Shielded VMs Add Tenant Security Features

Windows Server 2016 Hyper-V introduces shielded virtual machines (VMs), which improve security for tenant VMs and isolate them from host infrastructure administrators. Service providers and private cloud administrators can use shielded VMs to offer services to tenants with security or confidentiality requirements that prohibit access to VMs by fabric administrators. However, fully implementing shielded VMs will require new server hardware, and Windows Server 2016 per-core licensing will increase costs.

Improved Security for Tenant VMs

Administrators of the physical servers, storage, and networking that make up a host fabric normally have extensive access to hosted workloads, including VMs, making it difficult to isolate and secure tenants. Shielded VMs protect the data within a VM from being accessed by malicious or compromised fabric administrators, who manage hosting infrastructure. The system relies on the shielded VMs themselves, the Host Guardian Service (HGS), and Virtual Machine Manager (VMM).