Bolster Hyper-V 2016 security with Generation 2 virtual hardware, Secure Boot, isolated virtual networks, shielded VMs and strict adherence to the latest patches and updates.
A secure guest VM generally starts with a Generation 2 VM. Generation 2 VMs use the newer virtual hardware available in Windows Server 2012 R2 and later: they boot from UEFI firmware rather than a legacy BIOS, drop the emulated legacy devices, and boot faster as a result. That UEFI firmware is what enables Secure Boot in the guest, for Windows and, with the Microsoft UEFI Certificate Authority template added in Windows Server 2016, for supported Linux distributions. With Secure Boot on, the virtual firmware verifies the digital signature of the boot loader and the code it loads, so unknown or tampered boot loader, kernel or firmware-level code cannot run at boot time inside the VM. Note that this protects the guest's boot chain only; the Hyper-V host needs its own Secure Boot configuration and patching.
To boost Hyper-V 2016 security and protect the guest OS, install the latest patches and security updates in the guest before the VM goes into production. It is also worthwhile to harden the guest OS in each VM: install only the components the VM's role requires (Server Core where the workload supports it), configure the OS to your security baseline, and restrict access to guest VMs and their OSes to the administrators who actually need it.
For stronger guest VM security, isolate guests on private or internal virtual switches rather than the external switch that reaches the physical network, and make sure each virtual network adapter connects to the intended switch with the appropriate security settings: DHCP guard and router guard on, MAC address spoofing off, and port ACLs where only specific traffic should be allowed. Combine isolated networks with encryption to protect storage resources and guard data at rest (for example, BitLocker on the host volumes that hold virtual disks) and in flight (for example, SMB encryption for storage and live migration traffic).
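As an added, end-to-end example that is not from the original article, the following PowerShell creates a Generation 2 VM with Secure Boot on (using the Linux template, since that is the case the article calls out), attaches it to an isolated private switch with the adapter guards and port ACLs described above, and then audits every Generation 2 VM on the host for weak settings. The VM name web01, switch name vs-backend, path D:\VMs and the HTTPS-only ACL are assumptions; change them for your environment, and run it elevated on the Hyper-V host.

```powershell
# Added example (not from the original article). Names and paths are placeholders.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

$vmName  = 'web01'                       # assumed VM name
$switch  = 'vs-backend'                  # assumed switch name
$vhdPath = "D:\VMs\$vmName\$vmName.vhdx" # assumed storage path

# 1. Generation 2 VM: UEFI firmware, Secure Boot capable, no legacy BIOS devices.
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 40GB | Out-Null

# 2. Secure Boot. The default template (MicrosoftWindows) trusts the Windows boot loader;
#    a Linux guest needs the Microsoft UEFI CA template so its signed shim loader is trusted.
#    Pick the template for the OS you will actually install, or the guest will not boot.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On `
               -SecureBootTemplate MicrosoftUEFICertificateAuthority

# 3. Isolated network: a private switch has no path to the host OS or the physical NIC,
#    so only VMs attached to it can talk to each other.
if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switch -SwitchType Private | Out-Null
}
Connect-VMNetworkAdapter -VMName $vmName -SwitchName $switch

# 4. Per-adapter guards: the guest cannot pose as a DHCP server or a router, and cannot
#    change its MAC address. These are the settings a compromised guest would use against
#    its neighbours on the same switch.
Set-VMNetworkAdapter -VMName $vmName -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# 5. Extended port ACLs on the adapter: allow stateful HTTPS inbound, deny all other inbound.
#    Higher weight wins, so the specific allow (100) is evaluated before the catch-all deny (1).
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Action Allow -Direction Inbound `
    -LocalPort 443 -Protocol TCP -Weight 100 -Stateful $true
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Action Deny -Direction Inbound -Weight 1

# 6. Audit: list every Generation 2 VM on this host whose firmware or adapter settings
#    fall short (Secure Boot off, spoofing allowed, or a guard switched off).
Get-VM | Where-Object Generation -eq 2 | ForEach-Object {
    $fw  = Get-VMFirmware -VM $_
    $nic = Get-VMNetworkAdapter -VM $_
    [pscustomobject]@{
        VM          = $_.Name
        SecureBoot  = $fw.SecureBoot
        Template    = $fw.SecureBootTemplate
        DhcpGuard   = ($nic.DhcpGuard -join ',')
        RouterGuard = ($nic.RouterGuard -join ',')
        MacSpoofing = ($nic.MacAddressSpoofing -join ',')
    }
} | Where-Object {
    $_.SecureBoot -ne 'On' -or $_.MacSpoofing -match 'On' -or
    $_.DhcpGuard -match 'Off' -or $_.RouterGuard -match 'Off'
} | Format-Table -AutoSize
```

The audit at the end is the part worth keeping around: run it on a schedule and any VM that someone has quietly toggled Secure Boot off on, or re-enabled MAC spoofing for, shows up in the output.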
VMs on Windows Server 2016 and later can use guarded fabric technology to create shielded VMs and deploy them to guarded host systems through the Host Guardian Service (HGS). This Hyper-V 2016 security technology encrypts the VM's virtual disks and state, and HGS releases the keys needed to decrypt and start a shielded VM only to a host that has passed attestation: admin-trusted attestation, where the host's Active Directory group membership is checked, or the stronger TPM-trusted attestation, where a Trusted Platform Module 2.0 measured boot, UEFI Secure Boot and a code integrity policy are checked against a recorded baseline. This way, a shielded VM decrypts, starts and runs only on a known, trusted host, and a fabric administrator on that host cannot open the VM's console or read its virtual disk.
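As an added example that is not from the original article, the following PowerShell shows the guarded-host side of the flow described above on Windows Server 2016: point the host at HGS, confirm it has passed attestation, and then convert an existing Generation 2 VM into a shielded VM with a key protector that HGS controls. The HGS address hgs.contoso.com, the VM name web01, the guardian names and the use of -AllowUntrustedRoot (only appropriate when HGS uses self-signed certificates) are assumptions; the host must already have been registered with HGS by the fabric administrator.

```powershell
# Added example (not from the original article). Names, URLs and paths are placeholders.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V, HgsClient

$vmName = 'web01'                    # assumed, an existing Generation 2 VM, powered off
$hgs    = 'http://hgs.contoso.com'   # assumed HGS base URL

# 1. Point this host at the Host Guardian Service: attestation and key protection endpoints.
Set-HgsClientConfiguration -AttestationServerUrl "$hgs/Attestation" `
                           -KeyProtectionServerUrl "$hgs/KeyProtection"

# 2. Confirm attestation. A host that is not guarded cannot obtain keys from HGS,
#    so shielded VMs simply refuse to start on it; fail early with the reason.
$cfg = Get-HgsClientConfiguration
if (-not $cfg.IsHostGuarded) {
    throw "Host is not guarded: status=$($cfg.AttestationStatus) substatus=$($cfg.AttestationSubstatus)"
}
"Host guarded; attestation mode: $($cfg.AttestationOperationMode)"

# 3. Import the HGS guardian from the service's published metadata. HGS is the guardian
#    that actually releases keys; the owner guardian is the tenant's offline recovery key.
$metadata = Join-Path $env:TEMP 'HgsGuardian.xml'
Invoke-WebRequest -Uri "$hgs/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $metadata
$hgsGuardian = Get-HgsGuardian -Name 'HGS-contoso' -ErrorAction SilentlyContinue
if (-not $hgsGuardian) {
    $hgsGuardian = Import-HgsGuardian -Path $metadata -Name 'HGS-contoso' -AllowUntrustedRoot
}
$owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates   # keep this private key offline
}

# 4. Build the key protector and apply it to the VM. Shielding settings can only be changed
#    while the VM is off.
if ((Get-VM -Name $vmName).State -ne 'Off') {
    throw "Stop $vmName before shielding it"
}
$kp = New-HgsKeyProtector -Owner $owner -Guardian $hgsGuardian -AllowUntrustedRoot
Set-VMKeyProtector   -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM         -VMName $vmName                  # virtual TPM backs BitLocker inside the guest
Set-VMSecurityPolicy -VMName $vmName -Shielded $true  # blocks console access, encrypts state/migration

# 5. Verify: a shielded VM reports Shielded = True, TpmEnabled = True and encrypted state.
$sec = Get-VMSecurity -VMName $vmName
if (-not ($sec.Shielded -and $sec.TpmEnabled -and $sec.EncryptStateAndVmMigrationTraffic)) {
    throw "Shielding incomplete for $vmName : $($sec | Out-String)"
}
"$vmName is shielded; start it only on guarded hosts attested by $($cfg.AttestationServerUrl)"
```

Two practical notes: the guest still needs BitLocker enabled on its OS volume (normally done by deploying from a shielded template, which is why the virtual TPM is enabled here), and in production drop -AllowUntrustedRoot by issuing the HGS certificates from a CA the hosts already trust.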