On July 1, Microsoft introduced a new security feature in Windows 11, VBS Enclave, which protects confidential data using virtualization. This innovation promises revolutionary changes in protecting data from hackers.
The VBS (virtualization-based security) feature was already present in Windows. Enabled by default when Windows 11 is installed, it turns the operating system into a virtual machine running on the Hyper-V hypervisor. This significantly improves data protection and integrity, although it slightly reduces performance.
Gamers and ordinary users are often advised to turn off VBS and Hyper-V virtualization to improve performance. However, Microsoft insists that VBS significantly improves security in Windows 10 and 11.
Now the company is introducing VBS Enclave, which offers a completely new way to build applications that prioritize data protection. A VBS enclave is a “programmatic trusted execution environment inside the host application,” Microsoft explains.
Thanks to Hyper-V, VBS can create an environment with a higher privilege level than the operating system running in the virtual machine. VBS Enclave lets developers protect specific parts of their applications using DLL files that can be loaded by any standard Windows software.
The isolated virtual environment that VBS creates through the Hyper-V hypervisor is known as Virtual Trust Level 1 (VTL1). Microsoft describes VTL1 as “the root of trust of the operating system.” The traditional Windows environment runs at a lower privilege level (VTL0), while VTL1 is further divided into an isolated user mode and a secure kernel.
In a virtualized Windows installation, many security features run at VTL1, and VBS Enclave can be used to isolate individual parts of an application at that level. Nothing running at VTL0 should have access to an enclave secured in VTL1, which lets developers more reliably protect passwords and encryption and decryption operations in an isolated environment.
To create and use software that works with VBS Enclave, certain prerequisites are required, including a virtualized Windows installation with VBS/HVCI enabled. Windows 11 or Windows Server 2019 is also required. Developers need to use Visual Studio 202
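A quick way to confirm the VBS/HVCI prerequisite on a given machine, as an added example that is not part of the article or of Microsoft's own tooling: it reads the Win32_DeviceGuard class and the hypervisor-present flag and reports whether the host is in the state the article describes. The function name and the build-number comparison are assumptions of this example.

```powershell
# Added example, not from the article: check whether this host meets the
# VBS/HVCI prerequisite the article lists for VBS enclave applications.
# Run from an elevated PowerShell prompt on Windows.
function Test-VbsEnclavePrerequisites {
    # Win32_DeviceGuard exposes the VBS state the OS actually reached at boot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but
    # not running, 2 = running. A host where VBS was switched off for
    # performance (as the article mentions) reports 0.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning lists the services active in VTL1:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity).
    $hvciRunning = (@($dg.SecurityServicesRunning) -contains 2)

    # A hypervisor must be present for the OS to run as a VTL0 guest at all.
    $hvPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent

    # Build-number check is an assumption of this example: 22000 is the first
    # Windows 11 build, 17763 is Windows Server 2019.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $osOk  = ($build -ge 22000) -or ($build -eq 17763)

    [pscustomobject]@{
        HypervisorPresent = $hvPresent
        VbsRunning        = $vbsRunning
        HvciRunning       = $hvciRunning
        OsVersionOk       = $osOk
        Ready             = ($hvPresent -and $vbsRunning -and $hvciRunning -and $osOk)
    }
}

Test-VbsEnclavePrerequisites | Format-List
```

If `VbsRunning` is false while `HypervisorPresent` is true, VBS has typically been disabled by policy or by the performance tweaks mentioned earlier, and an enclave-based application will not be able to create its VTL1 enclave on that host.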