Shielded VM
Windows Server 2016 Hyper-V introduces the ability to create a Shielded VM. This new feature leverages the vTPM in a Generation-2 VM. The vTPM enables the use of BitLocker on the boot volume of the VM, securing the VM's data at rest. Shielded VMs also have several other key characteristics that make the running VMs much more resilient to malicious administrators and malware.
Shielded VMs run within a guarded fabric. A guarded fabric is typically comprised of the Host Guardian Service (HGS), normally a three-node cluster running the Windows Server 2016 HGS role, and one or more guarded hosts running Windows Server 2016 Hyper-V. The HGS has two components, which perform the following functions:
Attestation Service – This component evaluates the validity or health of the guarded host
Key Protection Service – This component decides whether to release a key to start a VM or Live Migrate a VM to another host
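The following PowerShell is an added example, not from the book, that a fabric administrator can run on a guarded host to confirm the two pieces the text describes are actually in place: that the host attests to the HGS (rather than running in local mode) and that each VM really has a vTPM and is shielded, instead of merely being a Generation-2 VM with BitLocker inside. It assumes the Hyper-V and HgsClient PowerShell modules present on a Windows Server 2016 Hyper-V host; the property names read from Get-HgsClientConfiguration (Mode, AttestationServerUrl, KeyProtectionServerUrl, AttestationStatus, IsHostGuarded) are taken from that cmdlet's output and are assumptions for this illustration.

```powershell
# Added example (not from the book): audit the guarded-host side of a guarded fabric.
# Assumptions: HgsClient and Hyper-V modules are installed on the host, and
# Get-HgsClientConfiguration exposes the properties used below.

function Test-GuardedHostReadiness {
    [CmdletBinding()]
    param()

    # 1. Where does this host attest, and was the last attestation successful?
    #    Mode 'Local' means the host never talks to an HGS and is not guarded.
    $hgs = Get-HgsClientConfiguration
    [pscustomobject]@{
        Check  = 'HGS client configuration'
        Mode   = $hgs.Mode                      # expected: HostGuardianService
        Attest = $hgs.AttestationServerUrl      # Attestation Service endpoint
        KPS    = $hgs.KeyProtectionServerUrl    # Key Protection Service endpoint
        Status = $hgs.AttestationStatus
        Pass   = ([bool]$hgs.IsHostGuarded) -and ($hgs.Mode -eq 'HostGuardianService')
    }

    # 2. For every VM on the host, confirm it is Generation 2, has a vTPM and is
    #    shielded. A vTPM alone only gives BitLocker; Shielded is what ties the
    #    VM's key to the HGS so an untrusted host cannot start or migrate it.
    foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VMName $vm.Name
        [pscustomobject]@{
            Check  = "VM $($vm.Name)"
            Gen    = $vm.Generation
            vTPM   = $sec.TpmEnabled
            Shield = $sec.Shielded
            EncMig = $sec.EncryptStateAndVmMigrationTraffic
            Pass   = ($vm.Generation -eq 2) -and $sec.TpmEnabled -and $sec.Shielded
        }
    }
}

# Usage: run elevated on the guarded host; any row with Pass = False needs attention.
Test-GuardedHostReadiness | Format-Table -AutoSize
```

A host whose Mode is Local, or a VM with vTPM enabled but Shielded set to False, still boots and migrates without the HGS ever evaluating host health or deciding to release a key, so neither of the two HGS functions above protects it.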
Getting ready…
Before you deploy a guarded fabric, you have to decide which type...