Microsoft is planning to remove a security feature on versions of Windows 11 older than 24H2. The company has confirmed that it is deprecating VBS enclaves on the likes of Windows 11 23H2 and 22H2. The same is happening to Server 2022 and 2019/2016 as well. This essentially makes the older versions of Windows 11 and Windows Server less secure.
The company writes:
VBS enclaves are being deprecated on Windows 11, version 23H2 and earlier versions of Windows. Support for VBS enclaves will continue for Windows 11, version 24H2 and later.
VBS enclaves are being deprecated on Windows Server 2022 and earlier versions of Windows Server. Support for VBS enclaves will continue for Windows Server 2025 and later.
VBS enclaves were released in July last year, when the company also laid out the feature's system requirements. As the name suggests, VBS enclaves are built on VBS, or Virtualization-based Security.
VBS is an essential security feature on Windows 11 which Microsoft has pointed out several times in the past. So we are unsure why the company is removing one of the VBS features on the slightly older OSes. Microsoft also does not state the reason.
The tech giant typically removes older standards to improve the security of its software or introduces newer and improved ones. For example, it updated the way it collects user data on Edge recently, and is also gradually killing off ActiveX on Office apps.
For those of you wondering how VBS enclaves help, the feature is meant to improve the memory safety of apps by creating virtual trust levels (VTL) inside a software-based Trusted Execution Environment (TEE).
However, it is not infallible: Microsoft had to patch the CVE-2025-21370 VBS enclaves local elevation of privilege (LPE) vulnerability back in January. On the topic of memory safety, Microsoft also began integrating Rust into the Windows kernel back in 2024, on Windows 11 version 23H2.
You can view the list of deprecated features here on Microsoft's official website.
Update, May 5, 7.00 am GMT: Microsoft has updated the message to add new information regarding Extended Key Usage (EKU) and VBS enclaves support on Windows 11 versions 24H2 and earlier. It writes:
[Update May 2025] Existing enclaves signed with the EKU 1.3.6.1.4.1.311.76.57.1.15 will continue to be supported for all Windows 11, version 23H2 and earlier versions of Windows, so long as no changes are made to the enclave that requires a re-sign of it. If a re-sign of the enclave occurs, the new EKU will be used to re-sign and the enclave will only be supported on Windows 11, version 24H2 and later.
Existing enclaves signed with EKU 1.3.6.1.4.1.311.76.57.1.15 will continue to function without disruption on the following operating systems until a re-sign is needed:
- Windows 10, version 22H2
- Windows 11, version 22H2
- Windows 11, version 23H2
- Windows 11, version 24H2 and later
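As an added illustration that is not part of the article or of Microsoft's notice, the following PowerShell script inventories signed DLLs under a directory and flags those whose Authenticode signer certificate carries the EKU quoted above, so an administrator on a pre-24H2 host can see which enclave images would stop loading if they were re-signed. The directory path is a placeholder, and the 24H2 build number (26100) is supplied here, not by the article.

```powershell
# Added example (not from the article or from Microsoft): report signed DLLs whose
# signer certificate carries the legacy VBS enclave EKU named in the deprecation notice.
param(
    [string]$Path = "C:\Path\To\Enclaves"   # placeholder: directory holding your enclave DLLs
)

# EKU OID quoted in Microsoft's notice.
$LegacyEnclaveEku = '1.3.6.1.4.1.311.76.57.1.15'
# Windows 11 24H2 is build 26100 (not stated in the article); re-signed enclaves need it or later.
$MinSupportedBuild = 26100
$Build = [System.Environment]::OSVersion.Version.Build

function Get-EnhancedKeyUsageOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Extension 2.5.29.37 is Extended Key Usage; return its OIDs as strings.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $ext.Critical)
            return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    return @()
}

$results = Get-ChildItem -Path $Path -Filter *.dll -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($null -eq $sig.SignerCertificate) { return }   # unsigned file: cannot be a loadable enclave image
    $ekus = Get-EnhancedKeyUsageOids -Cert $sig.SignerCertificate
    [pscustomobject]@{
        File          = $_.FullName
        SignatureOK   = ($sig.Status -eq 'Valid')
        LegacyEnclave = ($ekus -contains $LegacyEnclaveEku)
        Thumbprint    = $sig.SignerCertificate.Thumbprint
    }
}

$results | Format-Table -AutoSize
$legacy = @($results | Where-Object LegacyEnclave)

if ($Build -lt $MinSupportedBuild -and $legacy.Count -gt 0) {
    $msg = "Host build {0} is older than 24H2: the {1} enclave image(s) above stay supported only until " +
           "they are re-signed; a re-sign moves them to the new EKU, which this build will not support."
    Write-Warning ($msg -f $Build, $legacy.Count)
}
```

The script only inspects the signer certificate, so a DLL signed with this EKU is reported as an enclave image whether or not it is actually loaded as one; treat the output as an inventory to confirm against your deployment, not as proof of use.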