Shielded VM local mode and HGS mode

With the new capability in Windows 10, version 1709, Windows Client can host shielded VMs while using remote Host Guardian Service (HGS) attestation. This caused some confusion as people stated they have already been running shielded VMs on client. This blog post is intended to clarify things and explain how to run them side by…


Building VM template using Assigned Access

Since it took me a couple of attempts to create VM templates for Azure portal management and Remote Desktop (in order to make them available for the TAP evaluation), I thought it best to share the process, so you can build your own customized image.  My goal is to create a PAW VM that offers…


Why use shielded VMs for your privileged access workstation (PAW) solution?

It’s great to see customers trying out PAWs and it’s generating a lot of great questions. Many questions are related to shielded VMs so I’d like to focus this blog post on sharing our reasoning for building the PAW solution on shielded VMs. Running virtual machines (VMs) on Windows client is not new, but running…


Improved branch office support for shielded VMs in Windows Server, version 1709

Companies with large branch offices often must make a tradeoff between user experience and security. To increase employee productivity, it may make sense to deploy replicas of certain applications like Active Directory Domain Controllers or file servers in a branch office. But with limited — if any — IT resources at the remote location, how…

0

How to deploy a VM template for PAW

Continuing with the PAW series, after you followed the previous blog to build the PAW device, you can now deploy PAW VMs on it. There are two types of VMs you can create: Desktop VM: this is a standard VM, dedicated for user productivity workload. It is typically joined to your org production domain. You…


Frequently Asked Questions About HGS Certificates

The Host Guardian Service uses public key cryptography extensively to protect shielded VMs from attackers. Any time certificates with public-private key pairs come into play, there are bound to be many questions about how to properly set up and protect those certificates. This blog hopes to clarify the most common questions our team is asked…

0

Shielded VMs – additional considerations when running a guarded fabric

So you’ve deployed a guarded fabric and your VMs are running happily.  Having now reached that perfect steady state, let’s have a look at the operational and administrative differences relative to a regular fabric.  The purpose of this blog isn’t to exhaustively walk you through some mundane day-to-day set of administrative or operational duties, rather, I…

1

Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric

[This post was authored by Dean Wells, Principal Program Manager on the Windows Server team] If you’re anything like me, you probably find it immensely helpful having an end-to-end conceptual view of what you’re doing before actually doing it–that’s the purpose of this blog. Deploying a guarded fabric involves several new concepts so, in this…

0

Join Host Guardian Servers to an existing bastion forest

Shielded VM prevents unauthorized access from the host. To achieve this security assurance, there must be a role separation between the fabric admins (who manage the Guarded Hosts) and the HGS admins (who manage the Host Guardian Servers). By default, when you install the first HGS server, it will create its own forest, this will…


Step by Step: Shielding existing VMs without VMM

Continuing on the topic of Shielded VMs from my last blog on creating shielded VMs, this blogpost will share my learnings from validating the scenario. This blogpost doesn’t dive deep in terminologies which are fully explained in the Shielded VM deployment guide. A side note, System Center VMM has built-in functionality to support shielding existing VMs to make the process…