Microsoft announced the deprecation of the security feature VBS Enclaves today for earlier versions of Windows 11 and Windows Server. Based on VBS, Virtualized-Based Security, VBS Enclaves were formally introduced by Microsoft in Windows Server 2019. Microsoft improved the feature ever since, for instance by opening it up for third-party apps last year.

The deprecation announcement offers no explanation why the feature is being removed from older versions of Windows 11 and Windows Server.

The details:

• VBS Enclaves continue to be supported in Windows 11, version 24H2 and later, or Windows Server 2025 and later.
• The feature is deprecated on Windows 11, version 23H2 and earlier, and Windows Server 2022 and earlier.

Note: This has nothing to do with VBScript, which Microsoft deprecated in 2023.

VBS Enclaves explained

VBS Enclaves provide isolated, secure environments for sensitive data on Windows systems. Only a few Microsoft and Windows-specific programs are confirmed to use the feature at the time of writing. Besides Microsoft Azure SQL Database, it is Windows 11's Recall feature and Credential Guard that are making use of it as well.

One advantage of VBS Enclaves is that they do not have hardware dependencies. As long as the VBS Enclaves feature is enabled on a supported Windows PC, it should work fine.

What deprecation means

Deprecation does not mean that the feature is going to be removed immediately. It means that a specific feature will be removed in a future version of the operating system. Or, in this case, in a future update for the affected operating systems. In fact, most home users may not be impacted by this at all. Here is why.

Windows 11, version 23H2 reaches end of support this November. All previous versions of Windows 11 are no longer supported for consumers. Means, Microsoft would have to remove the feature between April 2025 and November 2025 to affect home users. It seems unlikely that this is going to be the case.

Microsoft does not give a reason for the removal, which makes it all the more puzzling. Since the removal does not affect most home users, it is likely business and Enterprise customers that Microsoft is aiming at with the notice of deprecation.

One possible explanation is found on the Secure Enclaves documentation on Microsoft's Windows App Development website. There, Microsoft has added the following note: "Using these APIs for a VBS Enclave requires Windows 11 Build 26100.2314 or later or Windows Server 2025 or later."

It is possible that the deprecation affects third-party apps and they access to the API only and not first-party apps. We asked Microsoft about this but have not heard back at this point. We will update the article when we receive an answer.