
Adding custom services to virtualization-based security in Windows

Amelia Jones 0 Reputation points
2026-04-24T13:58:31.5+00:00

Hi everyone, I have a quick question about a security setup in our company. We use Virtualization-Based Security (VBS) in our Windows environment, and features like Credential Guard and hypervisor-enforced code integrity are already enabled. I'm trying to find out if it's possible to include or register a custom service within this protection scope. Unfortunately, I can't find a clear way to do this via policies or configurations, which is a bit confusing. This is important because we're securing endpoints for internal tools. I need to know if VBS can be extended to cover our service, or if it only works with the built-in protection mechanisms. Is there a supported method for integrating a custom service into VBS, or is this not possible?


3 answers

  1. Jason Nguyen Tran 17,025 Reputation points Independent Advisor
    2026-04-26T01:11:47.4766667+00:00

    Hi Amelia Jones,

    I’m following up to check whether the issue has been resolved. Feel free to reply if you need further information. If the information provided was helpful, please click "Accept Answer" to help others in the community. Thank you!


  2. Jason Nguyen Tran 17,025 Reputation points Independent Advisor
    2026-04-24T14:58:25.8733333+00:00

    Hi Amelia Jones,

    As far as I know, VBS is designed to isolate sensitive processes using the hypervisor, and features like Credential Guard and Hypervisor-Enforced Code Integrity (HVCI) are tightly integrated with the Windows kernel. At this time, VBS does not provide a supported mechanism for registering or protecting custom services in the same way it does for built-in features. The protection scope is limited to Microsoft-defined components that are deeply tied into the OS security model.

    That said, you can still harden your custom services by combining other layers of protection. For example, you can enforce code integrity policies through Windows Defender Application Control (WDAC), use sandboxing or containerization for isolation, and apply strict privilege management so your service runs with the least required rights. These approaches complement VBS even though they don’t extend it directly.

    If your goal is to integrate with VBS-like protections, the closest supported path is to leverage WDAC and Device Guard policies, which allow you to define trusted binaries and prevent unauthorized code execution. For highly sensitive workloads, you might also consider running your service inside a Hyper-V isolated container, which gives you a similar level of separation.

    I hope this clears up the confusion. If you find this answer helpful, please consider clicking Accept Answer so others can benefit too.

    Jason.


  3. Q&A Assist
    2026-04-24T13:58:43.44+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    Virtualization-based security (VBS) and its components (such as Credential Guard and hypervisor-protected code integrity / memory integrity) are not extensible in the way described. There is no supported mechanism to “register” or host an arbitrary, custom service inside the VBS-isolated environment.

    VBS creates a special, isolated execution environment (using the Windows hypervisor) that runs specific Microsoft-defined trustlets and services only. The documented services that use VBS include, for example:

    • Credential Guard (LSA credential isolation) to protect NTLM, Kerberos, and other secrets
    • Hypervisor-protected code integrity (HVCI, also called memory integrity) / Device Guard, which isolates the Code Integrity service from the Windows kernel
    • Other Microsoft-defined isolated services such as vTPM in certain server scenarios

    These components are tightly integrated with the OS and platform security features (Secure Boot, virtualization extensions, etc.) and are not designed as a general-purpose isolation framework for third-party or custom services.

    Therefore:

    • VBS cannot be extended to run a custom service inside its secure environment.
    • The protection scope is limited to the built-in mechanisms and trustlets that Windows defines (Credential Guard, HVCI/memory integrity, and other documented isolated services).
    • Custom services must use other hardening techniques (e.g., standard process isolation, code integrity policies, application control, least privilege, etc.), but they cannot themselves become VBS trustlets.
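The script below is an added example for this thread, not code from Microsoft, from Q&A Assist or from the original poster. It puts the recommendations in answers 2 and 3 into practice on one host: it reads which VBS-backed services are actually running (to show there is no slot for a custom one), builds a WDAC policy that allows Windows plus the service's signed binaries and deploys it in audit mode, and installs the service under a virtual service account with its privileges stripped and a scoped data-directory ACL. The service name "ContosoAgent", the paths under C:\Program Files\Contoso, C:\ProgramData\Contoso and C:\Policies are hypothetical; it assumes the DefaultWindows_Enforced.xml template shipped under the Windows ExamplePolicies folder is present on the build, and the CiTool deployment step needs Windows 11 22H2 or later.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread; not code from Microsoft or from the poster.
# Hypothetical names: service "ContosoAgent", install dir C:\Program Files\Contoso\Agent,
# data dir C:\ProgramData\Contoso\Agent, policy staging dir C:\Policies.

# ---------------------------------------------------------------------------
# 1. Confirm what VBS protects on this host. Win32_DeviceGuard only ever lists
#    the Microsoft-defined services; a custom service will never appear here.
#    Codes (per Microsoft docs): 1 = Credential Guard, 2 = HVCI / memory
#    integrity, 3 = System Guard Secure Launch, 4 = SMM firmware measurement.
# ---------------------------------------------------------------------------
function Get-VbsReport {
    $names = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)';
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $state = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'not enabled' } 1 { 'enabled but not running' } 2 { 'running' } default { 'unknown' }
    }
    [pscustomobject]@{
        VbsState   = $state
        Configured = @($dg.SecurityServicesConfigured | ForEach-Object { $names[[int]$_] })
        Running    = @($dg.SecurityServicesRunning    | ForEach-Object { $names[[int]$_] })
    }
}

# ---------------------------------------------------------------------------
# 2. WDAC: allow Windows plus the service's signed binaries, nothing else.
#    Start from Microsoft's DefaultWindows template (assumed present) so
#    Windows itself stays allowed, merge in a Publisher-level scan of the
#    service directory, and deploy in audit mode (rule option 3) first.
# ---------------------------------------------------------------------------
function New-ServiceWdacPolicy {
    param([string]$ServicePath, [string]$StagingDir = 'C:\Policies')
    New-Item -ItemType Directory -Force -Path $StagingDir | Out-Null
    $base   = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
    $scan   = Join-Path $StagingDir 'service-scan.xml'
    $merged = Join-Path $StagingDir 'ContosoAgent-policy.xml'

    # Publisher rules survive routine signed updates; hashes are the fallback for
    # anything unsigned (treat an unsigned binary in the scan as a finding to fix).
    New-CIPolicy -Level Publisher -Fallback Hash -ScanPath $ServicePath `
                 -UserPEs -FilePath $scan
    Merge-CIPolicy -PolicyPaths @($base, $scan) -OutputFilePath $merged | Out-Null

    Set-CIPolicyIdInfo -FilePath $merged -PolicyName 'Contoso Agent allow-list' -ResetPolicyID | Out-Null
    Set-RuleOption -FilePath $merged -Option 0   # Enabled:UMCI (user-mode code integrity)
    Set-RuleOption -FilePath $merged -Option 3   # Enabled:Audit Mode; rerun with -Delete to enforce

    # Multiple-policy format names the binary after the policy's own GUID.
    $policyId = ([xml](Get-Content $merged)).SiPolicy.PolicyID
    $bin = Join-Path $StagingDir "$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $bin | Out-Null
    return $bin
}

# ---------------------------------------------------------------------------
# 3. Least privilege for the service itself: run it under a virtual service
#    account, give it its own SID, strip every privilege except the one the
#    loader needs, and scope its data directory ACL to that SID.
# ---------------------------------------------------------------------------
function Install-LeastPrivilegeService {
    param([string]$Name, [string]$ExePath, [string]$DataDir)
    New-Item -ItemType Directory -Force -Path $DataDir | Out-Null
    # 'obj=' with NT SERVICE\<name> and no password selects a virtual account.
    sc.exe create $Name binPath= "`"$ExePath`"" start= auto obj= "NT SERVICE\$Name" | Out-Null
    sc.exe sidtype $Name unrestricted | Out-Null           # service-specific SID for ACLs
    sc.exe privs $Name SeChangeNotifyPrivilege | Out-Null  # drop every other privilege
    icacls $DataDir /inheritance:r `
        /grant:r "NT SERVICE\${Name}:(OI)(CI)M" "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" | Out-Null
}

$report = Get-VbsReport
"VBS is $($report.VbsState); isolated services running: $($report.Running -join ', ')"

$bin = New-ServiceWdacPolicy -ServicePath 'C:\Program Files\Contoso\Agent'
citool.exe --update-policy $bin   # Windows 11 22H2+; on older builds copy the .cip to
                                  # $env:windir\System32\CodeIntegrity\CiPolicies\Active and reboot

Install-LeastPrivilegeService -Name 'ContosoAgent' `
    -ExePath 'C:\Program Files\Contoso\Agent\ContosoAgent.exe' `
    -DataDir 'C:\ProgramData\Contoso\Agent'
```

Leave the policy in audit mode until the Microsoft-Windows-CodeIntegrity/Operational log has been quiet for a release cycle: event ID 3076 records what enforcement would have blocked, 3077 records an actual block once option 3 is removed. Note that only step 1 touches VBS at all, and only to read it; steps 2 and 3 are the layered hardening both answers describe, sitting beside VBS rather than extending it.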

