowed to run on a Windows system.
Kernel ModeThe highest privilege level in the Windows operating system where core processes and drivers run. VSM helps protect the kernel from malicious interference.
User ModeA lower privilege level where standard applications run. VSM isolates sensitive data in higher privilege levels to protect it from threats in User Mode.
Secure KernelA separate, isolated component within VSM that handles sensitive tasks like credential management and memory isolation, beyond the reach of the standard Windows kernel.
Hardware Security Module (HSM)A physical or virtual device that manages cryptographic keys in a secure environment. VSM interacts with HSMs for secure key management.
BitLockerA disk encryption feature that can leverage VSM for additional security, protecting encryption keys by storing them in the virtualized secure environment.
Trusted Platform Module (TPM)A hardware chip used to secure hardware through integrated cryptographic keys. VSM uses TPM to ensure the integrity of the virtualized environment.
Memory IsolationA security technique used by VSM to separate sensitive memory spaces, preventing malware from accessing or manipulating protected data.
Virtualization-Based Security (VBS)A security feature in Windows that uses hardware virtualization to create isolated environments for security-critical operations, which includes VSM.
Hyper-VMicrosoft’s hypervisor technology that powers VSM by creating isolated virtual machines where secure processes can run independently of the main OS.
Intel VT-xIntel’s hardware-assisted virtualization technology that helps support VSM by providing the necessary hardware capabilities for virtualization.
AMD-VAMD’s virtualization technology that enables VSM on AMD-based systems, offering hardware support for secure virtual environments.
Secure BootA security standard that ensures a device boots using only software that is trusted by the original equipment manufacturer (OEM). It often works in tandem with VSM.
Root of TrustA set of trusted components (like TPM or firmware) that form the foundation of security for a system. VSM relies on a strong Root of Trust for integrity.
Hardware Enforced Stack ProtectionA VSM-related security mechanism that protects the call stack from corruption by malware or exploits, especially during privilege escalation attempts.
Code IntegrityA security feature that checks that only trusted and verified code can run on the system. VSM helps ensure code integrity by running checks in an isolated environment.
LSA ProtectionLocal Security Authority (LSA) Protection is a security mechanism that secures authentication data; VSM provides an isolated environment for it.
Windows Defender Application GuardA security feature that uses VSM to isolate browser sessions and protect the system from malware when accessing untrusted sites.
Shielded Virtual MachinesVirtual machines that are protected from unauthorized access using VSM technology, ensuring the privacy and integrity of VM data.
Secure EnclaveA protected memory region designed to handle sensitive computations. VSM creates a virtual equivalent of this for enhanced security on Windows.
PatchGuardA security feature in Windows that prevents the kernel from being patched or modified. VSM enhances PatchGuard’s protection by isolating these operations.
Hypervisor-Protected Code Integrity (HVCI)A VSM feature that enforces code integrity rules by using the hypervisor to prevent the execution of untrusted or unauthorized code in the kernel.
Privileged Access Management (PAM)A security practice to restrict privileged accounts. VSM plays a role by isolating and securing credentials for privileged access.
Secure VirtualizationThe process of using virtualization to enhance security, where VSM is one of the key implementations to create isolated secure environments.
Execution ContextThe state and information needed to run code, including register values and security tokens. VSM isolates execution contexts to protect them from tampering.
Secure Memory Encryption (SME)A security feature that encrypts memory to prevent unauthorized access, often used in tandem with VSM to protect sensitive data.
Dynamic Root of Trust for Measurement (DRTM)A security technology that provides dynamic verification of the system’s integrity. VSM can use DRTM to establish secure environments at runtime.
Virtual Trusted Platform Module (vTPM)A virtual version of TPM used in cloud and virtualized environments, which VSM leverages to ensure the integrity of secure environments.
Windows Hypervisor Platform (WHP)A set of APIs that allow third-party virtualization stacks to leverage the Windows hypervisor, extending VSM’s benefits to other software platforms.
Security Support Provider Interface (SSPI)An API that provides security services like authentication in Windows. VSM enhances SSPI by isolating sensitive operations in secure environments.
Firmware ProtectionThe process of securing system firmware against tampering. VSM works alongside firmware protections to maintain system security from boot-up onward.

This comprehensive list of key terms will help you navigate the technical aspects of Virtual Secure Mode and related security features within Windows operating systems. Understanding these terms is essential for anyone involved in system security, administration, or development in virtualized environments.

Frequently Asked Questions Related to Virtual Secure Mode (VSM)

What is Virtual Secure Mode (VSM)?

Virtual Secure Mode (VSM) is a security feature that isolates sensitive processes within a virtualized environment using hardware-based virtualization technologies. It protects key system processes from malware or unauthorized access by running them in a protected memory space that even the main operating system cannot access.

How does Virtual Secure Mode (VSM) work?

VSM works by leveraging hardware virtualization technologies, such as Intel VT-x or AMD-V, and creating a Virtual Trust Level (VTL) environment. This allows sensitive processes to run in a secure virtual space (VTL1) separate from the standard operating system (VTL0), protecting them from potential malware attacks or unauthorized access.

What are the benefits of Virtual Secure Mode (VSM)?

VSM enhances security by isolating sensitive processes, protecting credentials through Credential Guard, ensuring kernel integrity, and using hardware-based security features like TPM. This makes it ideal for enterprise-level security where protection of sensitive data is crucial.

What are the prerequisites for enabling Virtual Secure Mode (VSM)?

To enable VSM, you need a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V), UEFI firmware with Secure Boot enabled, TPM version 2.0, and a Windows 10 or Windows Server OS with Hyper-V enabled.

How is Virtual Secure Mode (VSM) enabled?

VSM can be enabled by ensuring hardware prerequisites are met, enabling Hyper-V, and configuring Group Policy settings. This includes enabling the “Turn On Virtualization Based Security” and “Credential Guard Configuration” policies.

All Access Lifetime IT Training

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Total Hours
2815 Hrs 25 Min
icons8-video-camera-58
14,314 On-demand Videos

Original price was: $699.00.Current price is: $349.00.

Add To Cart
All Access IT Training – 1 Year

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Total Hours
2785 Hrs 38 Min
icons8-video-camera-58
14,186 On-demand Videos

Original price was: $199.00.Current price is: $129.00.

Add To Cart
All Access Library – Monthly subscription

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Total Hours
2788 Hrs 11 Min
icons8-video-camera-58
14,237 On-demand Videos

Original price was: $49.99.Current price is: $16.99. / month with a 10-day free trial

Cyber Monday

70% off

Our Most popular LIFETIME All-Access Pass