Events
Apr 29, 2 PM - Apr 30, 7 PM
Join the ultimate Windows Server virtual event April 29-30 for deep-dive technical sessions and live Q&A with Microsoft engineers.
Sign up nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Important
Before beginning these procedures, ensure that you have installed the latest cumulative update for Windows Server 2016 or are using the latest Windows 10 Remote Server Administration Tools. Otherwise, the procedures will not work.
This section outlines steps performed by a hosting service provider to enable support for converting existing VMs to shielded VMs.
To understand how this topic fits in the overall process of deploying shielded VMs, see Hosting service provider configuration steps for guarded hosts and shielded VMs.
The shielding process for existing VMs is only available for VMs that meet the following prerequisites:
On a machine with Hyper-V and the Remote Server Administration Tools feature Shielded VM Tools installed, create a new generation 2 VM with a blank VHDX and install Windows Server 2016 on it using the Windows Server ISO installation media. This VM should not be shielded and must run Server Core or Server with Desktop Experience.
Important
The VM Shielding Helper VHD must not be related to the template disks you created in Hosting service provider creates a shielded VM template. If you re-use a template disk, there will be a disk signature collision during the shielding process because both disks will have the same GPT disk identifier. You can avoid this by creating a new (blank) VHD and installing Windows Server 2016 onto it using your ISO installation media.
Start the VM, complete any setup steps, and log into the desktop. Once you have verified the VM is in a working state, shut down the VM.
In an elevated Windows PowerShell window, run the following command to prepare the VHDX created earlier to become a VM shielding helper disk. Update the path with the correct path for your environment.
Initialize-VMShieldingHelperVHD -Path 'C:\VHD\shieldingHelper.vhdx'
Once the command has completed successfully, copy the VHDX to your VMM library share. Do not start up the VM from step 1 again. Doing so will corrupt the helper disk.
You can now delete the VM from step 1 in Hyper-V.
In the VMM Console, open the settings pane and then Host Guardian Service Settings under General. At the bottom of this window, there is a field to configure the location of your helper VHD. Use the browse button to select the VHD from your library share. If you do not see your disk in the share, you may need to manually refresh the library in VMM for it to show up.
Events
Apr 29, 2 PM - Apr 30, 7 PM
Join the ultimate Windows Server virtual event April 29-30 for deep-dive technical sessions and live Q&A with Microsoft engineers.
Sign up nowTraining
Certification
Microsoft Certified: Azure Virtual Desktop Specialty - Certifications
Plan, deliver, manage, and monitor virtual desktop experiences and remote apps on Microsoft Azure for any device.
Documentation
Shielded VMs for tenants - Deploying a shielded VM by using Virtual Machine Manager
Learn more about: Shielded VMs for tenants - Deploying a shielded VM by using Virtual Machine Manager
Learn more about: Deploy shielded VMs
Quick start for guarded fabric deployment
Learn more about: Quick start for guarded fabric deployment