Device Guard + VMware Workstation Pro 12.5

xy677 · 01 May 2017

Hi All

I'm hoping someone who knows something about Device Guard and virtualisation can help me with a question I have.

I recently rebuilt my desktop with Windows 10 Enterprise 64bit Creators Update. I use VMware Workstation Pro 12.5 daily for my work from home.

One of the features I would like to make use of in the Enterprise version of Windows 10 is Device Guard to help protect my machine from malware.

Unfortunately you need to enable the Hyper-V role to be able to use Device Guard. This means that VMware Workstation Pro 12.5 stops working.

So I was wondering since Hyper-V supports nested virtualisation in the Creators Update is there ANYWAY I can enable Device Guard on my machine AND still be able to use VMware Workstation Pro 12.5?

Before someone says "Just use Hyper-V to run your VMs", I did try this and a) Didn't like Hyper-V and b) Had issues using VPN connections from my VM under Hyper-V so using Hyper-V for my VMs isn't an option.

I'd really like to use Device Guard but don't want to give up VMware Workstation.

Thank you!

jimbo45 · 01 May 2017

Hi there
@xy677

you could do this with a 2 level nested virtualisation i.e create a VM with your VMware workstation - and then on that VM create Enterprise Windows VM with HYPER -V -- but there are plenty of good ways of preventing Malware - not sure why you have to use Device Guard -- even bog standard windows can prevent things like non admin users plugging in or using USB devices etc.

If you use nested VM's the main bugbear on performance will be slow HDD's so you'd probably need commercial SCSI or Fibre SAS connected controllers.

Another way you could do it is to use ESXI (from vmware) - but it's quite picky over hardware required to run it. The Esxi OS is TINY so ZERO overhead and your VM's will run at around 99% of Native speed - especially if you pass thru most of the hardware stuff.

You could run Esxi as a VM on Vmware workststion, then add a Windows Enterprise with HYPER-V as a VM on the Esxi VM system. In this case the overhead won't be too hideous - as I said the esxi OS is TINY but you'd need to use another machine as a console to access the VM's on ESXI unless your work place gives you access to Vsphere.

Running Esxi as a VM gets over the rather picky hardware requirements it has so a possible OK solution --it will easily boot in a few seconds from a small SD card if your machine can boot from a built in SD card reader.

Download VMware vSphere

RDP works just fine though from Windows Hosts to access the VM's on the ESXI machine. Esxi is free -- not sure though about the latest versions of Vsphere. You can run Esxi ( free earlier releases) without Vsphere -- a bit of Googling I think is what you need here -- hopefully I've given you some possible ideas to research.

Cheers
jimbo