Securing Virtual Machines in Windows 10


Trusted Platform Module (TPM)

A TPM is a specialized chip soldered on an endpoint device’s motherboard that provides hardware-based device authentication, tamper detection, and encryption key storage.
The TPM generates RSA encryption keys specific to the host system, making it impossible to recover data from an encrypted hard drive in a different computer than the one in which it was originally installed.
Further, the TPM generates a unique digital signature from the motherboard in which it was originally embedded, foiling any attempts to move the TPM chip itself to another machine.
This secure cryptographic integrated circuit provides a hardware-based approach to managing user authentication, network access and data protection. The TPM can be used with any major operating system and works best in conjunction with other security technologies such as firewalls, antivirus software, smart cards and biometric verification.

Secure Boot

When you boot a modern Windows PC, the Secure Boot feature in the UEFI firmware checks that the operating system loader and its drivers carry an approved digital signature. On Windows PCs, UEFI Secure Boot generally checks whether the low-level software is signed by Microsoft or the computer’s manufacturer. This prevents low-level malware such as rootkits from interfering with the boot process. Note that the latest versions of popular Linux distributions, including Ubuntu, Mint and Fedora, already install just fine on a Windows PC that has Secure Boot enabled.
In addition, Linux operating systems can now take advantage of Secure Boot in Generation 2 VMs in Hyper-V on Windows 10. Both Ubuntu 14.04 and SUSE Linux Enterprise Server 12 are currently supported, and support is expected to widen over time. These Linux VMs must be configured to use the Microsoft UEFI Certificate Authority (CA) Secure Boot template.

Linux VM Secure Boot
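
One way to audit the Secure Boot template setting described above, using the Hyper-V PowerShell module. This is an added example, not code from the original article; the VM names and the function name Test-LinuxVMSecureBoot are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example: audit Generation 2 Linux VMs for the Secure Boot template.
# Run from an elevated PowerShell session on the Hyper-V host.

$LinuxVMNames     = @('ubuntu-1404-web', 'sles12-db')   # hypothetical VM names
$RequiredTemplate = 'MicrosoftUEFICertificateAuthority'

function Test-LinuxVMSecureBoot {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$Template = $RequiredTemplate,
        [switch]$Fix    # apply the template to non-compliant VMs that are off
    )
    foreach ($vmName in $Name) {
        $result = [pscustomobject]@{
            VM = $vmName; SecureBoot = $null; Template = $null; Status = $null
        }
        $vm = Get-VM -Name $vmName -ErrorAction SilentlyContinue
        if (-not $vm) { $result.Status = 'NotFound'; $result; continue }

        # Generation 1 VMs use BIOS emulation and have no Secure Boot setting.
        if ($vm.Generation -ne 2) { $result.Status = 'Generation1'; $result; continue }

        $fw = Get-VMFirmware -VMName $vmName
        $ok = ($fw.SecureBoot -eq 'On') -and ($fw.SecureBootTemplate -eq $Template)

        if (-not $ok -and $Fix) {
            if ($vm.State -eq 'Off') {
                Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate $Template
                $fw = Get-VMFirmware -VMName $vmName
                $ok = ($fw.SecureBoot -eq 'On') -and ($fw.SecureBootTemplate -eq $Template)
            } else {
                # This script changes the setting only while the VM is off.
                Write-Warning "$vmName is $($vm.State); shut it down, then rerun with -Fix."
            }
        }
        $result.SecureBoot = $fw.SecureBoot
        $result.Template   = $fw.SecureBootTemplate
        $result.Status     = if ($ok) { 'Compliant' } else { 'NonCompliant' }
        $result
    }
}

# Report only; add -Fix to correct powered-off VMs.
Test-LinuxVMSecureBoot -Name $LinuxVMNames | Format-Table -AutoSize
```

A VM reported as NonCompliant with the MicrosoftWindows template has Secure Boot on but trusts only the Windows signing chain, so a Linux boot loader will fail signature verification at startup.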