Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric

[This post was authored by Dean Wells, Principal Program Manager on the Windows Server team] If you’re anything like me, you probably find it immensely helpful having an end-to-end conceptual view of what you’re doing before actually doing it–that’s the purpose of this blog. Deploying a guarded fabric involves several new concepts so, in this…

Join Host Guardian Servers to an existing bastion forest

Shielded VM prevents unauthorized access from the host. To achieve this security assurance, there must be a role separation between the fabric admins (who manage the Guarded Hosts) and the HGS admins (who manage the Host Guardian Servers). By default, when you install the first HGS server, it will create its own forest, this will…


Step by Step: Shielding existing VMs without VMM

Continuing on the topic of Shielded VMs from my last blog on creating shielded VMs, this blogpost will share my learnings from validating the scenario. This blogpost doesn’t dive deep in terminologies which are fully explained in the Shielded VM deployment guide. A side note, System Center VMM has built-in functionality to support shielding existing VMs to make the process…


Step-by-step: Quick reference guide to deploying guarded hosts

My original blog post on the topic of deploying Shielded VMs without VMM included the instructions to deploy guarded hosts.  Based on feedback around keeping the blog posts short and scenario-focused, I split the content into 2. This blog serves as a quick reference to deploy guarded hosts. Once again, I highly recommend you read…


Step by Step – Shielded VM Recovery

Shielded VMs protect the data and state of a Virtual Machine against inspection, theft and tampering from malware and datacenter administrators, and they do so both at rest and in-flight. One of the ways we achieve this is to block the features in Hyper-V that are there for an administrator’s convenience, e.g. we block console access…


Step by step – Creating Shielded VMs without VMM

Hi, I’m Jane, one of the newest members of the Windows Server Security Product Team. My very first hands-on experience is to deploy Shielded VMs with the minimum amount of hardware. It was fun and a great learning experience. I followed the comprehensive TP5 deployment guide on Shielded VM and Guarded Fabric guide with one…


A closer look at shielded VMs in Windows Server 2016

[This blog post was originally published in the Windows Server Blog] This post was authored by Jeff Woolsey, Principal Program Manager, Windows Server. On this week’s Microsoft Mechanics show, we bring you Dean Wells and Matt McSpirit to demonstrate Shielded VMs – another reason why you should be evaluating Windows Server 2016. A little backstory…


Overview of Host Guardian Service (HGS) Diagnostics

[This post is authored by Jim Hughes, Software Engineer for the Windows Server Team] The Host Guardian Service (HGS) is a principal component in enabling Hyper-V to host Shielded VMs in Windows Server 2016. Shielded VMs are your typical Hyper-V virtual machines, but protected from tampering and inspection by platform administrators and malicious actors. The initial deployment of HGS…


Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016

[This post is authored by Sumesh Kumar, Program Manager for the Enterprise and Security Product Team] The “Key Protection Service” (KPS) is one of the two services that run as part of a Windows Server role called the Host Guardian Service (or HGS). The second of those two services is called Attestation and will be…


Step by Step – Creating Shielded VMs

[This post is authored by Dean Wells, Principal Program Manager for the Windows Server Security Product Team] In this blog, we’ll walk through the steps necessary to create a shielded VM and briefly discuss each of the prerequisite pieces. For the purposes of the blog, we’ll walk through the end-to-end experience from the perspective of…