With Windows Server 2019, Microsoft is adding resiliency and redundancy enhancements to the Shielded Virtual Machines security controls it introduced with Windows Server 2016.
Shielded VMs originally provided a way to protect virtual machine assets by isolating them from the hypervisor infrastructure and could also help prove to auditors that systems were adequately isolated and controlled. Now Shielded VM enhancements in Windows Server 2019 provide real-time failback configurations and host- and policy-based security improvements.
Host key attestation
Under Windows Server 2016, host attestation was based on trusted platform module (TPM) cryptoprocessors or Microsoft Active Directory group membership. Both are sound solutions but were limited when it comes to extensibility and redundancy.
Host key attestation that’s been added to Windows Server 2019 provides a certificate-based solution that allows organizations to store keys using standard certificate-storage mechanisms. Organizations that want to isolate Shielded VMs to TPM-based systems can continue with TPM-based attestation.
No longer limited by the extent of an Active Directory or TPM-based environment, host key attestation has opened up new scenarios for Shielded VMs. These include scaling up Shielded VMs as well as improving the redundancy of Shielded VMs.
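The host key attestation flow described above, as an added example that is not part of the original article: the guarded host generates a key pair, exports the public half, and the HGS administrator registers it after switching HGS to host key mode. Cmdlet names follow the HgsClient and HgsServer PowerShell modules shipped with Windows Server 2019; the hostnames, file paths and URLs are placeholders, and parameter names should be confirmed with Get-Help on the target build.

```powershell
# Added example (not from the article): host key attestation setup on
# Windows Server 2019. Hostnames, paths and URLs are placeholders.

# --- On the guarded Hyper-V host ---
# Generate a host key pair in the local machine certificate store.
Set-HgsClientHostKey

# Export the public key so it can be registered with HGS.
$keyPath = "C:\HgsKeys\$env:COMPUTERNAME.cer"          # placeholder path
New-Item -ItemType Directory -Path (Split-Path $keyPath) -Force | Out-Null
Get-HgsClientHostKey -Path $keyPath

# Point the host at the HGS attestation and key protection endpoints.
$hgs = "hgs.contoso.example"                            # placeholder HGS FQDN
Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://$hgs/Attestation" `
    -KeyProtectionServerUrl "http://$hgs/KeyProtection"

# --- On the HGS server ---
# Switch HGS to host key attestation (TPM-based attestation remains
# available for environments that want to keep that stronger root of trust).
Set-HgsServer -TrustHostKey

# Register the host's public key; one entry per guarded host. Only hosts
# whose keys are listed here will attest successfully.
Add-HgsAttestationHostKey -Name "HV01" -Path "\\fileshare\HgsKeys\HV01.cer"   # placeholders

# Review the trusted host keys; remove any for decommissioned hosts.
Get-HgsAttestationHostKey

# --- Back on the guarded host: confirm attestation passes ---
# IsHostGuarded should be True and AttestationStatus should report success.
Get-HgsClientConfiguration
```

Because a host key is only as trustworthy as the process that registered it, treat Add-HgsAttestationHostKey as a change-controlled step and periodically reconcile Get-HgsAttestationHostKey against the inventory of guarded hosts.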
The Host Guardian Service (HGS) was introduced in Windows Server 2016 to configure guarded hosts and Shielded VMs; it provides the attestation and key protection needed to run Shielded VMs. When HGS is inaccessible and a Shielded VM needs to boot, the failback configuration in Windows Server 2019 provides an additional layer of HGS redundancy. The Shielded VM environment can be configured with a primary and a secondary HGS server so that if the primary is down, the guarded host reaches out to the secondary HGS server to attest and obtain the keys needed to start the VM.
This can address remote/branch office scenarios in which a significant outage causes servers to shut down, and upon reboot the local HGS server is not online yet or possibly in a critical failed state, yet the remote office needs to get its systems booted up and running.
With failback configuration, when branch office systems try to authenticate to the local HGS server and fail, the systems will reach across the WAN to the main data-center HGS servers for authentication so the boot can proceed. This resiliency is an optional configuration.
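The branch-office failback described above, as an added example that is not part of the original article: the guarded host is given the local HGS as its primary endpoints and the data-center HGS as fallback endpoints, then the configuration is verified. Cmdlet names follow the HgsClient module in Windows Server 2019; the -FallbackAttestationServerUrl and -FallbackKeyProtectionServerUrl parameters and the IsFallbackInUse property are assumed to match that release, and all hostnames and URLs are placeholders.

```powershell
# Added example (not from the article): HGS failback on a branch-office
# guarded host. Parameter and property names are assumed to match the
# Windows Server 2019 HgsClient module; hostnames and URLs are placeholders.

$localHgs   = "hgs-branch.contoso.example"   # placeholder: branch-office HGS
$centralHgs = "hgs-dc.contoso.example"       # placeholder: data-center HGS

# Primary endpoints stay local; fallback endpoints cross the WAN only when
# the local HGS does not answer, so normal boots never depend on the WAN.
Set-HgsClientConfiguration `
    -AttestationServerUrl           "http://$localHgs/Attestation" `
    -KeyProtectionServerUrl         "http://$localHgs/KeyProtection" `
    -FallbackAttestationServerUrl   "http://$centralHgs/Attestation" `
    -FallbackKeyProtectionServerUrl "http://$centralHgs/KeyProtection"

# Confirm both sets of URLs were recorded and check which one is in use.
$cfg = Get-HgsClientConfiguration
$cfg

# IsFallbackInUse (assumed property name) being True means the local HGS
# is down or unreachable: worth an alert, since the branch is now booting
# Shielded VMs over the WAN against the data-center HGS.
if ($cfg.IsFallbackInUse) {
    Write-Warning "Guarded host $env:COMPUTERNAME is attesting via fallback HGS $centralHgs; check local HGS $localHgs."
}

# Exercise and diagnose the attestation path end to end.
Get-HgsTrace -RunDiagnostics -Detailed
```

The fallback HGS must hold the same attestation policies and key-protection keys as the primary (or the primary's keys must be replicated to it); otherwise hosts that fail over will attest against a different policy set or be unable to unwrap the VM keys, and the boot still fails.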
Improved tools and policies for Shielded VMs
Shielded VM in Windows Server 2019 includes a number of improvements in the tools and policies available.