Windows 11 brought VBS into the spotlight by enabling it by default, alongside TPM 2.0, to enhance system security. VBS (Virtualization-based Security) uses the Windows Hyper-V hypervisor to establish isolated environments known as Virtual Trust Levels (VTLs).
VTL1, or Virtual Trust Level 1, is a privileged environment within the OS hierarchy, designed to protect critical system components from unauthorized access by code running at the normal level, VTL0.
The latest innovation, VBS Enclaves, builds on this foundation by introducing a Trusted Execution Environment (TEE) within the VTL1 space. In practice, a VBS Enclave is a Dynamic Link Library (DLL) that a Windows application loads into an enclave region so that sensitive operations and data run isolated in memory. This isolation is what protects secrets and sensitive functions from less trusted environments such as VTL0, the traditional Windows operating environment, including the host process that loaded the enclave.
Here’s a simplified breakdown:
- Virtual Trust Levels (VTLs): VTL1 is a higher-privilege level created by VBS using Hyper-V, establishing a secure root of trust within the OS.
- VBS Enclaves: These are DLLs loaded by applications to create isolated, secure environments within VTL1. They safeguard sensitive operations and data from unauthorized access or tampering.
- Security Benefits: By leveraging VTL1, VBS Enclaves ensure that critical application components operate in a protected environment, inaccessible to less trusted parts of the system (VTL0).
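Because an enclave only delivers the VTL1 isolation described above when VBS is actually running on the host, a practitioner will want to verify that before relying on it. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes a Windows 10/11 host where the Win32_DeviceGuard WMI class and the documented kernel32!IsEnclaveTypeSupported function are available.

```powershell
# Added example (not from the original article): report whether this Windows
# host can run VBS enclaves. Assumes the Win32_DeviceGuard WMI class and
# kernel32!IsEnclaveTypeSupported are present (Windows 10/11).

function Get-VbsEnclaveReadiness {
    # P/Invoke the documented Win32 probe for enclave support (enclaveapi.h).
    if (-not ('Win32.EnclaveNative' -as [type])) {
        Add-Type -Namespace 'Win32' -Name 'EnclaveNative' -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsEnclaveTypeSupported(uint flEnclaveType);
'@
    }
    $ENCLAVE_TYPE_VBS = 0x10   # ENCLAVE_TYPE_VBS from enclaveapi.h

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $services = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        VbsStatus            = $vbsStatus
        CredentialGuard      = ($services -contains 1)
        MemoryIntegrityHvci  = ($services -contains 2)
        VbsEnclavesSupported = [Win32.EnclaveNative]::IsEnclaveTypeSupported($ENCLAVE_TYPE_VBS)
    }
}

$report = Get-VbsEnclaveReadiness
$report | Format-List

# Without a running VBS and enclave support, applications cannot create
# VBS enclaves on this host, so no VTL1 isolation is available to them.
if ($report.VbsStatus -ne 'Running' -or -not $report.VbsEnclavesSupported) {
    Write-Warning 'VBS enclaves are not available on this host.'
}
```

Run it in a normal PowerShell session; the warning at the end is the signal that VBS-dependent protections (including enclaves) would silently be missing on that machine.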
This advancement underscores Microsoft’s commitment to bolstering Windows security, particularly in protecting against sophisticated attacks that target sensitive data and operations. VBS Enclaves represent a significant step forward in ensuring that third-party applications can securely handle sensitive information, thereby enhancing overall system security in Windows 11.