Is Virtualization-Based Security (VBS) supported on Windows VMs running on OpenShift Virtualization?

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (OCP) 4.19 and later
  • Red Hat OpenShift Virtualization 4.19 and later
  • Windows VMs

Issue

  • We want to enable Virtualization-Based Security (VBS) in Windows VMs in an OpenShift cluster.

Resolution

Note that enabling VBS can reduce guest performance, and in some scenarios the impact is significant. Enabling HVCI (Hypervisor-Protected Code Integrity) adds further overhead. See Windows Guest migrated from VMware shows high CPU utilization for the required tuning and known issues.

Follow these steps to configure Red Hat OpenShift Container Platform (RHOCP) for VBS:

  1. Refer to KCS 6692341 to confirm that the worker nodes have nested virtualization enabled.

  2. Enable all the VM features that VBS requires: a persistent vTPM, UEFI Secure Boot, virtualization extensions on the vCPU (nested virtualization) and Hyper-V enlightenments. Configure the VM as follows (only the relevant options are shown):

    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    spec:
      template:
        spec:
          domain:
            clock:
              timer:
                hyperv: {}
            cpu:
              features:
                - name: vmx   # <-- for Intel CPUs. Use 'svm' on AMD nodes
                  policy: require
            devices:
              tpm:
                persistent: true
            features:
              acpi: {}
              apic: {}
              hyperv:
                reenlightenment: {}
                ipi: {}
                synic: {}
                synictimer:
                  direct: {}
                spinlocks:
                  spinlocks: 8191
                reset: {}
                relaxed: {}
                vpindex: {}
                runtime: {}
                tlbflush: {}
                frequencies: {}
                vapic: {}
                evmcs: {}    # <--- Only for Intel CPUs
              smm: {}
            firmware:
              bootloader:
                efi:
                  persistent: true
                  secureBoot: true
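
The manifest above lists several independent settings, and a VM that is missing any one of them will not boot with VBS enabled. The following script is an added example (not part of this solution or of the OpenShift Virtualization project) that reads the JSON printed by `oc get vm <name> -o json` and reports which of the prerequisites listed in the Resolution and Root Cause sections are missing or inconsistent, including the Intel-only `evmcs` enlightenment appearing on an AMD (`svm`) VM. The embedded manifest is a constructed sample that mirrors the one above; the script name and the `oc` pipeline in the usage note are assumptions.

```python
"""Check a KubeVirt VirtualMachine manifest for the VBS prerequisites.

Added example (not Red Hat's or KubeVirt's code). Reads the JSON that
`oc get vm <name> -o json` prints and lists which VBS prerequisites
(persistent vTPM, UEFI Secure Boot, nested-virtualization CPU flag,
Hyper-V enlightenments, SMM) are missing or inconsistent.
"""
import json

# Hyper-V enlightenments from the solution's manifest; evmcs is checked
# separately because it is valid on Intel (vmx) nodes only.
HYPERV_ENLIGHTENMENTS = (
    "reenlightenment", "ipi", "synic", "synictimer", "spinlocks", "reset",
    "relaxed", "vpindex", "runtime", "tlbflush", "frequencies", "vapic",
)


def _get(obj, *path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def vbs_findings(vm):
    """Return a list of problems; an empty list means every prerequisite is present."""
    findings = []
    domain = _get(vm, "spec", "template", "spec", "domain") or {}

    if _get(domain, "devices", "tpm", "persistent") is not True:
        findings.append("devices.tpm.persistent must be true (persistent vTPM)")

    efi = _get(domain, "firmware", "bootloader", "efi")
    if efi is None:
        findings.append("firmware.bootloader.efi missing (UEFI firmware required)")
    else:
        if efi.get("secureBoot") is not True:
            findings.append("firmware.bootloader.efi.secureBoot must be true")
        if efi.get("persistent") is not True:
            findings.append("firmware.bootloader.efi.persistent must be true (persistent EFI variables)")
    if _get(domain, "features", "smm") is None:
        findings.append("features.smm missing (required by Secure Boot firmware)")

    # Nested virtualization exposed to the guest: vmx (Intel) or svm (AMD), policy require.
    required = {f.get("name") for f in _get(domain, "cpu", "features") or []
                if f.get("policy") == "require"}
    vendor_flags = required & {"vmx", "svm"}
    if not vendor_flags:
        findings.append("cpu.features must require 'vmx' (Intel) or 'svm' (AMD)")
    elif len(vendor_flags) == 2:
        findings.append("cpu.features requires both vmx and svm; no node can satisfy both")

    hyperv = _get(domain, "features", "hyperv")
    if hyperv is None:
        findings.append("features.hyperv missing (Hyper-V enlightenments)")
    else:
        for name in HYPERV_ENLIGHTENMENTS:
            if name not in hyperv:
                findings.append(f"features.hyperv.{name} missing")
            elif name == "spinlocks" and not isinstance(hyperv[name].get("spinlocks"), int):
                findings.append("features.hyperv.spinlocks.spinlocks (retry count) must be an integer")
        if "evmcs" in hyperv and "vmx" not in vendor_flags:
            findings.append("features.hyperv.evmcs is Intel-only; remove it on AMD nodes")
    if _get(domain, "clock", "timer", "hyperv") is None:
        findings.append("clock.timer.hyperv missing")
    return findings


# Constructed sample: the solution's manifest as `oc get vm -o json` would print it (Intel node).
INTEL_VM_JSON = """
{
  "apiVersion": "kubevirt.io/v1",
  "kind": "VirtualMachine",
  "spec": {"template": {"spec": {"domain": {
    "clock": {"timer": {"hyperv": {}}},
    "cpu": {"features": [{"name": "vmx", "policy": "require"}]},
    "devices": {"tpm": {"persistent": true}},
    "features": {
      "acpi": {}, "apic": {}, "smm": {},
      "hyperv": {
        "reenlightenment": {}, "ipi": {}, "synic": {}, "synictimer": {"direct": {}},
        "spinlocks": {"spinlocks": 8191}, "reset": {}, "relaxed": {}, "vpindex": {},
        "runtime": {}, "tlbflush": {}, "frequencies": {}, "vapic": {}, "evmcs": {}
      }
    },
    "firmware": {"bootloader": {"efi": {"persistent": true, "secureBoot": true}}}
  }}}}
}
"""


def check_json(text):
    """Parse `oc get vm -o json` output and return the findings."""
    return vbs_findings(json.loads(text))


def amd_misconfigured_example():
    """Constructed negative case: the Intel manifest moved to an AMD node unchanged, and no vTPM."""
    vm = json.loads(INTEL_VM_JSON)
    domain = vm["spec"]["template"]["spec"]["domain"]
    domain["cpu"]["features"] = [{"name": "svm", "policy": "require"}]
    del domain["devices"]["tpm"]
    return vbs_findings(vm)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else INTEL_VM_JSON
    for line in check_json(text) or ["all VBS prerequisites present"]:
        print(line)
```

Run it against a live VM with `oc get vm <name> -n <namespace> -o json | python3 check_vbs.py` (file name assumed); with no input it checks the embedded sample. The script only inspects the manifest; it does not verify that the worker node itself has nested virtualization enabled, which step 1 covers.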
    

Root Cause

VBS depends on several VM features:

  • vTPM
  • UEFI SecureBoot
  • Nested virtualization
  • Hyper-V enlightenments

vTPM and SecureBoot are available out of the box in OpenShift Virtualization 4.18+.

Nested virtualization must be explicitly enabled for the VM to make use of VBS. Nested virtualization is a Technology Preview feature, so it has a reduced support scope, but it can be supported for VBS. VBS support is documented in Certified Guest Operating Systems in OpenShift Virtualization, in the section "Microsoft Windows Features".


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.