I want to create a vbs enclave module, but LoadEnclaveImageW return 557, how can i get the digital certificate?

mivv micv 0 Reputation points

I want to create a vbs enclave module(Virtualization-based security (VBS) memory enclaves), but there is no develop guide in msdn, I just get the api here.

  1. i dont known how to config IMAGE_ENCLAVE_CONFIG64 data, i just find the linker option /ENCLAVE here, there is no more information, also the /ENCALVE only work in vs2022, and msdn has no information for /ENCLAVE.
  2. when i call LoadEnclaveImageW to load the enclave module, it return 577, i known maybe the module should signed by special digital certificate. but there is no any document to introduce it, how can i get the digital certificate and what type of digital certificate.

I need help, Thank you very much!!

Windows API - Win32
Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,509 questions
A Windows technology providing a hypervisor-based virtualization solution enabling customers to consolidate workloads onto a single server.
2,619 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,831 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Shawn Ye 5 Reputation points Microsoft Employee

    Hello, AFAIK VBS enclave will load images signed by a specific certificate which is available only to MSFT internal users.

    1 person found this answer helpful.
    0 comments No comments

  2. Limitless Technology 44,096 Reputation points


    I'd be happy to help you out with your question. Sorry for the inconvenience caused.

    Regarding the error code you mentioned (557), it indicates that the LoadEnclaveImageW function encountered an error. However, without more context or code, it's difficult to determine the exact cause of the error. You may need to provide more information or consult the Microsoft documentation and developer resources for troubleshooting guidance specific to VBS enclave modules.

    In terms of the digital certificate required for signing the enclave module, Microsoft usually provides specific guidelines and requirements for the certificate. However, as there is no official documentation available for VBS enclave modules, it's challenging to provide specific instructions.

    In general, when signing code or modules, you typically need a digital certificate issued by a trusted certificate authority (CA). The type of certificate required can vary depending on the specific security requirements and configurations of VBS. Microsoft often provides guidance on the type of certificate to use for different scenarios.

    To obtain a digital certificate, you would typically follow these steps:

    1. Generate a cryptographic key pair: This involves generating a public-private key pair, where the private key remains secure and protected.
    2. Create a certificate signing request (CSR): The CSR contains your public key and other identifying information. You can generate a CSR using tools or libraries provided by your certificate authority or through programming interfaces.
    3. Submit the CSR to a certificate authority: You would need to choose a trusted certificate authority and follow their specific procedures for submitting the CSR and obtaining a digital certificate. This process often involves verifying your identity and paying any applicable fees.
    4. Receive and install the digital certificate: Once the certificate authority validates your request, they will issue a digital certificate. You would receive the certificate file and typically install it on the system or environment where you're working with VBS.

    Please note that the process described above is a general overview, and the actual steps and requirements may vary depending on the certificate authority and the specific security requirements of VBS enclave modules. It's important to refer to the official documentation or developer resources for accurate and up-to-date information on creating VBS enclave modules and obtaining the required digital certificate.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    0 comments No comments

  3. mivv micv 0 Reputation points

    Thank you so much.

    The problem is that i can't search any documents for developing VBS enclave modules by google search.

    Msdn just provides the API document for enclave.


    So also you cant get any other documents of VBS enclave while you are the people in Microsoft?

    I known the SgrmEnclave_secure.dll in windows is an VBS enclave module, it can be loaded success into system.

    It's enhanced key usage:

    Protected Process Verification (

    Isolated User Mode (IUM) (

    Windows System Component Verification (

    Code Signing (

    so how can I get these enhanced key usage for my encalve module?

  4. Xiaopo Yang - MSFT 12,226 Reputation points Microsoft Vendor

    @mivv micv , you can send feedback to Microsoft with the Feedback Hub app about the concern and before that, you can consult @Hilal Asmat for a possible response.

    0 comments No comments