VMware Horizon & Windows 10 Virtual Secure Mode

The current version of VMware Horizon 7 (VDI) cannot handle Windows 10 Enterprise features that are based on Virtual Secure Mode (VSM). The cause is a set of issues with nested hypervisors from different manufacturers.
VMware tries to resolve the situation by explaining that a VDI infrastructure that regularly refreshes its virtual machines (VMs) is not prone to pass-the-hash (PtH) attacks, so disabling VSM would not put VMs at risk.
But if you are not refreshing the VMs at high frequency and all at the same time, malware can easily survive the refresh and infect the newly created machines again.
On top of that, you will not be able to use upcoming features like Application Guard.
So, in the currently possible environment, you can’t have the same high level of security on VMware-based VMs as on physical machines that support VSM.
A similar issue exists in the other direction: you can’t run VMware Workstation on a Windows 10 machine with VSM activated, and you can’t run VSM inside VMware Workstation.
Based on the latest information, VMware is now at least discussing with Microsoft what a technical solution for VSM on VMware-based VMs could look like, but for the moment there is no timeline.
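
To see which desktops actually run without VSM, the following added example (not part of the original post, and not VMware or Microsoft code) reads the Win32_DeviceGuard CIM class and flags VMware guests where VSM or Credential Guard is not running. The function name Get-VsmStatus and its output fields are hypothetical, and remote queries assume WinRM is enabled on the targets.

```powershell
# Added example: report VSM / Credential Guard state per machine.
# Get-VsmStatus and its output field names are hypothetical.
function Get-VsmStatus {
    [CmdletBinding()]
    param(
        # Machines to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Documented values of Win32_DeviceGuard.VirtualizationBasedSecurityStatus.
    $vbsState = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }

    foreach ($name in $ComputerName) {
        # Query locally without WinRM; use -ComputerName only for remote hosts.
        $cim = @{ ErrorAction = 'Stop' }
        if ($name -ne $env:COMPUTERNAME) { $cim.ComputerName = $name }

        try {
            $cs = Get-CimInstance @cim -ClassName Win32_ComputerSystem
            $dg = Get-CimInstance @cim -ClassName Win32_DeviceGuard `
                    -Namespace 'root\Microsoft\Windows\DeviceGuard'
        }
        catch {
            [pscustomobject]@{ ComputerName = $name; Finding = "Query failed: $($_.Exception.Message)" }
            continue
        }

        # Assumption: VMware guests report a manufacturer string starting with 'VMware'.
        $isVMware = $cs.Manufacturer -like 'VMware*'
        $vbs      = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
        $credGuard = $dg.SecurityServicesRunning -contains 1

        $finding = if ($vbs -eq 'Running' -and $credGuard) { 'VSM and Credential Guard running' }
                   elseif ($isVMware) { 'VMware guest without VSM protection' }
                   else { 'VSM or Credential Guard not running' }

        [pscustomobject]@{
            ComputerName           = $name
            Manufacturer           = $cs.Manufacturer
            IsVMwareGuest          = $isVMware
            VbsStatus              = $vbs
            CredentialGuardRunning = $credGuard
            Finding                = $finding
        }
    }
}

Get-VsmStatus | Format-List
```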
