Virtualization-based security (VBS) enclaves

A Virtualization-based security (VBS) Enclave is a software-based trusted execution environment inside the address space of a host application. VBS Enclaves leverage underlying VBS technology to isolate the sensitive portion of an application in a secure partition of memory. VBS Enclaves enable isolation of sensitive workloads from both the host application and the rest of the system.

By planning ahead and isolating the sensitive part of your workload, you can isolate it in a VBS Enclave, as illustrated in the following diagram:

Device requirements

The following are required to run VBS Enclaves:

• VBS/HVCI must be enabled. This should be enabled on Windows 11 or later by default. See Enable virtualization-based protection of code integrity for more information.
• Windows 11 or later or Windows Server 2019 or later.

Development prerequisites

In addition to the device requirements, the following are required to develop VBS Enclaves:

• Visual Studio 2022 version 17.9 or later - The Microsoft Visual C++ compiler (MSVC) is required. Installing Visual Studio simplifies this.
• The Windows Software Development Kit (SDK) version 10.0.22621.3233 or later, which provides veiid.exe (the VBS Enclave import ID binding utility) and signtool.exe.
• A Trusted Signing account.

Additional resources

• APIs available in VBS enclaves
• Securing your sensitive workloads with VBS Enclaves
• Secure Enclaves (Trusted Execution) overview
• Always Encrypted with secure enclaves documentation
• Virtualization-based Security (VBS) | Windows Hardware Developer