
Wednesday, August 24, 2016

Virtualization based security (Device Guard, Credential Guard) vs. VMware Workstation

Recently a customer asked me about the coexistence of the new Microsoft security features, Credential Guard and Device Guard, with VMware Workstation. They have some VMs used locally for application compatibility: these run older OSes and need specific interface types such as COM ports or USB for their machine-diagnostic software.


So the basic question is: can virtualization-based security (VBS) in Windows 10, which uses Client Hyper-V underneath, coexist with VMware Workstation?

If you need to know more about Credential Guard, check here: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard


I took the question to MS and the clear answer currently is:
This is CURRENTLY not supported!  (as of the Redstone 1 build released 08/2016)
They are aware of this issue and are looking to solve it at some point in time.


The main reason is that Client Hyper-V and VMware Workstation each take exclusive ownership of the hardware virtualization extensions (VT-x/AMD-V and the IOMMU, e.g. VT-d). Once VBS is enabled, the Hyper-V hypervisor loads at boot and owns them, so VMware Workstation cannot use them.
Nested virtualization does not solve this case either. For more on nested virtualization see:
https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/nesting

Running other virtualization solutions such as VirtualBox inside a Hyper-V VM that has nested virtualization enabled is also currently not supported! Some VMware Workstation users tried this recently, as reported in the forums, and ended up with bluescreens. See: https://communities.vmware.com/thread/528385?start=0&tstart=0

When you need VMs with older OSes for app compat, you currently have these options:

  1. Use Client Hyper-V for virtualization and explore the improved interface mappings such as COM port or USB port redirection. To check out the new possibilities, read this: https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/learn-more/use-local-resources-on-hyper-v-virtual-machine-with-vmconnect
    For COM ports this may also help:
    https://blogs.technet.microsoft.com/jeff_stokes/2013/05/06/how-to-redirect-serial-ports-in-windows-server-2012-rdsvdi/
    or use terminal server devices that redirect a physical COM port over TCP/IP, like this one: http://www.fabulatech.com/serial-port-redirector.html  Several vendors offer such products.

  2. A few other virtualization applications have an "emulator" mode that does not require the hardware virtualization extensions, but their performance is generally poor.
  3. Disable Credential Guard and Device Guard and run a different virtualization technology.
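Before picking one of the three options it helps to see what the machine is already doing. The following PowerShell check is an added example, not code from the original post, Microsoft or VMware: it reports, read-only, whether a hypervisor is already loaded (the reason VMware Workstation cannot get VT-x/AMD-V), whether VBS is running, which services (Credential Guard, HVCI) sit on top of it, and the policy values that switch them on. The Win32_DeviceGuard class and the registry values are Microsoft's; the function names and the decoding tables are my own. It assumes Windows 10 1607 or later and an elevated session (bcdedit and the DeviceGuard namespace need it).

```powershell
# Added example, not code from the original post, Microsoft or VMware.
# Read-only report of the state that decides whether VMware Workstation can
# get the hardware virtualization extensions on a Windows 10 box.
# Assumes Windows 10 1607 or later and an elevated PowerShell session.

function Get-VbsServiceNames {
    param([uint32[]]$Codes)
    # Codes from the Win32_DeviceGuard SecurityServices* properties.
    if (-not $Codes) { return @() }
    $names = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (Device Guard)' }
    @($Codes | ForEach-Object {
        if ($names.ContainsKey([int]$_)) { $names[[int]$_] } else { "Unknown service code $_" }
    })
}

function Get-VbsCoexistenceReport {
    [CmdletBinding()]
    param()

    # True when Windows itself runs on top of a hypervisor. With Client Hyper-V
    # or VBS enabled that hypervisor is Hyper-V, which owns VT-x/AMD-V and the
    # IOMMU exclusively, so a type-2 hypervisor like VMware Workstation cannot
    # get them. (It is also true inside any VM, so read it together with the rest.)
    $hypervisorPresent = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent

    # BCD setting that loads Hyper-V at boot: 'Auto' = load, 'Off' = do not load.
    $bcdMatch = bcdedit /enum '{current}' 2>$null |
        Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)' | Select-Object -First 1
    $launchType = if ($bcdMatch) { $bcdMatch.Matches[0].Groups[1].Value } else { 'unknown (not elevated?)' }

    # VBS state as reported by the Device Guard WMI provider.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatusNames = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    if ($dg) {
        $vbsStatus  = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        $configured = Get-VbsServiceNames -Codes $dg.SecurityServicesConfigured
        $running    = Get-VbsServiceNames -Codes $dg.SecurityServicesRunning
    } else {
        $vbsStatus  = 'Win32_DeviceGuard not available on this build'
        $configured = @()
        $running    = @()
    }

    # Policy values (Group Policy or manual) that switch VBS / Credential Guard on.
    $dgKey  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsaKey = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HypervisorPresent          = $hypervisorPresent
        HypervisorLaunchType       = $launchType
        VbsStatus                  = $vbsStatus
        ServicesConfigured         = $configured
        ServicesRunning            = $running
        # 1 = VBS enabled by policy
        EnableVirtualizationBasedSecurity = $dgKey.EnableVirtualizationBasedSecurity
        # 1 = require Secure Boot, 3 = Secure Boot + DMA protection (IOMMU)
        RequirePlatformSecurityFeatures   = $dgKey.RequirePlatformSecurityFeatures
        # 0 = Credential Guard off, 1 = on with UEFI lock, 2 = on without lock
        LsaCfgFlags                = $lsaKey.LsaCfgFlags
        # The answer to the question in the post: only when no hypervisor is
        # loaded can VMware Workstation get the virtualization extensions.
        ThirdPartyHypervisorCanRun = -not $hypervisorPresent
    }
}

Get-VbsCoexistenceReport | Format-List
```

If HypervisorPresent is true while VbsStatus is "Disabled" and HypervisorLaunchType is "Auto", plain Client Hyper-V is the owner of the extensions (option 1 territory); if ServicesRunning lists Credential Guard with LsaCfgFlags = 1, the UEFI lock is set and option 3 needs more than a registry change, so follow Microsoft's Credential Guard documentation for removing it.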


So my recommendation is: give Client Hyper-V another try :-)
Hyper-V has been developed further over the last few years and is now really on a par with VMware virtualization. In some respects it's even better :-)