Disable the little drawing (known as search highlights) in the Windows 10/11 search bar

After deploying new Windows 10/11 images with the latest updates, Microsoft has included Search highlights. You can see if you have search highlights enabled when having a little drawing in the search bar. When clicking on the search bar it extends with graphics and more crap.

So what are search highlights?

Designed to help Windows users discover more information and related content, search highlights present noteworthy, informative, and interesting information of what’s special about each day—like holidays, anniversaries, and other moments in time both globally and in your region

This new feature can be nice for home users but not for most enterprise environments. So I disable this feature for all the Windows 10/11 deployments.

Disable search highlights by using a Group Policy Object (GPO) 

  • Make sure you have at least the Administrative Templates (admx) for Windows 10 November 2021 Update (21H2) – v2.0 (link).
  • Copy the ADMX files to the Group Policy Central Store in the sysvol folder (example: \\<fqd domain name>\SYSVOL\<fqd domain name>\policies\PolicyDefinitions)
  • Create or edit a Group Policy Object (GPO) to the OU where the computer objects are placed
  • Browse to Computer Configuration – Policies – Administrative Templates – Windows Components – Search
  • Open the “Allow search highlights” setting and select Disable
  • Perform a “gpupdate /force”  on the Windows client

 

Disable search highlights by registry setting

Another method is by creating a registry key on the Windows 10/11 machine.

  • Execute the following command as administrator:
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "EnableDynamicContentInWSB" /t REG_DWORD /d "0" /f

Disabling this setting turns off search highlights in the taskbar search box and in search home.

Use Packer to install Windows 11 and enable vTPM and VBS

I use Packer for building images for VMware VDI environments. With the latest version (when writing this blog Packer version 1.7.7 is the latest version) it is not possible to configure a TPM in the Hashicorp Configuration Languag (HCL) config file. TPM 2.0 is required to install Windows 11. A vTPM emulates a physical TPM 2.0 and is available in VMware vSphere.

Update: January 27, 2022: Packer with the VMware vSphere plugin ((V1.0.3) has now support for adding a vTPM device. More information can be found here: link.

You can install Windows 11 using a registry hack (link) to bypass the TPM check:

reg ADD "HKLM\SYSTEM\Setup\LabConfig" /f /v BypassSecureBootCheck /t REG_DWORD /d 1

vCommunity member Sidney Laan from vEUCaddict wrote a nice blog about using Packer to install Windows 11 using this registry hack (link). When using this hack, it doesn’t enable vTPM or VBS.

For LAB environments, this is no issue but for production, environments you want to have a vTPM enabled and even Virtualization-Based Security (VBS) depending on the security requirements.

So what are TPM and VBS?

TPM

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys.

VBS

Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this “virtual secure mode” to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

source link

After the Windows 11 installation with Packer, it is possible to add a vTPM and even enable Virtualization-Based Security (VBS)  by using VMware PowerCLI.

Requirements

  • Use vCenter Server system versions 6.7 or later
  • Add a Key Provider (link)
  • Install PowerCLI by using the following command in PowerShell:
    • Install-Module VMware.PowerCLI -Scope CurrentUser
  • The Windows 11 VM must be powered off
  • Use VM hardware version 14 or higher
  • Don’t create a snapshot with Packer (create_snapshot = false)

PowerCLI Script

The following PowerCLI script can be executed after the Packer Windows 11 deployment. This script adds vTPM, enables VBS support, and creates a snapshot.

  • Change the variables for your environment.

# Import PowerCLI 
Import-Module VMware.PowerCLI

# Variables
$vcentername = "vcentername"
$VMTempName = "VMname"
$snapname = "v0.1"
$snapdescription = "Packer deployement with vTPM and VBS enabled"

# Connect to vCenter Server
Connect-VIServer -Server $vcentername

# Add vTPM
Write-Host 'Set vTPM' 
New-VTpm -VM $VMTempName

# Enable Virtualization Based Security (VBS)
Write-Host 'Enable VBS' 
$vm = Get-VM $VMTempName
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
$spec.NestedHVEnabled = $true
$boot = New-Object VMware.Vim.VirtualMachineBootOptions
$boot.EfiSecureBootEnabled = $true
$spec.BootOptions = $boot
$flags = New-Object VMware.Vim.VirtualMachineFlagInfo
$flags.VbsEnabled = $true
$flags.VvtdEnabled = $true
$spec.flags = $flags
$vm.ExtensionData.ReconfigVM($spec)

# Create Snapshot
Write-Host 'Create snapshot' -ForegroundColor green
Get-VM -Name $VMTempName | New-Snapshot -Name $snapname -Description $snapdescription
    
# Disconnect vCenter Server
Disconnect-VIServer -Server * -Confirm:$false
  • When the script is finished, vTPM and VBS support is added
  • Start the VM
  • Check if a TPM is displayed in Device Manager and with the TPM.MSC command

  • Using Powershell the command “Get-TPM” can check the presence of the TPM

    • For Enabling VBS (*1) go to “Device security” in Windows 11, select “Core isolation details” and enable “Memory Integrity”
        • Enabling VBS can also be done by using the following registry settings
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked"

More info: Link

(*1) Adding VBS in Windows 11 can have a performance impact on the VM

  • Reboot the VM

  • When the VM is restarted run “msinfo32”
  • Scroll down and check if “Virtualization-Based Security” is running

Adding the PowerCLI script after the Packer deployment will enable vTPM and VBS for the Windows 11 VM. I hope the vTPM and VBS options will be added soon in Packer so we use the HCL config file without the need for an extra PowerCLI script.

Install Windows 11 on VMware vSphere with a virtual TPM

Yesterday I wrote a blog called “Install Windows 11 as VM on VMware vSphere / Workstation without TPM 2.0 chipset“. In this blog article, I explained how to install Windows 11 without having a TPM 2.0 chipset by using a registry hack. Paul Braren from tinkertry.com created a cool video (link) about installing Windows 11 on VMware vSphere using my blog article. Bob Plankers (@plankers) replied on Twitter that virtual TPM can be used too. 

So I did some research in my home lab. With VMware vSphere and VMware Workstation, it is possible to install Windows 11 by using a vTPM device that emulates a physical TPM 2.0 chipset without having one. This is called Virtual Trusted Platform Module (vTPM). A vTPM performs the same functions as a hardware TPM, it performs cryptographic coprocessor capabilities in software So without having a physical TPM 2.0 you can run Windows 11 without performing any hacks to the Windows 11 Operating System.

In this blog post, I explain how to configure vTPM for VMware vSphere and install Windows 11. Here are the steps:

Requirements for vTPM

  • EFI firmware
  • Hardware Version 14 or later
  • vSphere 6.7 or later
  • Virtual Machine encryption
  • Key Provider. The Key Provider is used to enable encrypted technologies such as TPM

To enable vTPM you must first add a Key Provider

  • Open the vSphere Client URL (https://vcentername/ui)
  • Log-in
  • Click on the vCenter name – Configure and select Key Providers
  • Click on ADD
  • Select Add Native Key Provider. When using the Native Key provider you don’t need an external key server.
  • Enter a name for the Key Provider and uncheck “Use key provider only with TPM protected ESXi hosts (Recommended).

  • Select Backup and uncheck “Protect Native Key Provider data with password (Recommended)” and click on BACK UP KEY PROVIDER

  • The Key Provider is configured and active now

 

Windows 11 VM Configuration

For the Windows 11 VM configuration, I configured the following:

  • Create or download a Windows 11 ISO (for more information see the blog post mentioned at the beginning).
  • Copy the ISO to a datastore that can be accessed  when used to install Windows 11

In the vCenter client create a new VM with the following specification:

  • Configuration step 1: Create a new Virtual Machine
  • Configuration step 2: Enter the Virtual Machine name
  • Configuration step 3: Select the ESXi host or cluster for the VM
  • Configuration step 4: Select the datastore and select Encrypt this virtual machine

  • Configuration step 5: Compatibility: ESXi 7.0 U2 and later (I’m using ESXi 7)

  • Configuration step 6: Guest OS: Guest OS Family: Windows
    • Guest OS Version: Windows 10 (64-bit)
    • Enable Windows Virtualization Based Security: Check

  • Configuration step 7: CPU: 2 or more
    • Memory: 4 GB or more
    • Hard disk: 64 GB or more
    • CD/DVD: Mount the ISO on the datastore
    • Custom Hardware Select Add New Device and choose for Trusted Platform Module

 

  • Configuration step 8: VM configuration overview
    • Click on Finish

  • Start the VM and the installation begins without complaining that this PC can’t run Windows 11

Windows 11 can be installed without having a physical TPM 2.0 chipset or using the registry hack mentioned at the beginning of the blog post. How cool is that!