Windows Server 2016 security gets a virtual boost from shielded VM technology and a Host Guardian Service.
Enterprises must protect VMs, which can be stolen either internally, through data leakage, or externally by a hacker. A VM can run on any system -- belonging to anyone -- with a suitable hypervisor layer, so with high levels of virtualization in enterprises, VM theft can mean significant data loss.
One way to prevent this scenario is to tie VMs to the host system. Microsoft Hyper-V shielded VMs are given a virtual trusted platform module (TPM), and their disks are encrypted with BitLocker. A shielded VM will only operate on approved hosts within the business's network fabric, which is typically a cluster of three or more server nodes for service resilience.
The Host Guardian Service evaluates and authorizes guarded hosts -- servers that can run a shielded VM -- and uses a key management service to handle the encryption keys that secure each shielded VM on host servers. The Host Guardian Service provides the virtual TPM for shielded VM operation.
The Host Guardian Service can operate using hardware-based, TPM-trusted attestation for maximum physical security, but the servers must support TPM 2.0 hardware. Alternatively, the service can use admin-based attestation, which relies on Active Directory Domain Services.
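As an added example (not code from the original article or from Microsoft), the following PowerShell function is the read-only check an administrator would run on a Hyper-V host to confirm the prerequisites and status described above: whether a TPM 2.0 is present (needed only for TPM-trusted attestation), which attestation mode the host is configured for, whether the host currently passes attestation with the Host Guardian Service, and which VMs on the host are actually shielded. It assumes Windows Server 2016 with the Hyper-V and Host Guardian Hyper-V Support features installed; the cmdlets (`Get-HgsClientConfiguration`, `Get-VM`, `Get-VMSecurity`) and the `Win32_Tpm` CIM class are standard Windows components, and the function name `Test-GuardedHostReadiness` is this example's own.

```powershell
# Added example, not part of the original article.
# Assumes Windows Server 2016 with Hyper-V and the HgsClient module available.
function Test-GuardedHostReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. TPM-trusted attestation requires TPM 2.0 hardware. Win32_Tpm.SpecVersion
    #    reads like "2.0, 0, 1.16" on a TPM 2.0 device; admin-based (Active
    #    Directory) attestation does not need it.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent   = [bool]$tpm
    $result.TpmSpec      = if ($tpm) { $tpm.SpecVersion } else { 'none' }
    $result.Tpm20Capable = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # 2. How this host is configured to talk to the Host Guardian Service:
    #    the attestation server authorizes the host, the key protection
    #    server releases the keys that unlock a shielded VM's vTPM state.
    $cfg = Get-HgsClientConfiguration
    $result.AttestationMode   = $cfg.AttestationOperationMode   # Tpm or ActiveDirectory
    $result.AttestationStatus = $cfg.AttestationStatus          # Passed, Expired, NotConfigured, ...
    $result.AttestationUrl    = $cfg.AttestationServerUrl
    $result.KeyProtectionUrl  = $cfg.KeyProtectionServerUrl
    $result.IsHostGuarded     = $cfg.IsHostGuarded

    # 3. Which VMs on this host are shielded (vTPM plus BitLocker-protected
    #    disks) rather than merely running here.
    $result.ShieldedVMs = @(
        Get-VM |
            Where-Object { (Get-VMSecurity -VMName $_.Name).Shielded } |
            Select-Object -ExpandProperty Name
    )

    # A host that does not pass attestation cannot start shielded VMs, so
    # surface the two mismatches an operator most needs to know about.
    if ($result.ShieldedVMs.Count -gt 0 -and -not $result.IsHostGuarded) {
        Write-Warning 'Shielded VMs are present on a host that is not currently guarded; they will not start until attestation passes.'
    }
    if ($result.AttestationMode -eq 'Tpm' -and -not $result.Tpm20Capable) {
        Write-Warning 'TPM-trusted attestation is configured, but no TPM 2.0 was detected on this host.'
    }

    [pscustomobject]$result
}

Test-GuardedHostReadiness | Format-List
```

Run it in an elevated PowerShell session on each Hyper-V node; a fabric is only as strong as its weakest node, so a host that reports `AttestationStatus` other than `Passed`, or that carries shielded VMs while `IsHostGuarded` is false, is the one to investigate first.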