my personal blog about systemcenter

Shielded VMs: a new era for secured VMs

With the Technical Preview of Windows Server 2016 we get a new feature that helps improve the security of virtual machines.

With Shielded VMs we can add a virtual TPM (vTPM) to each VM and use it to encrypt the contents of the virtual machine with BitLocker.

Microsoft's step-by-step guide for setting this up is available here.

It is supported both for plain Hyper-V VMs and for VMs managed by Windows Azure Pack.

For deployment, the Host Guardian Service can attest the Hyper-V hosts either through a dedicated AD forest (AD-based attestation) or through hardware with TPM 2.0 (TPM-based attestation). Servers with TPM 2.0 are hard to find as of this writing (a Surface works for testing), so this has been tested in our playground using a dedicated AD forest.

After the initial setup of the dedicated forest and installation of the Host Guardian Service (HGS), we need to add protection to the VMs.

So here we have a dedicated forest that holds the Host Guardian Service servers, with a one-way trust to the forest where our Hyper-V hosts and VMs are located. This lets us secure the VMs in the hosted environment: a Hyper-V administrator cannot access data inside a VM, and the same goes for backup operators.

For compliance, and in environments where encryption is a requirement, this is a very big step towards ensuring security at the hypervisor layer.

PS C:\> # $Owner and $Guardian are the guardian objects retrieved earlier with Get-HgsGuardian
PS C:\> # -AllowUntrustedRoot is only used because this test lab has no dedicated PKI; leave it out in production
PS C:\> $KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot
PS C:\> Set-VMTPM -VMName SECURE01 -Enabled $true -KeyProtector $KP.RawData
PS C:\> Set-VMTPM -VMName SECURE02 -Enabled $true -KeyProtector $KP.RawData


This adds the TPM information to the virtual machine and enforces Secure Boot. It works with Generation 2 VMs only, since only Gen 2 VMs have the UEFI firmware that Secure Boot and the vTPM require.
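As an added example (not code from the original post or from Microsoft's guide), here is the same step as a small host-side script that also checks the prerequisites the text mentions and verifies the result. It assumes it runs on a Hyper-V host in the guarded fabric, that the guardians have already been created or imported with the names 'Owner' and 'TestFabric' (assumed names), and it uses the cmdlets of the released Windows Server 2016 Hyper-V module, Set-VMKeyProtector and Enable-VMTPM, which correspond to the Technical Preview's Set-VMTPM shown above.

```powershell
# Added example: enable the vTPM on Gen 2 VMs with a key protector from HGS, then verify.
# Assumptions: guarded Hyper-V host; guardians 'Owner' (local, New-HgsGuardian -GenerateCertificates)
# and 'TestFabric' (imported HGS metadata) exist; VM names are illustrative.
param(
    [string[]]$VMName = @('SECURE01', 'SECURE02'),
    [string]$OwnerGuardianName = 'Owner',
    [string]$FabricGuardianName = 'TestFabric',
    # Only for a lab where HGS uses self-signed certificates; never set this in production.
    [switch]$LabOnlyAllowUntrustedRoot
)

$owner    = Get-HgsGuardian -Name $OwnerGuardianName
$guardian = Get-HgsGuardian -Name $FabricGuardianName

# Build the key protector once and reuse it for every VM in the list.
$kpArgs = @{ Owner = $owner; Guardian = $guardian }
if ($LabOnlyAllowUntrustedRoot) { $kpArgs['AllowUntrustedRoot'] = $true }
$kp = New-HgsKeyProtector @kpArgs

foreach ($name in $VMName) {
    $vm = Get-VM -Name $name

    # The vTPM needs UEFI firmware, i.e. a Generation 2 VM.
    if ($vm.Generation -ne 2) {
        Write-Warning "$name is Generation $($vm.Generation); a vTPM requires a Generation 2 VM"
        continue
    }
    # The key protector and vTPM can only be changed while the VM is powered off.
    if ($vm.State -ne 'Off') {
        Write-Warning "$name must be powered off before its key protector is changed"
        continue
    }

    Set-VMFirmware     -VMName $name -EnableSecureBoot On
    Set-VMKeyProtector -VMName $name -KeyProtector $kp.RawData
    Enable-VMTPM       -VMName $name

    # TpmEnabled should now be True; Shielded stays False until the VM is fully shielded.
    Get-VMSecurity -VMName $name |
        Select-Object @{ n = 'VMName'; e = { $name } }, TpmEnabled, Shielded
}
```

The guardians are looked up by name rather than created here, so running the script twice does not create duplicate guardians; the -AllowUntrustedRoot flag is kept behind an explicitly named switch so it cannot slip into a production run by accident.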


This is our VM before we enable vTPM


And this is our VM after the vTPM has been enabled

If we then encrypt our VM with BitLocker, and afterwards try to start a "stolen" copy of the VM on a host outside the guarded fabric


We can't. :) The vTPM state is protected by the key protector, so a host that cannot obtain the key from the Host Guardian Service cannot start the VM, and BitLocker will not release the volume key without that TPM.
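The BitLocker step itself is not shown above, so here is an added example (not from the original post) of what is run inside the guest once the vTPM is enabled: it checks that the guest actually sees a ready TPM, adds a recovery password before binding the volume to the TPM, and lists the resulting protectors. It assumes the guest is Windows Server with the BitLocker feature installed (Install-WindowsFeature BitLocker) and that the OS volume is C:.

```powershell
# Added example: run inside the guest (e.g. SECURE01) after the vTPM has been enabled on the host.
# Assumptions: BitLocker feature installed in the guest; OS volume is C:.
$MountPoint = 'C:'

# 1. The vTPM must be present and ready, otherwise BitLocker cannot seal the volume key to it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM in the guest. Check that the vTPM was enabled on the host while the VM was off."
}

# 2. Add a recovery password first, so the volume stays recoverable if the TPM measurements
#    change (for example after a firmware or boot configuration change). Then turn on
#    encryption with a TPM protector; -SkipHardwareTest avoids the extra reboot test.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest
}

# 3. Show what now protects the volume: one Tpm protector and one RecoveryPassword protector.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# Store the recovery password outside the VM; it is the only way to unlock the volume when the
# vTPM is not available, which is exactly the situation a "stolen" copy ends up in.
($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
```

A copy of the VM taken to a host outside the guarded fabric cannot decrypt the vTPM state, so the TPM protector never unseals and the volume can only be opened with the escrowed recovery password, which is why that password must be stored as carefully as the data it protects.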

This was just a small teaser to show one area of the Hyper-V 2016 security enhancements; we will dive a little deeper into securing the environment using Shielded VMs later.