Putting a trusted execution environment on a PC is useful for more than securing AI. It protects sensitive data, adding a new level of protection beyond at rest and in motion: in use. While it does require more work to define and use a VBS Enclave, it’s worth it to have more security with only limited performance impact.
With Windows 11’s memory integrity tools, a VBS Enclave uses Windows’ integral hypervisor to create a new, isolated, high-privilege area of system memory: Virtual Trust Level 1. Most of your code, and Windows itself, continues to run at Virtual Trust Level 0. VTL 1 is used by a secure version of the Windows kernel, with its own isolated user mode. This is where your VBS Enclave runs, as part of an application that appears to cross the boundary between the two zones. In reality, you’re separating off the VTL 1 enclave and using secure channels to communicate with it from the rest of your application in VTL 0.
Using VBS Enclaves in your applications
So how do you build and use VBS Enclaves? First, you’ll need Windows 11 or Windows Server 2019 or later, with VBS enabled. You can do this from the Windows security tool, via a Group Policy, or with Intune to control it via MDM. It’s part of the Memory Integrity service, so you should really be enabling it on all supported devices to help reduce security risks, even if you don’t plan to use VBS Enclaves in your code.
