Shielding a VM with Windows Server 2016 on Dell PowerEdge 13G Servers

Disclaimer: Dell does not offer support for Windows Server 2016 at this time. Dell is actively testing and working closely with Microsoft on Windows Server 2016, but since it is still in development, the exact hardware components/configurations that Dell will fully support are still being determined. The information divulged in our online documents prior to Dell launching and shipping Windows Server 2016 may not directly reflect Dell supported product offerings with the final release of Windows Server 2016. We are, however, very interested in your results/feedback/suggestions. Please send them to

This blog was originally written by Dell engineers Shubhra Rana and Vinay Patkar.

As server virtualization has been adopted by small, medium and large enterprises, cyber security breaches have frequently come into the limelight. Security has become one of the most important concerns for users adopting public/private cloud services. Many cloud veterans and security specialists have come up with innovative solutions that help curb security incidents and make cloud services more secure for both individual and enterprise adoption. Microsoft has introduced an enhancement in the virtualization layer that prevents unauthorized access to tenants'/users' virtual machines. This offering includes a role called Host Guardian Service (HGS) and the concept of shielding virtual machines. This blog aims to provide insight into this offering and also highlights Dell’s role in supporting the feature in the PowerEdge 13G line of servers.

Host Guardian Service, Guarded Host and Shielded VMs:

Let us understand the basics of Host Guardian Service and Shielded VMs. Shielded VMs are encrypted virtual machines that can run only on certain hosts, called Guarded Hosts, which are authorized to run the shielded VMs and manage their state. These Guarded Hosts must be identified before they can be trusted. While Guarded Hosts are capable of running Shielded VMs, or in other words can manage the entire lifecycle of Shielded VMs, a service is needed that authenticates a Guarded Host as a trusted host. This is the purpose of the Host Guardian Service. HGS provides attestation and key distribution services so that a guarded host can run shielded VMs. All these features are applicable only to Generation 2 VMs, since they boot in virtual UEFI mode, which gives the benefit of Secure Boot functionality along with BitLocker disk encryption using a vTPM (virtual TPM, a new feature introduced in Windows Server 2016).

Need for HGS:

The Shielded VM and Guarded Fabric concepts in a datacenter and/or public and private clouds provide many security guarantees and overcome many security gaps that were present in WS2012 R2. They also protect the sensitive workloads running on the VMs from being tampered with by unknown parties.

The following are the assurances provided by shielded VMs:

  • Encrypted virtual hard disks ensure that there is no unauthorized access to the underlying data. Only attested hosts can launch a Shielded Virtual Machine.
  • Having a virtualized instance of the TPM (vTPM) that does not depend on physical hardware (i.e. a physical TPM) ensures that the stringent security measures apply even during VM migration across hosts.
  • Shielded VMs prevent code injection and any insecure code execution and hence safeguard against malware injection attacks.

HGS deployment mode and Pre-Requisites:

The HGS role supports two attestation mechanisms: Active Directory based (Admin-based) and hardware based. The main difference between these two methods lies in the way attestation is performed for the trusted (guarded) hosts. The hardware based attestation mechanism provides much better security guarantees than the admin-trusted mode by including mechanisms like code integrity, a measured boot process and hardware-rooted trust.

The Pre-requisites for HGS deployment are:

  • BIOS 1.5.3 and above, TPM 1.2 or TPM 2.0 chip with firmware version
  • UEFI (2.3.1 or later) mode with Secure Boot enabled
  • Virtualization extensions (Intel VT-x and AMD-V)
  • IOMMU (Intel VT-d)

Though a TPM 2.0 chip is not a mandatory requirement to host the HGS service, it is required on the Guarded Hosts for hardware based attestation.

A few notable points about Active Directory based attestation, hardware based attestation and TPM:

  • It is recommended to run HGS (Host Guardian Service) on HDDs encrypted with BitLocker as an additional security measure, for which TPM 1.2 is sufficient; however, we recommend using TPM 2.0 for better security. If customers prefer not to encrypt the HDDs on the Host Guardian Service node, then a TPM chip is not mandatory.
  • The Host Guardian Service and the Guarded Hosts should run on separate dedicated Active Directories. Access to these domains should be restricted. This ensures that the Host Guardian Service is isolated from the Guarded Fabric (containing the guarded hosts).
  • For hardware based attestation, TPM 2.0 is mandatory on the Guarded Hosts; AD based attestation for a Guarded Host doesn’t require a TPM chip.
  • Shielded VMs can run only on the Guarded Hosts.

Dell’s Role in TPM 2.0 enablement:

Currently TPM 2.0 chips are supported across the following Dell PowerEdge Servers: PE R530xd, PE M830, PE FC630, PE FC430, PE R430, PE FC830, PE M630, PE R730, PE T430, PE R530, PE T630, PE C4130 and PE R630.

As Windows Server 2016 is still under development, and to provide a smooth customer experience of running the Shielded Virtual Machines feature on Dell PE servers, we have done a good amount of testing of this feature in our lab on physical servers. A minimum of 3 Dell PE 13G servers is required (one for each role/service: Host Guardian Service, Guarded Host and at least one tenant).

We covered a basic test scenario that included a Dell PE R730 server with the HGS server role enabled, 2 guarded hosts (Dell PE R730XD, Dell PE T630) and one tenant (Dell PE R730). Our test scenario covered a wide range of testing, from creating and running a shielded VM to migrating shielded VMs across trusted and untrusted hosts. The corresponding enablement of the security features has been verified.

Note: for the test scenario we chose the Dell PE R730, PE R730XD and PE T630 servers in no particular order, though the exact configuration details are yet to be decided.

Enablement of TPM 2.0 on Dell 13G PowerEdge servers:

The enablement requires two steps:

  • In the System BIOS settings, under System Security, there is a TPM Security field. Turn this field on. Below the TPM Security field is the "TPM Advanced" submenu. Enter it and enable the TPM PPI ByPass Clear field.

Figure 1: Security in System Setup

Figure 2: TPM Advanced tab in System Setup ->Security

  • From within the OS, press Windows+R and open the TPM management GUI by typing tpm.msc. The TPM status should display "ready to use".

Figure 3: TPM status in TPM.msc
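
The same TPM status, together with the prerequisites listed earlier, can also be checked from an elevated PowerShell prompt on a prospective guarded host. The script below is an added example, not a Dell or Microsoft script; the variable names are illustrative, and it assumes the host is intended for hardware based attestation, so it expects TPM 2.0.

```powershell
# Added example: prerequisite check for a prospective guarded host. Run elevated.
$minBios = [version]'1.5.3'            # minimum BIOS from the prerequisite list

$bios   = Get-CimInstance -ClassName Win32_BIOS
$tpm    = Get-Tpm                      # TpmReady corresponds to the status shown in tpm.msc
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$dg     = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Confirm-SecureBootUEFI throws when the system was not booted in UEFI mode.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM family.
$tpmFamily = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

# A BIOS string that does not parse as a version fails the check and needs a manual look.
$parsed = $null
$biosOk = [version]::TryParse($bios.SMBIOSBIOSVersion, [ref]$parsed) -and ($parsed -ge $minBios)

# AvailableSecurityProperties: 1 = hypervisor support, 3 = DMA protection (needs an IOMMU).
$props = @($dg.AvailableSecurityProperties)

$results = @(
    [pscustomobject]@{ Check = "BIOS >= $minBios";          Found = $bios.SMBIOSBIOSVersion; Pass = $biosOk }
    [pscustomobject]@{ Check = 'TPM present and ready';     Found = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
                       Pass  = ($tpm.TpmPresent -and $tpm.TpmReady) }
    [pscustomobject]@{ Check = 'TPM 2.0 (hardware attestation)'; Found = $tpmFamily; Pass = ($tpmFamily -eq '2.0') }
    [pscustomobject]@{ Check = 'UEFI with Secure Boot on';  Found = $secureBoot; Pass = $secureBoot }
    [pscustomobject]@{ Check = 'Hypervisor support';        Found = ($props -join ','); Pass = ($props -contains 1) }
    [pscustomobject]@{ Check = 'IOMMU / DMA protection';    Found = ($props -join ','); Pass = ($props -contains 3) }
)

$results | Format-Table -AutoSize

if ($results.Pass -contains $false) {
    Write-Warning 'One or more guarded-host prerequisites are not met; review BIOS and TPM settings.'
}
```

For a host that will use AD based attestation only, the TPM rows can be ignored, since that mode does not require a TPM chip.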

This blog describes the specific settings required for Dell PowerEdge servers to host shielded VMs. After logging into the OS, configure the HGS node, Guarded Hosts and tenants with the required roles and features. For detailed documentation regarding Guarded Fabric and Shielded Virtual Machines and a step-by-step deployment procedure, refer to the Microsoft guide Shielded-VMs-and-Guarded-44176db3.


Article ID: SLN311416

Last Date Modified: 08/17/2018 04:23 AM
