Nutanix AOS 6.8 (Release Notes) brings us migration support for credential guard enabled virtual machines. In this blog post I will show you how to create a Windows 11 22H2 virtual machine and enable options to meet the requirements needed to enable credential guard in Windows 11. (link)
- Secure Boot;
- Credential Guard;
- Virtual TPM (vTPM).
This machine will be used as a template virtual machine to deploy a non persistent Citrix VDI infrastructure. The Citrix infrastructure is already running in my lab, this blogpost will not cover that part. (Read this link to finetune the Nutanix AHV plugin)
Before we start you need to know that this will only work with hardware level Skylake and above. If you have older hardware you can’t do migration and the virtual machines will run very slow.
In Prism Central, create a new virtual machine named: Windows 11 – Golden Image
- Install Windows 11;
- For easier installation use an ISO with VirtIO drivers inserted. More info here;
- Run Windows update;
- Rename Computer to, for example, WIN11-GI
- Add to domain in the correct OU.
Set a GPO on the OU where the VDI virtual machines are stored. With the following setting:
No reboot the virtual machine and run the following powershell line:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
The command generates the following output:
- 0: Credential Guard is disabled (not running)
- 1: Credential Guard is enabled (running)
You can also check this with msinfo32.exe
No finalize your golden image with all required applications and don’t forget to add virusscanner exclusions and run Citrix optimizer.
The created VDI’s (and golden Image) can live migrate between hosts.
