A Microsoft Hyper-V Shielded VM is a security feature of Windows Server 2016 that protects a Hyper-V Generation 2 virtual machine (VM) from access or tampering by anyone other than its designated owner, including the fabric administrators who run the Hyper-V hosts, by combining Secure Boot, BitLocker encryption, a virtual Trusted Platform Module (vTPM) and the Host Guardian Service (HGS).
The guest operating system of a shielded VM must be Windows Server 2012 or Windows 8 or later (the versions that can run as a Generation 2 VM), and the Hyper-V host must run Windows Server 2016. When the shielded VM is created, it is assigned a vTPM and its virtual disks are encrypted with BitLocker, so only the designated owner can read its contents. The key the vTPM needs is released by the Host Guardian Service only to a guarded host, that is, a Hyper-V host that HGS has attested as healthy, so the shielded VM will not start on any other host. Secure Boot ensures that only signed, trusted firmware and boot-loader components run when the VM starts, so the boot path cannot be altered to get around the encryption.
A fabric administrator without owner rights to the shielded VM can power it on and off but cannot alter its settings, open its console or read the contents of its disks. BitLocker encryption protects the shielded VM's data at rest, and Hyper-V encrypts the VM's saved state and its memory while the VM is moving across the network during a Live Migration.
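The following PowerShell script is an added example, not part of the original article and not Microsoft's own deployment script, showing the host-side steps described above: confirming the host is registered with and attested by the Host Guardian Service, attaching a key protector and vTPM to a Generation 2 VM, marking it shielded, and enabling encryption of saved state and Live Migration traffic. The VM name `ShieldedApp01`, the guardian names, the HGS URLs and the guardian export path `C:\HGS\HgsGuardian.xml` are assumptions; substitute your own.

```powershell
# Added example (not from the original page). Run as an administrator on a
# Windows Server 2016 Hyper-V host that is being set up as a guarded host.
$vmName      = 'ShieldedApp01'                              # assumed: an existing Generation 2 VM
$attestUrl   = 'http://hgs.contoso.com/Attestation'         # assumed HGS attestation endpoint
$kpsUrl      = 'http://hgs.contoso.com/KeyProtection'       # assumed HGS key protection endpoint
$hgsGuardXml = 'C:\HGS\HgsGuardian.xml'                     # assumed: guardian exported by the HGS admin

# 1. Shielding requires a Generation 2 VM; a vTPM cannot be attached to Generation 1.
$vm = Get-VM -Name $vmName
if ($vm.Generation -ne 2) {
    throw "$vmName is Generation $($vm.Generation); shielded VMs must be Generation 2."
}

# 2. Point this host at the Host Guardian Service and check that it attested.
#    Until AttestationStatus is 'Passed', HGS will not release vTPM keys and
#    a shielded VM will refuse to start here.
Set-HgsClientConfiguration -AttestationServerUrl $attestUrl -KeyProtectionServerUrl $kpsUrl
$hgs = Get-HgsClientConfiguration
if ($hgs.AttestationStatus -ne 'Passed') {
    throw "Host attestation is '$($hgs.AttestationStatus)' ($($hgs.AttestationSubstatus)); fix the host before shielding VMs."
}

# 3. Build the key protector. The owner guardian is the VM owner's certificate
#    pair (created locally if missing); the HGS guardian lets the Key Protection
#    Service unwrap the vTPM key only for hosts that pass attestation.
$owner = Get-HgsGuardian -Name 'VmOwner' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'VmOwner' -GenerateCertificates
}
$hgsGuardian = Import-HgsGuardian -Path $hgsGuardXml -Name 'ContosoHGS'
$kp = New-HgsKeyProtector -Owner $owner -Guardian $hgsGuardian

# 4. Apply the key protector, add the vTPM, mark the VM shielded (which also
#    blocks console access and similar host-side paths into the guest), and
#    encrypt saved state plus Live Migration traffic. The VM must be off.
if ($vm.State -ne 'Off') { Stop-VM -Name $vmName -Force }
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName
Set-VMSecurityPolicy -VMName $vmName -Shielded $true
Set-VMSecurity -VMName $vmName -EncryptStateAndVmMigrationTraffic $true

# 5. Verify the host-side state. BitLocker itself is turned on inside the guest
#    (for example by the shielding data's unattend process), not from the host.
Get-VMSecurity -VMName $vmName |
    Format-List TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

If step 2 fails, `AttestationSubstatus` tells you which attestation requirement the host missed (for example, an unexpected TPM baseline or code-integrity policy); do not work around it with `-AllowUntrustedRoot` on a production fabric, because that removes the very check that keeps a shielded VM from running on an untrusted host.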