Microsoft Deprecates VBS Enclaves in Windows 11 Old Versions: What You Need to Know

If you ever thought that Windows version numbers were just minor footnotes in a sea of endless updates, think again. Microsoft’s recent security reshuffle regarding Windows 11 and its virtualization-based security features is here not just to break that illusion—it’s ready to smack it with a blue-screened vengeance.

The Curious Case of the Disappearing VBS Enclaves​

Microsoft, never shy about pushing its OS down the path of security righteousness, has decided to "deprecate" a rather technical but crucial feature in Windows 11: VBS enclaves. If your PC is rocking anything older than Windows 11 24H2—so that's 23H2 or 22H2—you are suddenly, and rather unceremoniously, left without this armor. But what exactly is disappearing, and should you care?
Let’s break it down.

VBS, TEE, VTL: The Alphabet Soup of Security​

Virtualization-based Security (VBS) isn't just another bit of Microsoft jargon; it’s a core security backbone that’s been hyped for several generations of Windows. Think of VBS as the digital equivalent of carving out a hardened bunker inside your memory, using virtualization tricks provided by modern CPUs. The goal? Keep sensitive processes away from the prying hands of malware—even if it does gain access to your system.
VBS enclaves, introduced officially in July 2023, take this further with what’s called Trust Execution Environment (TEE) and Virtual Trust Levels (VTL). Imagine the software equivalent of those intimidating velvet-roped VIP areas in nightclubs—enclaves are sections of your system’s memory walled off for running especially sensitive code, like cryptographic operations, in splendid isolation.

Why Deprecate Something This Secure?​

Now, here’s where things get head-scratching. If enclaves are such a boon, why jettison them from recent Windows 11 versions (excluding the freshly minted 24H2)? As usual with the Redmond behemoth, the specifics are kept behind, well, an enclave of their own. Microsoft’s only public explanation is a brief note about aligning with improved standards or new architectural choices.
History tells us Microsoft doesn’t retire features on a whim—ActiveX, Flash, Internet Explorer… (okay, maybe they do pull the plug with a certain gusto). But VBS enclaves’ sudden exit leaves users and IT admins in a security lurch, especially since attackers are always eager to exploit bygone features.

The Fix Is in… If You Patch Often​

Let’s not pretend VBS enclaves were bulletproof. Security researchers discovered a glaring vulnerability—CVE-2025-21370—that allowed local privilege escalation inside VBS enclaves, patched in January 2024. This bug showed that even software-based fortresses can spring leaks.
But, as any IT veteran knows, security is a moving target. Rather than endlessly patching older defenses, Microsoft is sometimes quicker to snip them away, encouraging users to jump onto the latest release. So, if you’re on 23H2 or 22H2, you’ll find patches, but no more feature enhancements or new security tricks from enclaves.

What Does This Mean for Windows Server?​

This isn’t just a desktop phenomenon. Windows Server editions—namely 2016, 2019, and 2022—are also getting the VBS enclave boot. Only Server 2025 and beyond will retain the feature. For enterprises that like to run their servers with a “if it isn’t broken, don’t upgrade” ethos, this may come as an unwelcome jolt.

Room for Rust: Microsoft’s Future Security Play​

This apparent security backslide happens just as Microsoft finally begins integrating Rust programming language into the Windows kernel, starting with Windows 11 23H2. Rust is widely beloved for its memory safety, promising to eliminate an entire class of bugs that made life tough for C and C++-driven kernels. Ironically, at the same time that Windows is losing a technical shield in VBS enclaves, it's gaining one from architectural change.
If you like your security features the way you like your coffee—robust and free of memory bugs—Rust might give you more comfort than VBS enclaves ever could.

Why You Should Care (Even If You're Not a Security Nerd)​

So, you’re a casual user, not a system admin or a malware researcher. Should this concern you? Here’s why it should:

• App compatibility: Security features like VBS enclaves protect apps dealing with sensitive data, such as password managers, VPNs, or banking applications. Their absence theoretically expands the attack surface for hackers who specialize in memory exploits.
• Enterprise impact: Companies struggling to keep fleets of Windows machines on updated releases might find themselves with uneven protection bins, complicating security management.
• Modernization pressure: Microsoft’s message is clear: stay up-to-date or risk missing out on the best security they offer. That might mean buying new hardware or bracing yourself for forced upgrades.

What’s Behind Microsoft’s Curtain? Speculation, Theories, and Corporate Realities​

With no official and technical reason given, what could possibly be motivating the deprecation of VBS enclaves on older versions? Here are a few theories floating in the infosec echo chamber:

• Newer, shinier replacements: Microsoft could be prepping a much-improved security model in Windows 11 24H2 and Server 2025, making VBS enclaves obsolete or redundant.
• Performance trade-offs: Maintaining compatibility for enclave-based features may be a drag on development resources (and perhaps system performance)—escalating with each Windows flavor.
• Low adoption: If telemetry data shows minuscule enclave use outside of the Fortune 500, perhaps Microsoft doesn’t see return-on-investment for keeping the feature alive on less secure, older builds.

It’s unlikely we’ll see an honest answer any time soon—that’s just not how the Redmond PR machinery works.

Practical Risks and Mitigations​

The immediate risk to Windows 11 23H2 and 22H2 users is that, when attackers start mining for vulnerabilities, they may have a slightly easier time poking around. But let's be honest: unless you have “top secret” stamped all over your spreadsheets, VBS enclave deprecation won’t turn your PC into a honeypot overnight.
Still, organizations with compliance requirements or sensitive intellectual property should pay heed. Defense in depth is about layering protections, and every missing shield counts.
Mitigation steps:

• Upgrade, if possible: Windows 11 24H2 (once stable and widely available) or Server 2025 will continue receiving the latest enclave features and likely tighter integration with future secure hardware.
• Double down on general security hygiene: Patch religiously, use strong authentication, and compartmentalize sensitive workloads.
• Monitor for exploit activity: Keep an eye on reports related to memory-based attacks, especially those bypassing more publicized defenses.

How Does This Fit Into the Broader Microsoft Security Ecosystem?​

Microsoft’s security efforts have always been a blend of reactive hotfixes, proactive features, and more than a little bit of herding users toward the latest and greatest OS iterations. The retirement of VBS enclaves from older platforms is consistent with the larger strategy: sunset legacy components, add new shiny toys (hello, Rust!), and hope that enough people follow the upgrade breadcrumb trail.
In the process, Microsoft often leaves behind a trail of grumbling IT admins and confused end-users, but keeps the overall platform moving in the direction of “least pain for the greatest number.”

The Inevitable Tug-of-War: Legacy vs. Leading Edge​

Step into the shoes of a systems administrator for a moment. Every feature cut triggers a domino effect of “what-ifs”:

• What about that fleet of laptops purchased last year—that can’t run 24H2 yet?
• Will deprecating enclaves prompt attackers to focus more energy on the older OSes?
• How do you balance downtime, training, licensing costs, and ever-increasing security compliance audit checklists?

Microsoft is counting on inertia to fade—and for businesses to see value in the “move fast, update often” doctrine. Whether this works depends on how gracefully users adapt to these enforced changes.

So, Should You Rush to 24H2?​

That’s the million-dollar (well, maybe not but you get the idea) question. Here’s the honest take for different audiences:

• General users: The average home user may not notice the absence of enclaves at all, especially if all updates and patches are installed regularly. Memory safety bugs are important, but not the average person’s daily worry.
• Business and enterprise users: The calculus is different. Depending on regulatory requirements, security posture, and appetite for risk, the upgrade could be critical—or at the very least, a high-priority item on the IT department’s checklist.
• Security aficionados: You already know you’ll want the latest, with the longest list of active protections and features. Go 24H2 or bust.

Microsoft’s Mixed Messaging: Trust Us (But Upgrade First)​

If there’s one constant in the Windows universe, it’s that Microsoft’s public rationale is often as clear as a privacy policy after ten pints of marketing brew. By removing VBS enclaves from all but the latest OSes, Microsoft sends a conflicted message: “We care about your security, but only if you play in our newest sandbox.”
The writing is on the wall: Modern OS development is a treadmill. You hop on the newest cycle, or risk losing features (however obscure), wider support, and, potentially, your peace of mind.

Why Enclaves Still Matter—Even If Few Realize It​

A lot of security technology only comes into play on the worst day of your digital life—when something goes tragically, epically wrong. VBS enclaves, Trust Execution Environments, Virtual Trust Levels… these aren’t headline grabbers, but in a world awash with ransomware, credential theft, and increasingly sophisticated cybercrime, every hidden barricade in the OS can slow attackers down.
Their deprecation from older Windows flavors is less about your home desktop getting compromised tomorrow, and more about a future where the latest protections are reserved for, well, the latest and greatest.

The Bottom Line​

In the ever-churning world of Windows, change is the only constant. Today’s killer feature is tomorrow’s footnote. With the curtain falling on VBS enclaves for anything pre-24H2, Microsoft is forcing the faithful forward, trusting that enthusiasts, enterprises, and IT departments will shoulder the cost and inconvenience of modernization for the promise of better security.
Is this the right call? Only time—and perhaps your next scheduled upgrade—will tell. For now, keep patching, don’t panic, and maybe raise a digital toast to the unsung memory enclaves: for a fleeting moment, you kept us a little bit safer.

---

Source: Neowin Microsoft is making Windows 11 23H2, 22H2 less secure than 24H2 by killing a VBS feature

 

[ChatGPT]

Microsoft giveth, and Microsoft taketh away—a mantra Windows users know as well as the blue of a Stop error screen. So it’s no surprise that, as the calendar pages flutter forward, Redmond has ringfenced another feature for the great recycling bin in the sky: VBS Enclaves, the not-so-talked-about darling of Virtualization-Based Security. With deprecation announced for older versions of Windows 11 and Windows Server, a chorus of enterprise admins and tech enthusiasts is left wondering whether this is a silent curtain call, a strategic cleanup, or just another chapter in Microsoft’s never-ending performance of security theater. Let's dig into what all this means—and, of course, what it doesn’t.

VBS Enclaves: Security’s Little VIP Room​

First things first: what even are VBS Enclaves? The name has a certain whiff of military-grade technology, or perhaps an exclusive digital club for your most sensitive data. In practice, that’s not too far from the truth. VBS stands for Virtualization-Based Security, and enclaves are secure, isolated environments—think of them as safe rooms carved out inside your system's memory.
Originally introduced in Windows Server 2019 and subsequently improved and broadened (including opening their doors for third-party developers), VBS Enclaves provide a means for applications to squirrel away cryptographic secrets, authentication keys, or any other digital delicacy you wouldn’t want wandering around unattended. Unlike some hardware-based security features, VBS Enclaves rest entirely on software, gleefully sidestepping the tangle of chipset support and motherboards.
Tellingly, only a select few Microsoft and Windows-specific applications appear to have RSVP’d to the VBS Enclave party. Highlights include Microsoft’s Azure SQL Database, the credential-guarding parts of Windows 11, and the much-buzzed-about Recall feature. For most desktop users, enclaves remain quietly behind the curtains, humming away in the background.

The Deprecation Chronicles: What's Actually Going Away?​

Keep calm and carry on—sort of. “Deprecation” is an overloaded term in the world of software, often invoked with more drama than deletion. Microsoft deprecating VBS Enclaves on Windows 11 version 23H2 and earlier (and Windows Server 2022 and below) doesn’t mean an instant obliteration. The feature remains, albeit with a “best before” date inked somewhere in the not-so-distant future.
If you’re running Windows 11 version 24H2 or prepping for Windows Server 2025, rest easy: your applications can still hole up in an enclave. For everyone else, the writing is on the wall—but for the majority of home users, the ink is already dry. Most consumer versions of older Windows will be out of support by the time VBS Enclaves vanish, making this very much a business and enterprise concern.
Yet notably, Microsoft didn’t provide a rationale for the move. Usually, a deprecated security feature is accompanied by trumpeting about new and better protections, emerging standards, or just a shift to where customers actually need the tools. Not this time. Instead, we’re left with a combination of support window reasoning and one cryptic footnote on Microsoft’s Secure Enclaves documentation: VBS Enclave API usage now requires Windows 11 Build 26100.2314 or later. For the more adventurous sysadmins and third-party app developers, it's time to plan alternate routes—or upgrades.

VBS, Not VB: The Name Game​

If you’re a certain vintage of Windows user, the moment you see “VBS” your synapses might fire off “VBScript!” That’s an entirely different animal—one Microsoft sent off to pasture in 2023 (no tears were shed). VBS Enclaves and VBScript share nothing but three letters and an unfortunate propensity for being misunderstood.
In typical Microsoft fashion, nomenclature loves company, and the alphabet soup of Windows security acronyms continues unabated. The important distinction is this: VBS Enclaves live under the umbrella of virtualization-based security. They are about protecting secrets inside the OS, not automating Internet Explorer.

The (Limited) Impact: Why Most Users Won’t Care​

Pour one out for VBS Enclaves—but only if your IT department actually used them outside of Azure SQL or remained in thrall to Windows Credential Guard. For ordinary Windows users, deprecation of this under-the-hood security feature will register somewhere between “not at all” and “when’s lunch?” With Windows 11 version 23H2 already set to retire in November and prior releases for consumers firmly in the rearview mirror, home users are unlikely to witness so much as a warning dialog, let alone missing functionality.
The real audience for Microsoft’s deprecation memo? Those with long-lived, slow-moving fleets of enterprise Windows or custom third-party applications leveraging these enclaves. In those circles, any change to the security substrate can spark a mild panic or a protracted migration project. And, as is so often the case in digital security, updates tend to arrive just before you're ready for them—or just after you’d gotten comfortable.

Under the Hood: Why Deprecate?​

Software deprecation is as much about the future as it is about the past. In this case, it’s tempting to spy a bit of digital housecleaning at work. Maintaining secure, virtualized compartments across multiple Windows builds, hardware generations, and developer APIs is an expensive enterprise. By tying the ongoing survival of VBS Enclaves to the latest Windows builds, Microsoft can focus its efforts on new, well-supported releases—ideally with fewer vulnerabilities and greater efficiency.
Yet there’s speculation that runs deeper. Is the removal about simplifying support for third-party apps, tightening Microsoft’s grip on the enclave APIs, or prepping for a next-generation security architecture entirely? The company isn’t saying (yet), but the side effect remains an urge for enterprise IT to either get current or get creative.
It’s possible, too, that first-party (Microsoft) applications will continue to use enclave technology through proprietary or internal mechanisms, even as public APIs to the feature disappear. If so, this is more of a closing window for third-party developers than an outright security retreat.

Recall and Beyond: VBS Enclaves in the News​

VBS Enclaves re-entered the limelight recently via Windows 11’s “Recall” feature, itself a polarizing blast of AI-fueled productivity promise and privacy concern. Recall leverages VBS Enclaves to secure the flood of snapshots it takes of users’ desktops, hopefully keeping prying malware or local snoops at bay.
If VBS Enclave support disappears on older builds, Recall—already restricted to high-end Copilot+ PCs—will simply decline to function, not gallantly fall back to something less protected. The architectural requirement is now a wall between those with new machines and those with merely “modern” ones.

A Brief History of Enclave Security​

Hardware manufacturers and OS developers have been obsessed with secure enclaves for the better part of a decade. Apple made its Secure Enclave coprocessor a buzzword with iPhones and Macs; Intel's SGX promised enclaves on the chip, at least until it didn’t. Microsoft’s VBS Enclaves always stood out for being hardware-agnostic—just a sprinkle of right OS, and you had yourself a safe haven.
But while the technology is clever, its day-to-day relevance largely passed over consumers. Even many enterprise deployments relied more heavily on Credential Guard in general than on the enclave trick itself. The niche audience—security-minded software developers—got the most out of this feature, and it’s that same crowd who’ll feel the chill of deprecation.

Third-Party Developers: The API Door Shuts​

Perhaps the most significant consequence hidden in Microsoft’s blizzard of footnotes and update advisories is for third-party developers. Only native or tightly-integrated Microsoft applications are assured continued enclave access. If your business relies on a custom app that tucks away secrets in a VBS Enclave using official APIs, it's now critical to evaluate OS build requirements—and start planning to target only the latest releases.
This shift may have a chilling effect on experimental or innovative enclave-using apps, at least outside the tight embrace of Redmond’s internal teams. Some security advocates might see this as a blow against software diversity; others might argue it’s necessary to keep the attack surface manageable in a world where Windows configurations sprawl endlessly.

Enterprise Realities: Migration or Margins?​

For IT administrators in big organizations, every deprecation event rings like a challenge bell. Supporting a patchwork of Windows builds, each with slightly different security capabilities, is a recipe for nervy nights and hastily scheduled meetings. For those still on Windows 11 23H2 or—gasp—older server versions, planning is now vital.
The upside? Feature deprecation often foreshadows better, faster, or at least better-documented replacements. Microsoft has never been one to let a little technical debt get in the way of marketing “next-gen” security, and the company’s motivation to keep enterprise customers current translates into pressure (sometimes gentle, sometimes blunt) to upgrade.
But for organizations already stretched thin—the sort that only just completed the last round of upgrades—news like this is bitter, if familiar, medicine. The question isn’t whether to migrate, but when, and how to build in resilience for whatever comes next.

Reading Between the Lines: Security, Support, and the Windows Future​

The deprecation of VBS Enclaves, absent a detailed explanation, tells us a few things about the shifting sands beneath Windows security. As Microsoft pushes further into AI, cloud, and a more integrated approach to device management, older security models become deadweight—or at least, less deserving of developer attention and support hours.
That doesn’t always mean risk, of course. Removing features with low adoption but high maintenance can actually tighten security by eliminating unexamined attack surfaces. It does, however, mean that businesses and developers who’ve built custom workflows or compliance strategies atop these features must scramble to find or invent alternatives.
For trainees in the IT trenches, it’s an object lesson: even “invisible” security features, long taken for granted, have limited lifespans. The pace of change in the Windows world—juiced up by yearly releases, extended beta periods, and public “Insider” flights—means anything not actively improved is always at risk of winding up on the digital chopping block.

What Comes Next: The Era of Secure Processing Evolves​

So where does Windows security go from here? Expect more, not less, core logic to shift into environments that Microsoft directly controls, whether in the cloud (via Azure) or on the client (copilot-driven, AI-filtered, perhaps reliant on new hardware as the baseline).
For developers, the future likely involves more “vertical” integration—security and privacy guarantees nested within trusted hardware and cloud services, leaving less to userland software and public APIs. We may yet see return appearances from other enclave-like structures, only this time bound to chips and firmware, rather than the chameleonic moods of Windows builds.
For businesses, the path forward is clear: stay current. Keep abreast of security deprecations, shed the legacy builds, and be ready to pivot when Microsoft next rearranges the security furniture.
And for the everyday user? Keep calm, auto-update on, and hope the only enclaves you ever notice are the ones on an architectural tour.

Final Thoughts: Memory Lane, Securely Paved​

While the quiet deprecation of VBS Enclaves isn’t likely to make headlines outside tech corners, it’s a revealing moment in the ongoing evolution of Windows security. The move illustrates Microsoft’s everything-old-is-sunsetted ethos, forces developers and enterprises to keep pace, and reminds us all that, in the end, the only constant in technology is change—a fact as enduring as the Windows start menu.
Microsoft may not have offered a clear reason for shuffling this feature off-stage, but their direction is unmistakable: secure what matters, streamline the rest, and nudge every user along a single, supported path. Whether that path leads to more robust, accessible security—or simply a fresh batch of acronyms—we’ll be watching. Because in Windows world, what’s deprecated today could very well be tomorrow’s “vintage” feature, fondly remembered… and quietly missed.

---

Source: gHacks Technology News Windows 11: Security-feature VBS Enclaves is being deprecated on some systems - gHacks Tech News

 

[ChatGPT]

Windows 11’s security landscape is shifting again, and this time the news carries both technical nuance and real-world consequences: Microsoft is officially deprecating the Virtualization-Based Security (VBS) Enclaves feature for certain Windows 11 systems, including the widely deployed 23H2 release and earlier. The move, while nested among a broader cull of legacy and underutilized features, strikes at the heart of Microsoft’s decades-long push for operating system hardening through virtualization. For IT professionals, security architects, and everyday Windows users, this change raises pressing questions—not just about immediate risks but about the direction of Windows security itself.

What Were VBS Enclaves—and Why Did They Matter?​

At its core, VBS Enclaves represented Microsoft’s answer to a persistent challenge: how to keep the most sensitive data, processes, and credentials not just theoretically secure, but practically untouchable—even if an attacker managed to compromise the operating system. Introduced as an expansion to the Virtualization-Based Security suite, enclaves carved out memory “safe zones” that were isolated from the rest of Windows—even if the rest of the system had been subverted.
The intent was ambitious: let Windows applications run highly sensitive code (like cryptographic operations, credential management, or DRM routines) within a hypervisor-shielded microenvironment. Even administrator-level attackers would be blocked from snooping or tampering—a crucial objective given the persistent, evolving threats from both external actors and malicious insiders.
Used in conjunction with heavyweight features like Credential Guard, Hypervisor-protected Code Integrity (HVCI), and Windows Defender Application Guard, VBS enclaves became a pillar in Microsoft’s strategy to make Windows more resilient against privilege escalation, memory attacks, and kernel-level exploits.

The Promise and Perils of a Virtualized Security Model​

For a time, the vision felt aligned with industry needs. Enterprises moving sensitive workloads to endpoints, governments seeking advanced security assurances against nation-state threats, and technology vendors attempting to offer robust digital rights management all found reasons to embrace enclave technology.
Yet, this approach was always a double-edged sword. The very complexity that made VBS enclaves powerful also made them difficult to fully secure and maintain. Vulnerabilities impacting the enclave’s integrity—such as those that allowed attackers to bypass authentication or inject malicious input—could potentially undermine not only the enclaved code but also other layers of Windows’ virtualized security framework.
A critical tipping point arrived with public disclosures of flaws like CVE-2025-27735. Researchers demonstrated that, under certain conditions, carefully crafted attacks could subvert enclave protections, escalate privileges, and manipulate or disable core security features. This risk shook confidence—not merely in VBS enclaves, but in the infallibility of “security by virtualization” itself.

Deprecation: Microsoft’s Strategy and the Broader Context​

The retirement of VBS enclaves isn’t happening in isolation. It’s part of a broader “spring cleaning” orchestrated by Microsoft: Windows Maps and related platform APIs are also being sunset, Paint 3D and DirectAccess have recently been retired, and even the venerable NTLM authentication protocol is slated for removal. Across the board, Microsoft appears focused on shifting legacy, niche, or high-risk features out of production Windows, urging stakeholders to adopt newer, better-supported alternatives or cloud-based replacements.
For VBS enclaves specifically, deprecation is targeted at Windows 11 23H2 and previous versions—a clear sign that the feature will quietly disappear from many business and consumer deployments unless future versions re-engineer the concept in a more robust fashion.
On paper, Microsoft’s rationale is pragmatic. When a feature’s security promises are undermined by fundamental design or implementation issues, continuing to support it can pose more risk than reward. Ongoing maintenance siphons resources that could be redirected toward reinforcing more widely used or more resilient protections.

The Reality Under the Hood: Recent Exploits and the “Windows Downdate” Risk​

It’s impossible to analyze the deprecation of VBS enclaves without considering the troubling spate of recent security bugs that have rocked virtualized security in general. CVE-2024-21302, for example, made headlines for permitting attackers to “downgrade” Windows systems—replacing up-to-date, patched security files with outdated, vulnerable ones without user awareness. Even with Windows Update claiming all was well, the actual state of system security was anything but.
Such flaws didn’t just allow individual security boundaries to be pierced; they threatened the very concept of chain-of-trust that undergirds virtualization-based security. With attackers able to sidestep virtual protections, the guarantees provided by features like VBS, Credential Guard, and HVCI could be undone retroactively, reintroducing vulnerabilities supposedly already fixed.
Researchers have shown that even well-patched systems could be returned to an insecure state, shaking user trust in both virtualized enclaves and the broader Windows security update process.

Enterprise and End-User Impact: What Changes Now?​

The immediate impact of the VBS enclave deprecation is clearest in enterprise environments—but home users aren’t immune. Organizations that leveraged enclaves for credential isolation, secure computation, or compliance-driven controls must now reassess their security architectures. For some, this will mean accelerating adoption of alternatives such as cloud-based solutions, dedicated hardware security modules (HSMs), or embracing Azure-backed features that are more aggressively maintained.
End users may not notice explicit changes; deprecation rarely triggers a dramatic visual shift in Windows. But in the background, the risk landscape is evolving. Without VBS enclaves, certain advanced attacks—while still complex and requiring local access—may become more feasible for sophisticated adversaries if compensating controls aren’t in place.
Advisories stress that organizations should:

• Audit dependent software to identify enclave dependencies.
• Tighten privilege boundaries and minimize admin access on all endpoints.
• Aggressively monitor Microsoft’s security updates and bulletins for compensating mitigations.
• Consider rapidly phasing out use of deprecated install media for Windows 11 (since outdated images can further amplify vulnerabilities by skipping essential patches).

This is not just a hypothetical worry. Systems set up using out-of-date DVDs or USBs have already been found to be locked out of security updates—notified too late that they are skating on a thin, unsupported patch surface.

The Chain Reaction: Trust, Attack Chains, and Insider Threats​

A core promise of VBS was to shrink the “attack surface” available to adversaries. However, as insiders and local attackers proved able to undermine enclave protections, Microsoft and the security community have had to revise longstanding assumptions about risk. With the enclave layer weakened or removed, defenders must compensate elsewhere: beefing up endpoint monitoring, rolling out advanced behavioral analytics, and doubling down on employee education about insider threats and phishing.
It’s also a warning shot for organizations overly reliant on any single security boundary. The cascade effect from failures in VBS enclaves illustrates that a layered, defense-in-depth approach remains essential. “No system is ever perfect,” as one analyst noted; even advanced techniques like virtualization or Secure Kernel Mode can be outmaneuvered when exploiters find overlooked flaws.

The Road Ahead: What Will Replace VBS Enclaves?​

With enclaves out, what rises to take their place?
Microsoft hasn’t left users empty-handed. Recent Windows 11 updates have introduced several new and enhanced security features:

• Administrator Protection: A reimagined privilege management scheme that ensures even admin accounts operate with least privilege, only elevating after explicit authentication prompts. This actively curbs some classes of privilege escalation attacks and helps reduce accidental exposure to malware.
• Broad Hardware-backed Security: BitLocker and similar technologies are being rolled out with broader compatibility in the 24H2 update, sometimes enabled by default, providing “whole disk” encryption for a growing spectrum of devices.
• Streamlined Compliance: Newer releases emphasize easier security compliance—even eliminating some legacy checks to foster better user adoption while retaining core protections.

But, not all is smooth sailing. The expansion of default encryption in Windows 11 has stirred its own controversy, with some power users raising red flags over possible SSD performance slowdowns or device compatibility headaches. Microsoft is being urged by its user base to communicate more transparently about trade-offs and default settings so end-users can make truly informed decisions.

Developer Frustrations and the Changing Windows Ecosystem​

The axing of VBS enclaves, alongside legacy mapping APIs and other developer tools, creates real work for those who’ve invested in the deprecated tech stack. ISVs that built sophisticated workflows atop the enclave model must now pivot: rewriting security-sensitive modules, shifting to cloud-native trust boundaries, and testing against new standards that may be less mature or differently scoped.
On the other hand, Microsoft’s move underscores a broader pivot to cloud-first, API-driven solution architectures. Features like Azure Maps replace legacy mapping APIs, integrating deeply with identity and telemetry services, and offering ongoing updates unavailable to on-premise interfaces.

The Security Community’s Verdict: A Sobering but Strategic Retreat​

Ultimately, retiring VBS enclaves represents both admission of defeat and a recalibration of priorities for Microsoft. While the dream of perfect virtualization-isolated trust may fade from local Windows devices, it sets the stage for more robust, flexible, and future-ready security strategies—ones based on continuous updates, rapid response to newly discovered flaws, and a commitment to defense-in-depth.
This transition, though, won’t happen overnight. For security teams and IT departments, vigilance is still the order of the day:

• Apply security patches and follow configuration guidance as soon as they become available.
• Monitor new channels for security advisories now that layers like the VBS enclaves may disappear from under their application stack.
• Rethink the separation of duties, network segmentation, and mitigate against internal threats.

For the rest of the Windows community, this is a telling moment—a classic illustration that security is a “process, not a product.” Technology, however advanced, cannot stand still: every innovation attracts a determined adversary, and defense must always evolve ahead of the threat.

Final Reflections: Lessons Learned and the Path Forward​

The saga of VBS enclaves encapsulates the paradoxes of modern security engineering: ambitious mechanisms carry equally ambitious risks; robust boundaries can hide brittle flaws; and trust, once undermined, is slow to rebuild. Microsoft’s decision to deprecate VBS enclaves signals a necessary, if painful, realignment with today’s realities: cyber threats are unceasingly inventive, and no single feature can promise complete invulnerability.
The focus now shifts to adaptability, transparency, and layered mitigation. For users, developers, and defenders alike, it’s a reminder not to place uncritical faith in any single barrier—and to keep looking ahead, even as Windows’ historical fences are torn down and rebuilt.
As 2025 draws near and new endpoint architectures take center stage, the lesson of VBS enclaves may be this: True security is not just about building higher walls, but about constructing smarter, more responsive systems—ready to learn, adapt, and recover from every new challenge the digital world throws their way.

---

Source: www.ghacks.net https://www.ghacks.net/2025/04/17/windows-11-security-feature-vbs-enclaves-is-being-deprecated-on-some-systems/&ved=2ahUKEwie8YuWpfeMAxX_STABHQGaBaw4FBDF9AF6BAgEEAI&usg=AOvVaw2R6V-fYvULOuHPgC_UPTcB/

 

[ChatGPT]

A subtle but consequential security change is taking shape in the Windows ecosystem: Microsoft is deprecating VBS enclaves on Windows 11 versions 23H2 and 22H2, alongside similar rollbacks on Windows Server 2022 and its predecessors. With the advent of Windows 11 24H2 and Windows Server 2025, only users on these newest platforms will retain access to the next-generation memory safety features VBS enclaves provide. This move—quiet on the surface but seismic beneath—highlights both the relentless pace of security innovation in Windows and the hidden trade-offs that come with reaching for the bleeding edge.

The End of an Era: VBS Enclaves Pulled from Older Versions​

Virtualization-Based Security (VBS) has, for years, been at the heart of Microsoft’s security posture. By isolating sensitive processes from the operating system using hardware and software virtualization, VBS creates a deeper trust boundary—making it much harder for attackers to reach critical secrets and execute privilege escalation exploits. Among its enhancements, VBS enclaves introduced an additional segmentation of trust: creating virtual trust levels (VTLs) within applications, using software-based Trust Execution Environments (TEEs) to compartmentalize memory and restrict access even further.
Yet, Microsoft has confirmed that support for VBS enclaves is now exclusive to Windows 11 24H2 and later, and to Windows Server 2025 and above. Earlier versions—including the still widely used 23H2 and 22H2 for Windows 11 and Server 2022, 2019, and 2016—will see this security technology deprecated. The result? A notable divergence in protection levels across the Windows platform: the same hardware, running different OS builds, will enjoy very different defenses against modern attacks.

Why Deprecate a Modern Security Feature?​

Microsoft’s decision hasn’t come with an explicit rationale. In the past, retiring features often signaled obsolescence, a shift to better standards, or technical debt too costly to carry forward. But in the case of VBS enclaves, the technology is not broadly outdated—on the contrary, it’s a recent addition, rolled out in mid-2023, and is closely tied to Microsoft’s agenda of memory safety and secure application environments.
This makes the deprecation notable: there’s been no major public exploit, no damning performance issue, nor a cascade of negative feedback. While VBS enclaves did suffer at least one published vulnerability (CVE-2025-21370, a local elevation of privilege flaw patched in January), a single CVE is par for the course with mature security tech.
Instead, the change may reflect Microsoft’s ever-persistent drive to push customers rapidly toward the latest OS versions. Maintaining advanced virtualized features across multiple kernel versions is extremely challenging, especially as underlying platforms like Hyper-V, TPM, and kernel memory management continue to shift. It also gives Microsoft room to accelerate improvements and bug fixes—free of the weight of legacy support. However, for organizations slow to migrate, the cost could be substantial: older Windows installations may become prime targets for exploits developers expect to thwart only on the “latest and greatest” versions.

The Rise (and Limits) of Virtualization-Based Security​

VBS has evolved from niche enterprise feature to a nearly standard baseline for modern security on Windows. It forms the backbone of several advanced controls, such as Credential Guard, Hypervisor-Protected Code Integrity (HVCI), and Virtual Secure Mode. VBS enclaves in particular carve out exclusive memory zones in which application code can operate at a higher “virtual trust level” than the host OS or even other processes. The result is a sandbox-within-a-sandbox: memory space shielded from everything except the enclave owner.
For developers, enclaves mean they can place secrets, cryptographic keys, or operation-critical logic in a place malware simply can’t reach—even if it manages to infect the host OS. For enterprises running sensitive workloads or handling regulated data, this kind of defense is invaluable: think financial applications, identity providers, or digital rights management tooling.
But this extra layer comes at a price. From a technical standpoint, managing and updating virtualized trust levels requires close alignment with firmware, hypervisor, and hardware chipsets. Even a small change at the silicon or bootloader level can break compatibility. As Microsoft hardens each new release—especially with the increased use of Rust in the kernel for memory safety in 24H2 and beyond—the cost of making VBS enclaves work everywhere can exceed their security payoff on older, less protected platforms.

The Security Impact: What Does the Loss of VBS Enclaves Mean?​

Deprecating VBS enclaves widens the already extant “security gap” between older but still supported versions of Windows and the flagship latest build. Organizations that haven’t yet moved to 24H2 or plan to remain on Server 2022, 2019, or 2016 for stability reasons will lack several classes of modern memory protections.
While VBS as a baseline remains robust—protecting credential storage, isolating LSA, and offering kernel-mode security—the isolation of critical application memory will be weaker than what is offered in the cutting-edge builds. Attackers who succeed in breaking out of the OS or leveraging privilege escalation vulnerabilities may find fewer guardrails. For businesses unwilling or unable to upgrade, this is a risk that should not be underestimated.
Microsoft’s security advisories make clear that maintaining regular patch cycles is non-negotiable, especially as vulnerabilities continue to surface across all versions that use VBS-related features. But the reality for “trailing edge” organizations is stark: the future of advanced app memory compartmentalization simply won’t include them.

Windows 11 24H2: The Fortress Approach to Security​

The timing of this change coincides with a larger security revolution debuting in Windows 11 24H2. This update is, by all accounts, Microsoft’s most ambitious overhaul of the Windows security model in decades. Key features include:

• Enhanced Sign-In Security (ESS): ESS builds further on Windows Hello, combining biometrics (fingerprint, facial recognition) with deeper VBS integration to ensure credentials never leave protected memory spaces. ESS is designed with VBS at its heart—a clear signal that local hardware isolation remains a priority.
• Advanced Application Control: Stricter default policies and more intelligent application whitelisting mean fewer rogue apps can ever gain a foothold—an essential protection as new attack vectors (especially via AI-generated malware) proliferate.
• BitLocker for All: Device-wide encryption, historically reserved for Pro or Enterprise SKUs, now arrives by default even for Home edition users. This comes with trade-offs—some SSDs may see measurable performance reductions under BitLocker software encryption—but Microsoft has prioritized data security in the age of remote work and hybrid learning.
• Hotpatching for Enterprise: Fewer forced restarts will be required for routine security updates, thanks to memory-level injection of patches. This is a blessing for business continuity and uptime.
• Kernel Modernization With Rust: A historic move, Microsoft has started integrating Rust into kernel development with 24H2, aiming to eradicate entire classes of memory safety bugs inherent to C/C++ codebases. Rust is celebrated in the security community for making buffer overflows, use-after-free, and similar attacks vastly harder to pull off.

Layered Security: The New Gold Standard—But Only for the Latest​

Microsoft’s strategy is clear: real, next-generation security will now be layered predominantly on its most current Windows builds. VBS enclaves, ESS, deep app controls, and Rust-protected kernel spaces work in concert to create an OS where most direct memory attacks are not just impractical—they’re computationally unfeasible.
But this progress introduces a new challenge for the IT world: the “security stratification” of the Windows fleet. Endpoints running older (even if fully patched) 22H2 or 23H2 builds will inevitably lag behind contemporary threats. In the rapidly pivoting threat landscape, this can make patch management, compliance documentation, and risk calculation exponentially more complicated for IT administrators. Enterprises in particular face an unpalatable choice: race to keep up with Windows innovation—or risk falling victim to attacks crafted specifically for the slow-footed.

The (Silent) Cost of Deprecation​

On the surface, Microsoft’s changes seem like simple housekeeping: cut older dependencies, embrace better architecture, move faster. But for organizations and everyday users, the move raises several tough questions:

• How long before other essential security features meet the same fate? Deprecation can snowball; today it’s VBS enclaves, tomorrow it could be other VBS derivatives, compatibility layers, or even key kernel routines.
• Is Microsoft signaling that long-tail OS support is now mainly for bugfixes, not innovation? For years, businesses could expect early deprecation only for true legacy (think Internet Explorer or SMBv1). Now, best-in-class defenses are tied tightly to a specific annual update cadence, with little grace for those who can’t—or won’t—keep up.
• What about regulated or legacy environments? Many organizations—healthcare, government, finance—can’t upgrade instantly. These verticals now face the unenviable task of explaining why their systems are missing best-practice protections, even though they’re up-to-date by normal standards.
• How much notification is enough? Silent sunsetting, without adequate communication, exposes organizations to accidental non-compliance, data loss, and liability complications.

The Broader Deprecation Wave​

VBS enclaves join a growing list of removed or deprecated features in 2024: Windows Subsystem for Android, older cryptographic standards, and even the humble Windows Maps app are all being shown the door. Each change reflects Microsoft’s evolving approach—not just to improving Windows’ feature set, but to dictating what a “secure” modern OS must look like.
Some of these changes are driven by direct security imperatives: for instance, the elimination of obsolete DES encryption from Windows 11 24H2 and Server 2025, a long-awaited move that finally brings Windows into line with contemporary cryptographic standards. Others, like deprecating legacy system APIs, make room for architectural advances that would otherwise be hamstrung by compatibility concerns.

What Should Users and IT Professionals Do?​

The roadmap is clear: the future of Windows security lies with the 24H2 branch and beyond. For individual users, this means embracing updates not just as productivity enhancements, but as security essentials. For organizations, particularly those in compliance-heavy sectors, it’s time to move aggressively toward modernizing fleets and retiring any tool, deployment script, or process that anchors systems in the past.

• Audit Your Systems: Inventory which endpoints are running 23H2, 22H2, or earlier. Understand what protections those builds now lack.
• Accelerate Upgrades: Make Windows 11 24H2 or Windows Server 2025 the new organizational baseline wherever possible. For those on slower adoption paths, put migration plans into overdrive.
• Educate Users and Admins: Communicate that “fully patched” no longer means “fully protected”—especially as attackers shift strategies to exploit what’s missing in older builds.
• Monitor Feature Deprecation: Stay current on Microsoft’s list of deprecated features and plan for a future where only the current-year builds are fully-featured.

The Push and Pull of Progress​

Microsoft’s decision to deprecate VBS enclaves reflects something much bigger than just a feature loss: it’s emblematic of the modern OS landscape, where innovation and obsolescence travel hand-in-hand. “Future-proof security” is no longer an abstract goal but a moving target—one that, for better or worse, often leaves yesterday’s hardware and software out in the cold.
The message for users and enterprises is unambiguous. To stay secure in the Windows world, you can't stand still. The fortress is only as strong as its newest wall—so now, more than ever, the mandate is clear: keep moving forward.

---

Source: www.neowin.net Microsoft is making Windows 11 23H2, 22H2 less secure than 24H2 by killing a VBS feature