Solve IOMMU errors related to attestation with Shielded VMs
December 30, 2016
Q. I'm receiving an "IOMMU not required" error when trying to use Shielded VMs.
A. Shielded VMs with TPM-trusted attestation are governed by an attestation policy (the code integrity policy and hardware baseline held by the Host Guardian Service) that defines the required configuration of the Hyper-V host. An IOMMU is listed as a hardware requirement for using Credential Guard on a Hyper-V host per https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard. If attestation of a Hyper-V host fails with an IOMMU-related error in the Microsoft-Windows-HostGuardianService-Client/Operational event log, it is likely that the host has been configured to require Credential Guard (and with it DMA protection) even though the attestation policy does not require it, so the host's required security properties no longer match what the policy expects.
Run Get-ComputerInfo and compare DeviceGuardRequiredSecurityProperties with DeviceGuardAvailableSecurityProperties, e.g.
DeviceGuardRequiredSecurityProperties : {BaseVirtualizationSupport, SecureBoot}
DeviceGuardAvailableSecurityProperties : {BaseVirtualizationSupport, SecureBoot, DMAProtection}
In my example the attestation policy does not require an IOMMU, so the host must not require one either (DMAProtection is available but not required). Make sure the Device Guard policy applied to the host does not turn on Credential Guard, e.g.:
Open gpedit.msc
Navigate to Computer Configuration - Administrative Templates - System - Device Guard
Double click Turn on Virtualization Based Security
Ensure Virtualization Based Protection of Code Integrity is set to Enabled without lock (a setting that was enabled with UEFI lock cannot be changed by Group Policy alone)
Ensure Select Platform Security Level is Secure Boot rather than Secure Boot and DMA Protection, since the latter is what makes the host require an IOMMU
Set Credential Guard Configuration to Not Configured and click OK
Reboot
Note that this change is needed only because the attestation policy in my example did NOT require Credential Guard. The general point is that the host's virtualization-based security configuration must match whatever the attestation policy requires: a host that requires a property the policy does not (or lacks one the policy does) will fail attestation.
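The following script is an added example and is not part of the original article. It reads the same VBS state that Get-ComputerInfo summarises, but directly from the Win32_DeviceGuard WMI class, decodes the Group Policy registry values the Turn on Virtualization Based Security policy writes, and flags a host that requires DMA protection or Credential Guard when the attestation policy does not. The list of properties the attestation policy expects (the PolicyRequires parameter) is an assumption that mirrors the article's example output; adjust it to what your HGS baseline actually requires.

```powershell
# Added example, not from the original article: decode the host's VBS state the
# way HGS attestation sees it, show the Device Guard policy driving it, and flag
# a host that requires DMA protection (an IOMMU) when the attestation policy
# does not. Run in an elevated PowerShell session on the Hyper-V host.

# Value codes documented for the Win32_DeviceGuard WMI class.
$SecurityProperty = @{
    0 = 'None'; 1 = 'BaseVirtualizationSupport'; 2 = 'SecureBoot'; 3 = 'DMAProtection'
    4 = 'SecureMemoryOverwrite'; 5 = 'UEFICodeReadOnly'
    6 = 'SMMSecurityMitigations1.0'; 7 = 'ModeBasedExecutionControl'
}
$SecurityService = @{ 1 = 'CredentialGuard'; 2 = 'HypervisorEnforcedCodeIntegrity' }
# Values the "Turn On Virtualization Based Security" policy writes under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard.
$LockState     = @{ 0 = 'Disabled'; 1 = 'EnabledWithUefiLock'; 2 = 'EnabledWithoutLock' }
$PlatformLevel = @{ 1 = 'SecureBoot'; 3 = 'SecureBootAndDMAProtection' }

function Decode([object]$Value, [hashtable]$Map) {
    if ($null -eq $Value) { return 'NotConfigured' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown($Value)"
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Required   = @($dg.RequiredSecurityProperties  | ForEach-Object { Decode $_ $SecurityProperty })
        Available  = @($dg.AvailableSecurityProperties | ForEach-Object { Decode $_ $SecurityProperty })
        Configured = @($dg.SecurityServicesConfigured  | ForEach-Object { Decode $_ $SecurityService })
        Running    = @($dg.SecurityServicesRunning     | ForEach-Object { Decode $_ $SecurityService })
    }
}

function Get-DeviceGuardPolicy {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsEnabled       = Decode $p.EnableVirtualizationBasedSecurity @{ 0 = 'Disabled'; 1 = 'Enabled' }
        PlatformSecurity = Decode $p.RequirePlatformSecurityFeatures $PlatformLevel
        Hvci             = Decode $p.HypervisorEnforcedCodeIntegrity $LockState
        CredentialGuard  = Decode $p.LsaCfgFlags $LockState
    }
}

function Test-HgsVbsReadiness {
    # Assumption: $PolicyRequires lists the security properties the HGS attestation
    # policy expects the host to require. The default mirrors the article's example.
    param([string[]]$PolicyRequires = @('BaseVirtualizationSupport', 'SecureBoot'))
    $state  = Get-VbsState
    $policy = Get-DeviceGuardPolicy
    $findings = @()
    foreach ($prop in $state.Required) {
        if ($prop -notin $PolicyRequires) {
            $findings += "Host requires $prop but the attestation policy does not; this mismatch fails attestation."
        }
    }
    foreach ($prop in $PolicyRequires) {
        if ($prop -notin $state.Available) {
            $findings += "Attestation policy requires $prop but this hardware does not offer it."
        }
    }
    if ($policy.PlatformSecurity -eq 'SecureBootAndDMAProtection' -and 'DMAProtection' -notin $PolicyRequires) {
        $findings += 'Select Platform Security Level is "Secure Boot and DMA Protection"; set it to "Secure Boot".'
    }
    if ($policy.CredentialGuard -notin @('NotConfigured', 'Disabled')) {
        $findings += "Credential Guard Configuration is $($policy.CredentialGuard); set it to Not Configured and reboot."
    }
    [pscustomobject]@{ State = $state; Policy = $policy; Findings = $findings }
}

$result = Test-HgsVbsReadiness
$result.State  | Format-List
$result.Policy | Format-List
$result.Findings | ForEach-Object { Write-Warning $_ }

# What the HGS client itself reports, plus recent errors and warnings from the
# event log named in the article.
if (Get-Command Get-HgsClientConfiguration -ErrorAction SilentlyContinue) {
    Get-HgsClientConfiguration | Select-Object AttestationStatus, AttestationSubstatus
}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-HostGuardianService-Client/Operational'; Level = 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it before and after the Group Policy change and reboot: the Required list should shrink to exactly what the attestation policy expects, the Findings list should be empty, and AttestationStatus from Get-HgsClientConfiguration should report a passed attestation once the host re-attests.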