Secure the Hyper-V host operating system, the virtual machines, configuration files, and virtual machine data. Use the following list of recommended practices as a checklist to help you secure your Hyper-V environment.
Keep the host OS secure.
Use a secure network.
Secure storage migration traffic.
Use SMB 3.0 for end-to-end encryption of SMB data and for protection against tampering or eavesdropping on untrusted networks. Use a private network to access the SMB share contents to prevent man-in-the-middle attacks. For more information, see SMB Security Enhancements.
Configure hosts to be part of a guarded fabric.
For more information, see Guarded fabric.
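The following PowerShell is an added example (not part of the Microsoft page) showing how to require SMB encryption both per share and host-wide so that storage-migration traffic and VM file access cannot fall back to cleartext. The share name, path and the host computer account granted access are assumptions for illustration.

```powershell
# Added example, not from the original page. Share name, path and account are assumptions.
$shareName = 'VMStore'                 # hypothetical share holding VHDX/config files
$sharePath = 'D:\VMStore'              # hypothetical local path backing the share
$hostAcct  = 'CONTOSO\HV01$'           # hypothetical Hyper-V host computer account

# Per-share: require SMB 3.x encryption for every session that opens this share.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath -FullAccess $hostAcct -EncryptData $true
} else {
    Set-SmbShare -Name $shareName -EncryptData $true -Force
}

# Server-wide: encrypt all shares and refuse clients that cannot negotiate encryption
# (SMB 1 and SMB 2 clients are rejected rather than silently served in cleartext).
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verify the effective configuration.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
Get-SmbShare | Select-Object Name, Path, EncryptData

# From a Hyper-V host that has the share open, confirm the negotiated dialect is 3.0 or
# later; encryption is only available on SMB 3.x sessions.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

Setting `RejectUnencryptedAccess` is the part that turns encryption from a preference into a control: without it, a downgraded client still gets an unencrypted session. Apply it only after confirming every host and backup client that touches the share supports SMB 3.0 or later.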
Secure devices.
Secure the storage devices where you keep virtual machine resource files.
Secure the hard drive.
Use BitLocker Drive Encryption to protect resources.
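As an added example (not from the Microsoft page), the PowerShell below encrypts the data volume that stores VHDX and configuration files with BitLocker, adds a recovery password, lets the TPM-protected OS volume unlock it at boot so the Hyper-V service can start unattended, and escrows the recovery password in Active Directory. The mount point is an assumption; the OS volume is assumed to be BitLocker-protected already, which auto-unlock requires.

```powershell
# Added example, not from the original page. 'D:' is an assumed data volume.
$volume = 'D:'

# Encrypt the whole data volume with XTS-AES-256 and add a recovery password protector
# so the data stays recoverable if the auto-unlock key is lost (e.g. OS reinstall).
Enable-BitLocker -MountPoint $volume -EncryptionMethod XtsAes256 -RecoveryPasswordProtector

# Auto-unlock: the TPM-protected OS volume holds the key for this data volume, so VMs
# start without an interactive unlock. Requires the OS volume to be BitLocker-protected.
Enable-BitLockerAutoUnlock -MountPoint $volume

# Escrow the recovery password to Active Directory (needs the AD BitLocker backup
# policy and schema in place); keep the console copy out of scripts and logs.
$rp = (Get-BitLockerVolume -MountPoint $volume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $rp.KeyProtectorId

# Verify: protection must be On and encryption should reach 100 percent.
Get-BitLockerVolume -MountPoint $volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
```

Check `ProtectionStatus` rather than `VolumeStatus` alone: a volume can be fully encrypted while protectors are suspended, in which case the clear key is on disk and the data is not actually protected.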
Harden the Hyper-V host operating system.
Use the baseline security setting recommendations described in the Windows Server Security Baseline.
Grant appropriate permissions.
Configure anti-virus exclusions and options for Hyper-V.
Windows Defender already has automatic exclusions configured. For more information about exclusions, see Recommended antivirus exclusions for Hyper-V hosts.
Don't mount unknown VHDs. This can expose the host to file system level attacks.
Don't enable nesting in your production environment unless it's required.
If you enable nesting, don't run unsupported hypervisors on a virtual machine.
For more secure environments:
Use hardware with a Trusted Platform Module (TPM) 2.0 chip to set up a guarded fabric.
For more information, see System requirements for Hyper-V on Windows Server 2016.
Create generation 2 virtual machines for supported guest operating systems.
For more information, see Generation 2 security settings.
Enable Secure Boot.
For more information, see Generation 2 security settings.
Keep the guest OS secure.
Use a secure network.
Make sure virtual network adapters connect to the correct virtual switch and have the appropriate security setting and limits applied.
Store virtual hard disks and snapshot files in a secure location.
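This added PowerShell example (not from the Microsoft page) ties together the generation 2 and Secure Boot recommendations from the host checklist above and the virtual network adapter guidance in this section: it creates a generation 2 VM with Secure Boot enabled, then applies adapter-level protections and a bandwidth cap. VM name, switch name, VHD path, VLAN ID and the bandwidth value are assumptions for illustration.

```powershell
# Added example, not from the original page. Names, paths and limits are assumptions.
$vmName  = 'app01'
$switch  = 'vSwitch-Prod'
$vhdPath = 'D:\VMStore\app01.vhdx'

# Generation 2: UEFI firmware, Secure Boot capable, no legacy emulated devices.
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 80GB -SwitchName $switch

# Secure Boot with the Windows template; supported Linux guests use
# 'MicrosoftUEFICertificateAuthority' instead.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# Adapter protections: the guest cannot spoof source MACs, cannot answer as a DHCP
# server or advertise itself as a router, and cannot team its adapters.
Get-VMNetworkAdapter -VMName $vmName |
    Set-VMNetworkAdapter -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On -AllowTeaming Off

# Limits: cap egress so one guest cannot starve the host or its neighbours
# (value is bits per second; 1 Gbit/s here is an assumed figure).
Get-VMNetworkAdapter -VMName $vmName |
    Set-VMNetworkAdapter -MaximumBandwidth 1000000000

# Isolation: pin the adapter to the VLAN for this workload (VLAN 100 is assumed).
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId 100

# Verify the result matches the checklist.
Get-VMFirmware -VMName $vmName | Select-Object VMName, SecureBoot, SecureBootTemplate
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object VMName, SwitchName, MacAddressSpoofing, DhcpGuard, RouterGuard, MaximumBandwidth
```

`DhcpGuard` and `RouterGuard` are the adapter settings most often left at their defaults; they are what stops a compromised guest from handing out addresses or routes to its neighbours on the same virtual switch, so they belong in whatever template or script creates production VMs rather than being set by hand afterwards.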
Secure devices.
Configure only required devices for a virtual machine. Don't enable discrete device assignment in your production environment unless you need it for a specific scenario. If you do enable it, make sure to only expose devices from trusted vendors.
Configure antivirus, firewall, and intrusion detection software within virtual machines as appropriate based on the virtual machine role.
Enable virtualization-based security for guests that run Windows 10 or Windows Server 2016 or later.
For more information, see the Device Guard Deployment Guide.
Only enable Discrete Device Assignment if needed for a specific workload.
Due to the nature of passing through a physical device, work with the device manufacturer to understand if it should be used in a secure environment.
For more secure environments:
Deploy virtual machines with shielding enabled and deploy them to a guarded fabric.
For more information, see Generation 2 security settings and Guarded fabric.
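To check a host against the guest-side items above (nested virtualization, discrete device assignment, virtualization-based security, shielding), the following read-only PowerShell report is an added example and not part of the Microsoft page. It uses the Hyper-V module cmdlets available on Windows Server 2016 and later; the function name is an assumption.

```powershell
# Added example, not from the original page. Read-only: it changes no VM settings.
function Get-HyperVGuestSecurityReport {
    foreach ($vm in Get-VM) {
        $sec  = Get-VMSecurity  -VM $vm          # shielding, vTPM, VBS opt-out
        $proc = Get-VMProcessor -VM $vm          # nested virtualization exposure
        $dda  = @(Get-VMAssignableDevice -VM $vm) # physical devices passed through
        # Get-VMFirmware only applies to generation 2 VMs, so guard the call.
        $fw   = if ($vm.Generation -eq 2) { Get-VMFirmware -VM $vm } else { $null }

        [pscustomobject]@{
            Name              = $vm.Name
            Generation        = $vm.Generation
            SecureBoot        = if ($fw) { $fw.SecureBoot } else { 'n/a (Gen 1)' }
            NestedVirtExposed = $proc.ExposeVirtualizationExtensions
            AssignedDevices   = $dda.Count
            VbsOptedOut       = $sec.VirtualizationBasedSecurityOptOut
            VirtualTpm        = $sec.TpmEnabled
            Shielded          = $sec.Shielded
        }
    }
}

# Full report for the host.
Get-HyperVGuestSecurityReport | Format-Table -AutoSize

# Only the VMs that deviate from the checklist: nesting exposed, devices passed
# through, VBS opted out, not generation 2, or Secure Boot off.
Get-HyperVGuestSecurityReport |
    Where-Object {
        $_.NestedVirtExposed -or $_.AssignedDevices -gt 0 -or $_.VbsOptedOut -or
        $_.Generation -ne 2 -or $_.SecureBoot -ne 'On'
    } |
    Format-Table -AutoSize
```

A non-zero `AssignedDevices` count or `NestedVirtExposed` of `True` is not automatically wrong, since the checklist allows both for specific workloads; the point of the report is to make every such exception visible so it can be matched against a documented justification. The `Shielded` column is informational, because shielding only applies to VMs that have been deployed to a guarded fabric.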