WEBVTT

00:05.620 --> 00:13.810
In Windows Server 2016, Microsoft introduced a new protection for Windows virtual machines. Shielded

00:13.830 --> 00:21.940
VMs utilized a Host Guardian Service to protect virtual machines from each other and even from admins

00:21.940 --> 00:23.800
on the host machine.

00:23.800 --> 00:26.570
That last one is important for two reasons.

00:26.590 --> 00:33.070
First, in a multi-tenant environment, it may not be up to the host's server admin to look after the guest

00:33.070 --> 00:41.260
machines. Someone running a hosting service may offer space on high-power servers, and various clients

00:41.260 --> 00:44.500
would place their virtual servers on that hardware.

00:44.500 --> 00:50.270
In this case, the host machine shouldn't have rights over the guest machine.

00:50.280 --> 00:57.660
The second reason has more to do with potential breaches in the form of someone accessing the host machine.

00:58.990 --> 01:04.720
If a hack or exploit gains remote administrative rights to a Hyper-V host,

01:04.720 --> 01:12.120
the Host Guardian Service keeps the guest machines secure. All of this was included in Windows Server

01:12.120 --> 01:22.730
2016, but only for Windows workstations and servers as the guest VMs. Since Windows Server 2016 was released,

01:22.740 --> 01:29.370
we've seen several moves from Microsoft that have more completely integrated Linux solutions into Windows

01:29.370 --> 01:38.900
networks. Windows Server 2019 carries that growth into the shielded VM feature. The Host Guardian Service

01:39.200 --> 01:47.080
can now protect Linux virtual machines as well. Ubuntu, Red Hat Enterprise, and SUSE Enterprise servers

01:47.530 --> 01:55.230
can be installed as type 2 virtual machines and take advantage of the Host Guardian Service. A server

01:55.230 --> 02:01.500
in the network configured as the Host Guardian will maintain this security. Each time a shielded virtual

02:01.500 --> 02:08.190
machine boots up, the HGS will verify the protected status and allow it to run behind the protected

02:08.190 --> 02:14.980
shield. But there is a potential risk with this arrangement, one that has already been addressed in Server

02:15.000 --> 02:19.800
2019. If the Host Guardian server is unavailable,

02:20.050 --> 02:25.540
by default a virtual machine protected by this shield would be blocked from starting.

02:25.840 --> 02:32.440
The alternative was to start the machine without protection at all, but that erases the benefits of configuring

02:32.440 --> 02:39.970
shielded VMs to begin with. Offline mode allows virtual machines that have run shielded VMs in the past

02:40.450 --> 02:41.590
to boot up

02:41.590 --> 02:48.250
even if the Host Guardian Service is not available. They use the most recent security configurations

02:48.700 --> 02:55.520
and so have the same protections they had the last time that they booted. There may be some who write

02:55.520 --> 03:01.200
this improvement off as unimportant because their Windows network is Windows only.

03:01.280 --> 03:07.340
I would remind you that not too many years ago, we didn't think we would be integrating Android and Apple

03:07.340 --> 03:09.200
phones into our Windows networks.

03:09.230 --> 03:11.180
But today many of us do.

03:11.180 --> 03:12.720
Things change.

03:12.740 --> 03:17.420
Microsoft has taken steps to make sure that Hyper-V will grow with you as they do.