Bookmark this! aka.ms/svm | Shielded VM resources
Shielded Virtual Machines (SVM)
A Shielded VM is a generation 2 virtual machine (supported on Windows Server 2012 and later) that has a virtual TPM, is encrypted using BitLocker and can run only on healthy, approved hosts in a guarded fabric. Shielded VMs in a guarded fabric enable Cloud Service Providers (CSPs) or enterprise private cloud administrators to provide a more secure environment for tenant VMs. A guarded fabric consists of one Host Guardian Service (HGS), typically a cluster of 3 nodes, and one or more guarded hosts running a set of Shielded Virtual Machines.
Keep up-to-date on the latest announcements, which will be posted on the Datacenter and Private Cloud Security Blog.
Overviews
- Guarded Fabric and Shielded VMs
- What are Shielded VMs in Windows Server 2016 Hyper-V?
- Tip of the Day: Shielded VMs
- Code Integrity Policies
- Shielding a VM with Windows Server 2016 on Dell PowerEdge 13G Servers
- MS Ignite May 2015: Harden the Fabric: Protecting Tenant Secrets in Hyper-V
Demonstrations
- Shielded Virtual Machines in Windows Server - overview
- Channel 9 - Harden the Fabric: Protecting Tenant Secrets in Hyper-V
- A closer look at shielded VMs in Windows Server 2016 - Windows Server Blog
Implementation and Management
- System requirements for Hyper-V on Windows Server 2016 Technical Preview
- Step by Step – Configuring the Host Guardian Service in Windows Server 2016
- Guarded Fabric Deployment Guide for Windows Server 2016 TP5
- Shielded VMs and Guarded Fabric Operations Guide for Windows Server 2016
- Shielded VMs and Guarded Fabric Troubleshooting Guide for Windows Server 2016
- Host Guardian Service Server Cmdlets
- Manage Windows virtual machines with PowerShell Direct - blocked by SVMs!
Datacenter and Private Cloud Security Blog posts
- Step by Step – Configuring the Host Guardian Service in Windows Server 2016
- Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016
- Step by Step – Creating Shielded VMs
- Step by Step – Configuring Guarded Hosts with Virtual Machine Manager 2016
- Overview of Host Guardian Service (HGS) Diagnostics
Technical Deep Dives
Applicable to Windows Server 2016; covers the concepts of VBS (virtualization-based security), HVCI (hypervisor-enforced code integrity), Credential Guard, Device Guard Code Integrity (CI), Measured Boot and remote attestation.
- TPM Key Attestation
- What's new in Credential Guard?
- Device Guard overview
- Device health attestation
- Protect derived domain credentials with Credential Guard (also covers VBS)
Hyper-V Generation 2 Overviews
Note: for this topic, Parts 1 and 6 are most relevant to the guarded fabric discussion. Parts 8 and 10 may be useful for migration scenarios to enable SVMs.
- Part 1: Introduction to generation 2 virtual machines
- Part 2: Networking and boot order
- Part 3: Storage
- Part 4: Keyboard for Windows 8 & Windows Server 2012
- Part 5: Kernel debugging
- Part 6: Secure Boot
- Part 7: FAQ
- Part 8: Manually migrating generation 1 virtual machines to generation 2
- Part 9: Installing from ISO
- Part 10: Utility for converting generation 1 virtual machines to generation 2 (Convert-VMGeneration)