{"id":9260,"date":"2021-11-08T08:41:25","date_gmt":"2021-11-08T16:41:25","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9260"},"modified":"2026-04-06T08:31:44","modified_gmt":"2026-04-06T15:31:44","slug":"using-shielded-virtual-machines-to-help-protect-highvalue-assets","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/","title":{"rendered":"Using shielded virtual machines to help protect high-value assets"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"112\" class=\"size-medium wp-image-7498 alignright\" style=\"margin-top: 0px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png\" alt=\"Microsoft Digital technical stories\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><em>We periodically update our stories, but we can\u2019t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time.<\/em><\/p>\n<p>Microsoft Digital Employee Experience (MDEE) protects our high-value corporate assets\u2014beyond just the network. We use shielded virtual machines (shielded VMs) and Host Guardian Services (HGS) in Windows Server 2019 to isolate our data. This ensures that control and administration of infrastructure and environment remain completely isolated from control and administration of data and applications.<\/p>\n<h2>Critical data and high risk environments<\/h2>\n<p>At MDEE, we classify approximately one percent of the services and data that we host as High\u00a0Value\u00a0Assets\u00a0(HVAs). An HVA is a single isolated environment that provides a secure space for company workloads. Access to HVA data by unauthorized users could negatively affect Microsoft business in a significant way.<\/p>\n<p>In our organization, we host several HVAs for different business groups that need a highly secure environment to prevent unauthorized access or data leaks. Most data in an HVA is classified as highly confidential. HVAs also host data that\u2019s regulated by government policy or other legal restrictions, or that\u2019s physically isolated from other datacenter assets and from our corporate network. A typical HVA can be broken down into several components:<\/p>\n<ul class=\"c-list\">\n<li><strong>HVA fabric<\/strong> is the hosting environment for all HVAs. The HVA fabric encompasses the secure hosts, storage, computing, and network services used by all our internal HVA customers.<\/li>\n<li><strong>HVA stamp<\/strong> is a single instance of an HVA that\u2019s hosted on the HVA fabric. HVA stamps are also called HVA instances.<\/li>\n<li><strong>Tier 0<\/strong> holds highly privileged Active Directory resources (such as computer and user accounts) that can give an attacker significant access to the network. These resources include domain controllers, which host the Active\u00a0Directory database, and highly privileged accounts or groups, such as domain admins or enterprise admins.<\/li>\n<li><strong>Tier 1<\/strong> hosts privileged services and systems used by HVAs. These resources provide control over enterprise servers and applications. Tier 1 contains a significant amount of business value hosted in the assets.<\/li>\n<li><strong>Tier 2<\/strong> is also called the customer tier. It hosts services that are provided and managed by the internal customer who uses the HVA. Each HVA hosts a unique set of customers and services. Tier 2 services may be privileged in comparison to other systems, but within the scope of the specific HVA, they are the least-privileged services.<\/li>\n<\/ul>\n<h3>HVA topology<\/h3>\n<p>A standard HVA host includes the three-tier administrative model and uses the HVA fabric for storage, network, and related services. The components of an HVA are distributed and managed in highly secured datacenters. Each access tier gives a layer of protection against credential theft.<\/p>\n<p>The HVA system is multi-tenant. Each HVA stamp is an isolated environment that\u2019s built for a specific customer or isolated workload. We use isolation techniques to help create clear boundaries between HVA stamps. HVA stamps can be of mixed size (with a different number of virtual machines, different sizes of virtual machines, and so on) and can host a variety of environments. One HVA stamp might host a single Tier 2 service, and others might host full end-to-end environments that have hundreds of servers.<\/p>\n<p>The following figure shows a high-level view of an HVA environment with several HVA stamps.<\/p>\n<figure id=\"attachment_9266\" aria-describedby=\"caption-attachment-9266\" style=\"width: 967px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-9266 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image001-v2.png\" alt=\"The graphic depicts 3 HVA stamps, each with the same 3 tiers: Tier 0 Services (AD, PKI), Tier 1 Services, and Tier 2 (Customer) Services.\" width=\"967\" height=\"471\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image001-v2.png 967w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image001-v2-300x146.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image001-v2-768x374.png 768w\" sizes=\"auto, (max-width: 967px) 100vw, 967px\" \/><figcaption id=\"caption-attachment-9266\" class=\"wp-caption-text\">HVA topology<\/figcaption><\/figure>\n<h2>Using shielded VMs for HVA<\/h2>\n<p>To create the private cloud environment that hosts our HVA resources, we use Windows Server\u00a02019, System\u00a0Center Virtual\u00a0Machine\u00a0Manager, and Windows Azure Pack (WAP). Windows Server 2019 introduces the shielded VM feature in Hyper-V. It protects virtual machines from threats outside and inside the fabric. It does this by encrypting disk and virtual machine states so that only virtual machine admins or tenant admins can access them.<\/p>\n<p>By using System Center Virtual Machine Manager and Hyper-V host clusters in our private cloud environment, we can quickly and efficiently provision HVAs. We don\u2019t have to worry about provisioning specific hardware to host HVA resources. The Windows Azure Pack offers a familiar, browser-based interface that our internal customers can use to provision resources. When needed, we provision shielded VMs and provide the computing resources to host an HVA workload.<\/p>\n<h3>Guarded fabric health attestation and key release<\/h3>\n<p>Shielded VMs are part of the guarded fabric system in Windows Server 2019 Hyper-V. The guarded fabric consists of several layered components:<\/p>\n<ul class=\"c-list\">\n<li><strong>Code and boot integrity<\/strong> uses virtualization-based security to allow only approved code to run on the Hyper-V host from the moment it starts.<\/li>\n<li><strong>Virtualization-based security<\/strong> uses hardware security technology in Windows Server 2019 to create an area that\u2019s isolated from the Windows kernel and other applications to prevent external attacks.<\/li>\n<li><strong>Trusted Platform Module (TPM) 2.0<\/strong> is used to securely measure a Hyper-V host&#8217;s boot process and code integrity policy. These are then sent to the HGS as part of the health attestation process.<\/li>\n<li><strong>Host Guardian Service (HGS)<\/strong> acts as an arbitration point for the guarded fabric that contains shielded VMs. HGS provides health attestation for the Hyper-V hosts and key protection for the material that\u2019s required to run the shielded VMs.<\/li>\n<\/ul>\n<h4>Guarded host attestation<\/h4>\n<p>As illustrated in the figure below, HGS handles the attestation process for the guarded Hyper-V hosts on which the shielded\u00a0VMs reside, including key requests and health information. This process ensures the health of the host, the protection of the shielded VM, and the appropriate access for users.<\/p>\n<figure id=\"attachment_9267\" aria-describedby=\"caption-attachment-9267\" style=\"width: 954px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-9267 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image002-v2.png\" alt=\"The graphic depicts the process of attestation, with host guardian service on the left and guarded Hyper-V host on the right.\" width=\"954\" height=\"486\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image002-v2.png 954w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image002-v2-300x153.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image002-v2-768x391.png 768w\" sizes=\"auto, (max-width: 954px) 100vw, 954px\" \/><figcaption id=\"caption-attachment-9267\" class=\"wp-caption-text\">Guarded host attestation process with HGS<\/figcaption><\/figure>\n<p>The attestation process includes the following steps:<\/p>\n<ol class=\"c-list\">\n<li>The guarded Hyper-V host sends a key request to the HGS.<\/li>\n<li>The HGS replies that it can\u2019t verify that the Hyper-V host is a legitimate host.<\/li>\n<li>The Hyper-V host sends its endorsement key to HGS from its TPM module to establish identity, along with health baseline and code integrity policy.<\/li>\n<li>If HGS recognizes the identity of the Hyper-V host and considers the baseline and code integrity policy healthy, it supplies a certificate of health to the Hyper-V host.<\/li>\n<li>The Hyper-V host re-sends the key request and health certificate to the HGS.<\/li>\n<li>The HGS sends an encrypted response back to the Hyper-V host\u2019s virtualization-based security, and the response can be decrypted only by the host hardware security module, to start the shielded VM.<\/li>\n<\/ol>\n<h3>Implementing HVA fabric using shielded VMs<\/h3>\n<p>The implementation of HVAs using shielded VMs starts at the datacenter. All HVA servers should be in physically isolated and secure environments. Physical access to the datacenter requires two-person access, and it\u2019s limited to the HVA fabric team and the administrative team.<\/p>\n<h4>Physical access implementation<\/h4>\n<p>Best practices for implementing physical security components for the HVA include:<\/p>\n<ul class=\"c-list\">\n<li>Physical access to the hosting fabric hardware and datacenter floor should require two-person biometric access controls and smart card access to all server cages and racks.<\/li>\n<li>Physical access to the hosting fabric hardware and datacenter floor by an HVA team admin should require datacenter access tool tickets and a fabric admin escort.<\/li>\n<li>Datacenter floor access should be granted to only permanent employees.<\/li>\n<li>Cameras should be used to record all physical access to the datacenter floor and racks.<\/li>\n<li>The datacenter should have around-the-clock security guards on site\u2014they monitor the facility, datacenter floor, and all access paths.<\/li>\n<\/ul>\n<h4>Hardware implementation<\/h4>\n<p>We use only specifically configured hardware in our HVA fabric. Our host hardware runs Windows Server 2019 and Hyper-V. The following table lists the components and management responsibilities.<\/p>\n<p style=\"text-align: left;\"><em>Hardware components and management responsibilities<\/em><\/p>\n<table style=\"border: 1px solid black; border-collapse: collapse; padding: 5px;\">\n<thead>\n<tr>\n<th style=\"border: 1px solid black; padding: 5px; text-align: center;\">Component<\/th>\n<th style=\"border: 1px solid black; padding: 5px; text-align: center;\">Managed by<\/th>\n<th style=\"border: 1px solid black; padding: 5px; text-align: center;\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"border: 1px solid black; padding: 5px;\">Fabric host servers with TPM 2.0<\/td>\n<td style=\"border: 1px solid black; padding: 5px;\">Fabric admin team<\/td>\n<td style=\"border: 1px solid black; padding: 5px;\">Host servers are grouped into isolated racks, or pods, and they\u2019re managed by System Center Virtual Machine Manager. They belong to a separate fabric Active Directory Domain Services domain.<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid black; padding: 5px;\">Storage systems<\/td>\n<td style=\"border: 1px solid black; padding: 5px;\">Fabric admin team<\/td>\n<td style=\"border: 1px solid black; padding: 5px;\">These are grouped into the same pods as the server infrastructure. HVA fabric storage is provided by System Center Virtual Machine Manager.<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid black; padding: 5px;\">Network hardware<\/td>\n<td style=\"border: 1px solid black; padding: 5px;\">Network infrastructure services team in conjunction with the fabric admin team<\/td>\n<td style=\"border: 1px solid black; padding: 5px;\">Firewalls are configured between each layer of the HVA fabric.<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid black; padding: 5px; text-align: left;\">Hardware security modules<\/td>\n<td style=\"border: 1px solid black; padding: 5px; text-align: left;\">Network infrastructure services team in conjunction with the fabric admin team<\/td>\n<td style=\"border: 1px solid black; padding: 5px; text-align: left;\">These modules control access to each grouping of Hyper-V host servers that we call a pod. The hardware security modules host secured private keys that participate in the certificate services implementation in HGS. Any administrative function on a hardware security module requires a two-out-of-three security officer quorum.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The following graphic shows the HVA hosting fabric, including HGS, for two primary sites.<\/p>\n<figure id=\"attachment_9268\" aria-describedby=\"caption-attachment-9268\" style=\"width: 988px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-9268 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image003-v2.png\" alt=\"The HVA hosting fabric consists of two identical copies of the four-layer infrastructure: HSM, HGS, guarded Hyper-V hosts, and fabric DCs.\" width=\"988\" height=\"478\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image003-v2.png 988w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image003-v2-300x145.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339-image003-v2-768x372.png 768w\" sizes=\"auto, (max-width: 988px) 100vw, 988px\" \/><figcaption id=\"caption-attachment-9268\" class=\"wp-caption-text\">The HVA hosting fabric<\/figcaption><\/figure>\n<p>The architecture groups together pods of Hyper-V servers as pods, managed by System\u00a0Center Virtual\u00a0Machine\u00a0Manager and fabric domain controllers. The pods are controlled by a group of HGS servers, with access controlled by hardware security modules. We can use this layer separation to separate the administrators of the underlying virtualization fabric from the administrators of the applications and the administrators of the HGS.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"74\" class=\"alignnone size-medium wp-image-7448\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png\" alt=\"Key Takeaways\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<h2>Moving forward with HVA using shielded VMs and HGS<\/h2>\n<p>We\u2019re experiencing several significant achievements in our HVA environment by using shielded VMs and HGS:<\/p>\n<ul class=\"c-list\">\n<li><strong>Dedicated hosting environment (HVA fabric)<\/strong> is a separate host environment for HVAs. It includes specialized configuration and staff who manage the day-to-day operations of all fabric systems. This hosting environment uses the latest and greatest security configurations and systems to help protect HVA customers and workloads.<\/li>\n<li><strong>HVA stamps isolation<\/strong> is a dedicated environment that holds all necessary services to support a designated workload. This isolated HVA stamp is built to protect itself from all outside threats.<\/li>\n<li><strong>Role separation<\/strong> keeps every tier of access throughout the fabric, HVA stamps, and related systems isolated. It provides role separation between admins of different functions or types. Fabric admins, network admins, and HVA stamp admins all have isolated credentials and access rights. Most systems also require at least two-person access to change the HVA hosting fabric.<\/li>\n<li><strong>Privilege elevation mitigation<\/strong> requires different credentials and remote access systems for each tier. IPsec, Group Policy, and silos prevent tier access cross-pollination.<\/li>\n<li><strong>Network isolation<\/strong> keeps each HVA stamp isolated. All inter-network connections are terminated through a physical firewall. Intra-network connections are protected by IPsec, Windows Firewall, and Group Policy configuration.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"81\" class=\"alignnone size-medium wp-image-7482\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png\" alt=\"Related links\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<ul class=\"c-list\">\n<li><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsoft-extends-azure-management-to-the-private-cloud-with-azure-arc\/\">Microsoft extends Azure management to the private cloud with Azure Arc<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/insidetrack\/migrating-system-center-configuration-manager-on-premises-infrastructure-to-microsoft-azure\">Migrating System Center Configuration Manager on-premises infrastructure to Microsoft Azure<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/data-center-security\/step-by-step-configuring-the-host-guardian-service-in-windows\/ba-p\/372193\" target=\"_blank\" rel=\"noopener\">Step by Step &#8211; Configuring the Host Guardian Service in Windows Server 2016 &#8211; Microsoft Tech Community<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We periodically update our stories, but we can\u2019t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time. Microsoft Digital Employee Experience (MDEE) protects our high-value corporate assets\u2014beyond just the network. We use [&hellip;]<\/p>\n","protected":false},"author":133,"featured_media":9262,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[115],"coauthors":[646],"class_list":["post-9260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-microsoft-azure","program-microsoft-digital-technical-stories","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft Protects Assets by Shielding Virtual Machines<\/title>\n<meta name=\"description\" content=\"Learn how Microsoft created secure, isolated environments for business groups that manage highly confidential, regulated, or restricted data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Protects Assets by Shielding Virtual Machines\" \/>\n<meta property=\"og:description\" content=\"Learn how Microsoft created secure, isolated environments for business groups that manage highly confidential, regulated, or restricted data.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-08T16:41:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-06T15:31:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/\"},\"author\":{\"name\":\"Inside Track staff\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\"},\"headline\":\"Using shielded virtual machines to help protect high-value assets\",\"datePublished\":\"2021-11-08T16:41:25+00:00\",\"dateModified\":\"2026-04-06T15:31:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/\"},\"wordCount\":1739,\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/12\\\/10339_hero.jpg\",\"keywords\":[\"Microsoft Azure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/\",\"name\":\"Microsoft Protects Assets by Shielding Virtual Machines\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/12\\\/10339_hero.jpg\",\"datePublished\":\"2021-11-08T16:41:25+00:00\",\"dateModified\":\"2026-04-06T15:31:44+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\"},\"description\":\"Learn how Microsoft created secure, isolated environments for business groups that manage highly confidential, regulated, or restricted data.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/12\\\/10339_hero.jpg\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/12\\\/10339_hero.jpg\",\"width\":1040,\"height\":585,\"caption\":\"Microsoft Digital shares best practices for protecting virtual machines and assets in a hybrid environment.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using shielded virtual machines to help protect high-value assets\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\",\"name\":\"Inside Track staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g5b36aff6a325749e67e5cb253696fa6b\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g\",\"caption\":\"Inside Track staff\"},\"description\":\"Questions? Send us a note: msitstaff@microsoft.com\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/author\\\/insidetrack\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Protects Assets by Shielding Virtual Machines","description":"Learn how Microsoft created secure, isolated environments for business groups that manage highly confidential, regulated, or restricted data.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft Protects Assets by Shielding Virtual Machines","og_description":"Learn how Microsoft created secure, isolated environments for business groups that manage highly confidential, regulated, or restricted data.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/","og_site_name":"Inside Track Blog","article_published_time":"2021-11-08T16:41:25+00:00","article_modified_time":"2026-04-06T15:31:44+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg","type":"image\/jpeg"}],"author":"Inside Track staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track staff","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/"},"author":{"name":"Inside Track staff","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"headline":"Using shielded virtual machines to help protect high-value assets","datePublished":"2021-11-08T16:41:25+00:00","dateModified":"2026-04-06T15:31:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/"},"wordCount":1739,"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg","keywords":["Microsoft Azure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/","name":"Microsoft Protects Assets by Shielding Virtual Machines","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg","datePublished":"2021-11-08T16:41:25+00:00","dateModified":"2026-04-06T15:31:44+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"description":"Learn how Microsoft created secure, isolated environments for business groups that manage highly confidential, regulated, or restricted data.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg","width":1040,"height":585,"caption":"Microsoft Digital shares best practices for protecting virtual machines and assets in a hybrid environment."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-shielded-virtual-machines-to-help-protect-highvalue-assets\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Using shielded virtual machines to help protect high-value assets"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e","name":"Inside Track staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g5b36aff6a325749e67e5cb253696fa6b","url":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g","caption":"Inside Track staff"},"description":"Questions? Send us a note: msitstaff@microsoft.com","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/10339_hero.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2pm","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=9260"}],"version-history":[{"count":10,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9260\/revisions"}],"predecessor-version":[{"id":22985,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9260\/revisions\/22985"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/9262"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=9260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=9260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=9260"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=9260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}