Using shielded VMs in a cluster

John Savill explains how to use shielded virtual machines in a cluster environment.

John Savill

April 19, 2016


Q. Can I use shielded VMs in a cluster?

A. Windows Server 2016 Hyper-V introduces shielded VMs, as explained at http://windowsitpro.com/hyper-v/super-secure-hyper-v-environments-shielded-vms-2016, and at first it may seem that they won't work in a clustered environment, where VMs move between hosts. However, this is not the case once you look in detail at how the shielded VM functionality actually works: there is no direct link between the virtual TPM of a VM and the TPM of the Hyper-V host.

The vTPM content is stored in the VM's runtime state file (the VMRS file), and access to it is unlocked with keys obtained from the Host Guardian Service once the Hyper-V host has proven its health and its right to access them. One way a host proves this is TPM-based attestation, which uses the TPM in the Hyper-V host; however, there is still no direct link between that TPM and the vTPM of the VM. This means VMs can move between hosts in a cluster even when protected by shielded VM functionality.
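As an added example that is not part of the original column, the following PowerShell pre-flight check confirms the precondition the answer describes: every node the VM might land on must itself have passed Host Guardian Service attestation, because that is how a node obtains the key that unlocks the VM's VMRS file. The cluster name, the VM name and the assumption that the cluster role carries the VM's name are placeholders.

```powershell
# Added example, not code from the original column. Assumes a Windows Server
# 2016 cluster 'HVCluster01' whose nodes have the Hyper-V and HgsClient modules,
# and a shielded VM 'SHIELD-VM01' whose cluster role has the same name.
# Both names are placeholders.
$ClusterName = 'HVCluster01'   # placeholder
$VMName      = 'SHIELD-VM01'   # placeholder

# 1. Confirm the VM really is shielded and carries a vTPM on its current owner.
$owner = (Get-ClusterGroup -Cluster $ClusterName -Name $VMName).OwnerNode.Name
$sec   = Get-VMSecurity -VMName $VMName -ComputerName $owner
if (-not ($sec.Shielded -and $sec.TpmEnabled)) {
    throw "$VMName is not a shielded VM with a vTPM; nothing to check."
}

# 2. Ask every cluster node for its guarded-host status. A node that has not
#    passed attestation cannot obtain the key to the VMRS file from HGS, so a
#    migration there would leave the VM unable to start.
$nodes  = (Get-ClusterNode -Cluster $ClusterName).Name
$status = Invoke-Command -ComputerName $nodes -ScriptBlock {
    $c = Get-HgsClientConfiguration
    [pscustomobject]@{
        Node              = $env:COMPUTERNAME
        IsHostGuarded     = $c.IsHostGuarded
        AttestationStatus = $c.AttestationStatus
        AttestationMode   = $c.AttestationOperationMode
    }
}
$status | Format-Table -AutoSize

$bad = $status | Where-Object { -not $_.IsHostGuarded }
if ($bad) {
    throw "Not all nodes are guarded hosts: $($bad.Node -join ', '). Fix attestation before migrating."
}

# 3. Every node is attested, so a live migration to any other node is safe.
$target = $nodes | Where-Object { $_ -ne $owner } | Select-Object -First 1
Move-ClusterVirtualMachineRole -Cluster $ClusterName -Name $VMName -Node $target -MigrationType Live
```

Run it from a management host with the FailoverClusters, Hyper-V and HgsClient modules available; the table it prints shows which node, if any, is failing attestation.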
