Finally:
Safeguard VMs so that they can only run on infrastructure you designate as your organization’s fabric and are
protected even from compromised administrators.
To do this, we are introducing Shielded VMs in Windows Server 2016. Shielded VMs protect virtual machines from compromised or malicious administrators in the fabric, such as storage admins, backup admins, etc., by encrypting the disk and state of virtual machines so that only VM or tenant admins can access them.
In addition, we are also protecting the fabric with a new Windows Server feature: the Host Guardian Service. When a shielded virtual machine is turned on, the Host Guardian Service (HGS) checks to see if the hosts are allowed to run the Shielded VM. This is accomplished through attestation and hardware-based boot measurements, along with a new feature, Code Integrity, to determine whether a host meets the criteria of a healthy host and may run the Shielded VM.
Here are MVA video courses that explain how to deploy Shielded VMs and a Guarded Fabric with Windows Server 2016.
More details:
A closer look at shielded VMs in Windows Server 2016
Guarded fabric and shielded VMs overview
Shielded VMs documentation
Shielded VMs infographic
<------------->------------->
Here is an interesting Microsoft video about securing VMs on Windows Server 2016.
https://mva.microsoft.com/en-US/training-courses/deploying-shielded-vms-and-a-guarded-fabric-with-windows-server-2016-17131?l=WFLef7vUD_4604300474
MVA Course:
Wondering what it takes to go from a Windows Server 2012 fabric to a Windows Server 2016 guarded fabric? Need help setting up that guarded fabric? In this hour-long course, join experts for an end-to-end step-through of a live Windows Server 2016 guarded fabric deployment—hands-on, brick by brick. See how easy it is, with the right hardware and software, to set up this security.
1 | Deploying Shielded VMs in a Windows Server 2016 Guarded Fabric
Get an in-depth look at a live deployment of a Windows Server 2016 guarded fabric—hands-on, brick-by-brick, from the ground up.