Introduction to Hyper-V Shielded VMs

Shielded VMs are a Windows Server 2019 Hyper-V security feature that protects virtual machine data from administrators with physical or Hyper-V host access. A shielded VM’s virtual hard disk is encrypted with BitLocker, its state is sealed by virtual TPM (vTPM), and it can only run on hosts that have been attested as trustworthy by a Host Guardian Service (HGS). This protects VM workloads from rogue Hyper-V admins, exfiltrated VHD files, and unauthorized host cloning—delivering a fabric-level security model where the VM owner is protected even from the infrastructure team.

Architecture Components

The Host Guardian Service (HGS) is a separate, highly secured Windows Server 2019 forest that acts as the attestation and key release authority. Guarded Hosts are Hyper-V servers that have been approved by HGS and receive encryption keys only after passing attestation. Shielding Data Files (.pdk) contain the tenant’s secrets—encryption certificates, unattend answers, and allowed guardian definitions—packaged by the VM owner and never accessible to the hosting fabric admin.

Step 1: Deploy the Host Guardian Service


# Install HGS on a dedicated Windows Server 2019 Server Core cluster
# HGS runs in its own new forest - do not join to your production domain
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools

# Initialize HGS as a new forest (creates its own AD domain)
$hgsPass = ConvertTo-SecureString 'HGSAdmin!P@ss2024' -AsPlainText -Force
Install-HgsServer `
    -HgsDomainName 'hgs.bastion' `
    -SafeModeAdministratorPassword $hgsPass

# After the server reboots, initialize the HGS service
# Choose attestation mode: AD-based (v2, easier) or TPM-based (v3, more secure)
# TPM-based is recommended for production

# TPM-based attestation
Initialize-HgsAttestation -HgsServiceName 'HGS' -TrustTpm

# AD-based attestation (simpler, for testing/legacy hardware without TPM 2.0)
# Initialize-HgsAttestation -HgsServiceName 'HGS' -TrustActiveDirectory

# Initialize HGS key protection service
Initialize-HgsKeyProtection

# Get the HGS configuration
Get-HgsServer
Get-HgsClientConfiguration

Step 2: Configure a Guarded Host (Hyper-V Server)


# On the Windows Server 2019 Hyper-V host that will run shielded VMs

# Install the Host Guardian Client feature
Install-WindowsFeature -Name HostGuardian

# Configure the HGS server URL on the Hyper-V host
Set-HgsClientConfiguration `
    -AttestationServerUrl 'https://HGS.hgs.bastion/Attestation' `
    -KeyProtectionServerUrl 'https://HGS.hgs.bastion/KeyProtection'

# For TPM-based attestation: collect and submit host artifacts to HGS
# Step 1: Collect the TPM identifier (endorsement key plus host name) and save it to XML;
# this is the file that gets registered on the HGS server below
Get-PlatformIdentifier -Name 'HyperV-Host01' | Out-File -FilePath 'C:\HGS\HyperV-Host01.xml' -Encoding UTF8

# Step 2: Capture Secure Boot policy from the host
$uefiPolicy = Get-UefiSignatureList -Path 'C:\HGS\UefiSignatureList.xml'

# Step 3: Capture the Code Integrity policy. Create the XML policy first, then convert it
# to the binary .p7b form that HGS accepts (the original order ran the conversion before the XML existed)
New-CIPolicy -Level Publisher -Fallback Hash -FilePath 'C:\HGS\SiPolicy.xml' -UserPEs
ConvertFrom-CIPolicy -XmlFilePath 'C:\HGS\SiPolicy.xml' -BinaryFilePath 'C:\HGS\SiPolicy.p7b'

# On the HGS server: register the host artifacts
# Add-HgsAttestationTpmHost -Name 'HyperV-Host01' -Path 'C:\HGS\HyperV-Host01.xml'
# Add-HgsAttestationUefiSignatureList -Name 'UefiPolicy01' -Path 'C:\HGS\UefiSignatureList.xml'
# Add-HgsAttestationCiPolicy -Name 'BaselinePolicy' -Path 'C:\HGS\SiPolicy.p7b'

# Test that the host can attest successfully (IsHostGuarded is True and AttestationStatus is Passed on a healthy host)
Get-HgsClientConfiguration | Select-Object IsHostGuarded, Mode, AttestationStatus, AttestationSubstatus
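Before submitting a host's artifacts to HGS it is worth checking that the hardware and firmware state TPM-trusted attestation measures is actually in place; this added pre-flight script (not part of the original article) checks TPM 2.0, Secure Boot, VBS/HVCI and the HGS client URL and returns the findings as one object. The attestation URL is the article's example value and is a placeholder for your own HGS endpoint.

```powershell
# Added example: pre-flight check for a prospective guarded host (not from the original article).
# Assumes the Hyper-V and HostGuardian features are installed; $HgsAttestationUrl is a placeholder.
function Test-GuardedHostPrerequisites {
    [CmdletBinding()]
    param([string]$HgsAttestationUrl = 'https://HGS.hgs.bastion/Attestation')

    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM must be present and provisioned; TPM-trusted attestation requires a 2.0 module
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { $findings.Add('No TPM detected') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM present but not ready (not provisioned)') }
    $tpmVer = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    if ($tpmVer -notmatch '^2\.') { $findings.Add("TPM spec version is '$tpmVer'; 2.0 is required") }

    # Secure Boot must be on, otherwise the UEFI measurements will not match the HGS policy
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') }
    } catch { $findings.Add('Secure Boot state could not be read (legacy BIOS boot?)') }

    # VBS must be running (status 2) with HVCI (service 2) so the CI policy is enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) { $findings.Add('Virtualization-based security is not running') }
    if (2 -notin $dg.SecurityServicesRunning) { $findings.Add('HVCI (hypervisor-enforced code integrity) is not running') }

    # The HGS client must point at the intended attestation endpoint
    $hgs = Get-HgsClientConfiguration
    if ($hgs.AttestationServerUrl -ne $HgsAttestationUrl) {
        $findings.Add("Attestation URL is '$($hgs.AttestationServerUrl)', expected '$HgsAttestationUrl'")
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IsHostGuarded     = $hgs.IsHostGuarded
        AttestationStatus = $hgs.AttestationStatus
        Ready             = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

Test-GuardedHostPrerequisites | Format-List
```

Run it as an administrator on the Hyper-V host; an empty Findings list with Ready = True means the artifacts you capture will reflect a state HGS can actually accept.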

Step 3: Create HGS Signing and Encryption Certificates


# On the HGS server, create or import signing and encryption certificates
# For production: use certificates from internal CA

# For testing: create self-signed certificates on HGS
$signingCert = New-SelfSignedCertificate `
    -DnsName 'HGS-Signing' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(3)

$encryptionCert = New-SelfSignedCertificate `
    -DnsName 'HGS-Encryption' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -NotAfter (Get-Date).AddYears(3)

# Add the certificates to HGS, then mark each one as the primary certificate of its type
Add-HgsKeyProtectionCertificate -CertificateType Signing -Thumbprint $signingCert.Thumbprint
Set-HgsKeyProtectionCertificate -CertificateType Signing -Thumbprint $signingCert.Thumbprint -IsPrimary
Add-HgsKeyProtectionCertificate -CertificateType Encryption -Thumbprint $encryptionCert.Thumbprint
Set-HgsKeyProtectionCertificate -CertificateType Encryption -Thumbprint $encryptionCert.Thumbprint -IsPrimary

# Export the HGS guardian metadata (the tenant needs it to create shielding data).
# The key protection service publishes it at a well-known URL, so fetch it from the HGS server.
Invoke-WebRequest -Uri 'https://HGS.hgs.bastion/KeyProtection/service/metadata/2014-07/metadata.xml' `
    -OutFile 'C:\HGS\HGSGuardian.xml'

Step 4: Create Shielding Data File

The shielding data file (.pdk) is created by the VM owner (tenant) and contains the VM’s secrets. The fabric admin (Hyper-V admin) never sees the contents of this file:


# Import the HGS guardian (received from the fabric team) once and reuse it below;
# importing the same name twice fails
$hgsGuardian = Import-HgsGuardian -Path 'C:\PDK\HGSGuardian.xml' -Name 'ProductionHGS' -AllowExpired

# Create an owner guardian (represents the VM tenant's identity)
$ownerGuardian = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates

# Prepare the unattend answer file for the shielded VM
# This contains domain join information and admin password - stays encrypted in the PDK
$unattendPath = 'C:\PDK\Unattend.xml'

# Create the Volume Signature Catalog from the golden VHDX template
$templateVHDX = 'C:\Templates\WS2019-Core-Template.vhdx'
Save-VolumeSignatureCatalog -TemplateDiskPath $templateVHDX `
    -VolumeSignatureCatalogPath 'C:\PDK\VSC.vsc'

# Create the shielding data file
# -VersionRule Equals pins the PDK to exactly this template disk signature
$pdkPassword = ConvertTo-SecureString 'TenantP@ssword2024' -AsPlainText -Force

New-ShieldingDataFile -ShieldingDataFilePath 'C:\PDK\Production.pdk' `
    -Owner $ownerGuardian `
    -Guardian $hgsGuardian `
    -VolumeIDQualifier (New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\PDK\VSC.vsc' -VersionRule Equals) `
    -WindowsUnattendFile $unattendPath `
    -Policy Shielded

Write-Output "Shielding data file created at C:\PDK\Production.pdk"

Step 5: Deploy a Shielded VM


# On a guarded Hyper-V host, create a shielded VM
# The fabric admin provides the template VHDX and receives the PDK from the tenant

# Create the VM with Generation 2 (required for Shielded VMs)
New-VM -Name 'ShieldedVM01' `
    -Generation 2 `
    -MemoryStartupBytes 4GB `
    -VHDPath 'D:\VMs\ShieldedVM01\OSDisk.vhdx' `
    -SwitchName 'vSwitch-Production'

# Enable vTPM on the VM (required for shielded VMs)
Enable-VMTPM -VMName 'ShieldedVM01'

# Enable shielding on the VM (this is typically done via VMM or PowerShell)
Set-VMSecurityPolicy -VMName 'ShieldedVM01' -Shielded $true

# Provision the shielded VM using the PDK
# This decrypts the template and seals it with the tenant's vTPM
# In a VMM-managed environment, this is done via the provisioning wizard
# Or using the pdkcreate tool and Initialize-ShieldedVM

Initialize-VMFromTemplate -VMName 'ShieldedVM01' `
    -TemplateDiskPath 'C:\Templates\WS2019-Core-Template.vhdx' `
    -ShieldingDataFilePath 'C:\PDK\Production.pdk' `
    -Wait

# Start the VM
Start-VM -Name 'ShieldedVM01'

Monitoring Shielded VM Health


# Check VM security state
Get-VMSecurity -VMName 'ShieldedVM01' | Select-Object Shielded, VirtualizationBasedSecurityOptOut, BindToHostTpm

# Check host attestation status
Get-HgsClientConfiguration | Format-List

# Check HGS attestation health on the HGS server
Get-HgsTrace -RunDiagnostics

# View the shielded VM's key protector. It is returned as raw bytes (not JSON), so a
# non-empty value means a key protector bound to the HGS guardian is attached
$keyProtector = Get-VMKeyProtector -VMName 'ShieldedVM01'
"Key protector size: $($keyProtector.Length) bytes"

# HGS event log
Get-WinEvent -LogName 'Microsoft-Windows-HostGuardianService-Client/Admin' -MaxEvents 20 |
    Select-Object TimeCreated, LevelDisplayName, Message
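The checks above are one-off commands; the following added function (not part of the original article) folds them into a single host report: attestation state, the security posture of every VM on the host with a flag for the misconfigurations that matter (a shielded VM without a vTPM or key protector, or one that does not encrypt migration traffic), and the warning/error events from the HGS client log over a chosen window. It assumes the Hyper-V and HgsClient modules are present on the host.

```powershell
# Added example: consolidated health report for a guarded host (not from the original article).
function Get-ShieldedVmHealthReport {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $hgs   = Get-HgsClientConfiguration
    $since = (Get-Date).AddHours(-$Hours)

    # Per-VM posture. Shielded is the policy flag; the other properties show whether it is backed up
    # by a vTPM, a key protector and encrypted state/migration traffic.
    $vms = foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VM $vm
        $hasKp = ((Get-VMKeyProtector -VM $vm).Length -gt 0)
        $concern = if ($sec.Shielded -and -not $sec.TpmEnabled) { 'Shielded but vTPM disabled' }
                   elseif ($sec.Shielded -and -not $hasKp) { 'Shielded but no key protector attached' }
                   elseif ($sec.Shielded -and -not $sec.EncryptStateAndVmMigrationTraffic) { 'Shielded but migration traffic not encrypted' }
                   elseif ($sec.Shielded -and $vm.Generation -ne 2) { 'Shielded but not Generation 2' }
                   else { $null }
        [pscustomobject]@{
            Name                              = $vm.Name
            Generation                        = $vm.Generation
            Shielded                          = $sec.Shielded
            TpmEnabled                        = $sec.TpmEnabled
            EncryptStateAndVmMigrationTraffic = $sec.EncryptStateAndVmMigrationTraffic
            HasKeyProtector                   = $hasKp
            Concern                           = $concern
        }
    }

    # Warning (3) and Error (2) events from the HGS client log: failed or expired attestation shows up here
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-HostGuardianService-Client/Admin'
            Level     = 2, 3
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        Host                    = $env:COMPUTERNAME
        IsHostGuarded           = $hgs.IsHostGuarded
        AttestationStatus       = $hgs.AttestationStatus
        AttestationSubstatus    = $hgs.AttestationSubstatus
        ShieldedVmCount         = @($vms | Where-Object Shielded).Count
        VmsWithConcerns         = @($vms | Where-Object Concern)
        RecentAttestationEvents = @($events)
    }
}

$report = Get-ShieldedVmHealthReport -Hours 24
$report | Format-List Host, IsHostGuarded, AttestationStatus, AttestationSubstatus, ShieldedVmCount
$report.VmsWithConcerns | Format-Table Name, Concern
```

A host whose AttestationStatus drops from Passed, or any VM listed under VmsWithConcerns, is the condition to alert on; scheduling this against each guarded host turns the manual checks above into a routine control.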

Conclusion

Hyper-V Shielded VMs on Windows Server 2019 provide a cryptographic guarantee that VM contents cannot be accessed by Hyper-V host administrators, backup tools, or anyone who exfiltrates the VHDX file. The Host Guardian Service establishes a hardware-rooted trust chain from the TPM through HGS attestation to key release, ensuring that encrypted VMs can only start on approved, policy-compliant hosts. This makes Shielded VMs the appropriate choice for multi-tenant hosted environments, regulated workloads, and any scenario where the infrastructure team must be kept out of the tenant’s data.