
Microsoft: Shielded VM local mode and HGS mode


With the new capability in Windows 10, version 1709, Windows Client can host shielded VMs while using remote Host Guardian Service (HGS) attestation. This caused some confusion, as people stated they had already been running shielded VMs on client. This blog post is intended to clarify things and explain how to run them side by side.

In Windows 10, when you create a VM, you can optionally attach a virtual TPM (vTPM) to it. The vTPM gives the VM protection similar to what a physical TPM gives a physical device. vTPM state is encrypted, and the encryption key can be stored either locally (a.k.a. local mode) or remotely on an HGS server (a.k.a. HGS mode). HGS mode adds several strong security measures, such as validating boot measurements and code integrity policies. For more information on what HGS mode measures, check out my previous blog post on Privileged Access Workstations here.

The mode (local mode vs. HGS mode) is a configuration setting on the physical host that tells it where to get the key to unlock the vTPM. When the host is running in HGS mode, it gets the key from the HGS server (assuming it qualifies as healthy); when the host is running in local mode, it looks for the key locally. Previously, Windows Client only supported local mode; HGS mode support was added in the Windows 10, version 1709 release.
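To see which mode a host is in and which of its VMs depend on that setting, the following added example (not code from the original post) reads the host's HGS client configuration and lists each Generation 2 VM's vTPM status. It assumes the Hyper-V and HgsClient PowerShell modules and an elevated session; the function name `Get-VtpmKeySource` and the `hgs.example.test` URLs are placeholders.

```powershell
# Added example: report where this Hyper-V host looks for vTPM keys.
# Assumes the Hyper-V and HgsClient modules are installed; run elevated.
function Get-VtpmKeySource {
    # Host-wide setting: local mode or HGS mode.
    $hgs = Get-HgsClientConfiguration

    $source = switch ("$($hgs.Mode)") {
        'Local'               { 'stored locally on this host' }
        'HostGuardianService' { "HGS at $($hgs.KeyProtectionServerUrl)" }
        default               { "unrecognized mode '$($hgs.Mode)'" }
    }

    # vTPM is only available to Generation 2 VMs.
    Get-VM | Where-Object Generation -eq 2 | ForEach-Object {
        $sec = Get-VMSecurity -VM $_
        [pscustomobject]@{
            VMName            = $_.Name
            TpmEnabled        = $sec.TpmEnabled
            Shielded          = $sec.Shielded
            HostMode          = $hgs.Mode
            KeySource         = $source
            # Raw values from the HGS client; meaningful in HGS mode,
            # where the key is released only to a host judged healthy.
            IsHostGuarded     = $hgs.IsHostGuarded
            AttestationStatus = $hgs.AttestationStatus
        }
    }
}

Get-VtpmKeySource | Format-Table -AutoSize

# Changing the mode is a host-level change (placeholder URLs, adjust before use):
# Set-HgsClientConfiguration -EnableLocalMode
# Set-HgsClientConfiguration `
#     -AttestationServerUrl   'http://hgs.example.test/Attestation' `
#     -KeyProtectionServerUrl 'http://hgs.example.test/KeyProtection'
```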

Read the entire article here, Shielded VM local mode and HGS mode – Datacenter and Private Cloud Security Blog

Via the fine folks at Microsoft.

