Reading Time: < 1 minute

Guarded fabric can run three types of virtual machines:

Unprotected virtual machines: These virtual machines are standard Generation 1 or Generation 2 virtual machines that do not have any additional level of protection. Such virtual machines can run on any Hyper-V host and not only on guarded fabric.

Encryption-supported virtual machines: These are Generation 2 virtual machines that have vTPM that a virtual machine can use to encrypt the content of its virtual hard disk. You also can encrypt state and migration traffic for encryption-supported virtual machines. A virtualization administrator can access these virtual machines in the same way as accessing unprotected virtual machines and can run them on Hyper-V hosts that are not part of a guarded fabric. A Hyper-V host can present virtual TPM to encryption-supported virtual machines without requiring physical TPM on the Hyper-V host.

Shielded virtual machines: Shielded virtual machines include all the protection of encryption supported virtual machines and additional protection. Shielded virtual machines can start only if you run it on the Hyper-V host that is part of guarded fabric and it meets attestation requirements. You can access shielded virtual machines only over a network, for example by using Remote Desktop Connection you cannot access them by using Virtual Machine Connection or PowerShell Direct.

More posts on Windows Server 2016 Virtualization: