Part 2 of this review at VMM 2016 TP3 will look at shielded VM support in VMM and its required infrastructure.

In Part 1 of this look at VMM 2016 TP3, we saw how VMM will support new Windows Server 2016 technologies “straight out of the gate.” Here, we’ll look at networking improvements, shielded VMs, and the required building blocks for deploying them.

Networking enhancements

Setting up Hyper-V network virtualization, and working with the logical switch in VMM in general, has always been challenging. A consistent request has been to make this process easier (and work more like it does in vCenter). TP3 offers a streamlined wizard for creating logical switches as well as the ability to set up a standard vSwitch on a host and then transform that into a VMM logical switch. Furthermore, if there’s a hitch when applying a logical switch to a host and something goes wrong, all settings are wound back to the original state.

Shielded VMs

One of the big headline features of Hyper-V in Windows Server 2016 will be shielded VMs. We looked at the technology in depth from a Hyper-V perspective, but it’s of course in VMM where the management will happen.

Three scenarios are accommodated:

  1. Creating new VMs from a shielded VM template
  2. Shielding existing VMs
  3. Auto shield VMs when they’re created

Option 2 gives the least assurance because, if a VM is already compromised and you shield it, very little has been achieved. In addition, BitLocker will not be applied to the VMs’ virtual disks automatically, leaving them susceptible to “copy and mount offline” attacks. The third option is similar because it doesn’t base the creation on a provisioning key file. Option 1 is clearly the most attractive, but it does require some preparation.

The building blocks needed are a disk catalog of prepared virtual disks; these are hashed to attest that they haven’t been tampered with, and they’re also digitally signed. Built on the disk catalog are VM templates specifically for shielded VMs. And encrypted provisioning key files, called PDKs, provide the answers to the customization questions that you normally enter during VM creation, such as domain join and administrator account and password. The files are also linked to the disk sources they can be used with.

Importing shielding data file

Importing shielding data file

PDK files have an owner and one or more guardians. A guardian can read some information from a PDK but not alter the content of the file. So, as a tenant in your cloud, I create one or more PDK files and specify you as a guardian. You can then use my PDK file to provision new VMs.

This is all integrated in the new VM creation workflow in VMM. No generation option is offered because shielded VMs have to be generation 2 and there are fewer customization options because they’re provided in the PDK file.

The hosts make up the other side of the coin. When TP3 was released, no built-in way existed to deploy a Host Guardian Service (HGS) server through VMM, but it would happily manage them once you created them. The VMM team very recently released a service template, a couple of scripts, and guidance on deploying HGS servers directly from VMM.

Host Guardian Service template

Host Guardian Service template

Once you have one or more HGS servers (these require TPM 1.2 chips and strong physical security), you can set up Hyper-V servers that can host shielded VMs. There are two modes for hosts. The first one is basic AD attestation mode, where membership in an AD group is sufficient. The other is full hardware attestation, where the host OS comes with guarantees of not having been tampered with through TPM 2.0 chips and a Code Integrity policy that defines exactly what software can and can’t run on the server.


I think Hyper-V in 2016 will bring real improvements to what’s already the best server virtualization platform available, and it’s exciting to see how VMM incorporates these improvements. With the easiest cluster upgrade story to date, adopting Hyper-V 2016 and VMM 2016 should be a relatively easy project to sell to your business, especially with the plethora of new features that are coming.

Now if we could just have Nano Server support, please? I can’t wait for TP4.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account