Difference between a Shielded VM and Encryption Supported VM

Difference between a Shielded VM and Encryption Supported VM

Q. What is the difference between a shielded VM and an encryption supported VM?

A. Actually very little. Both leverage a key protector, both provide a vTPM to enable BitLocker in a secure fashion, both have a hardened VM worker process (VMWP.exe) to encrypt live migration and state information. The difference is a shielded VM enforces other restrictions such as no local console, no PowerShell Direct, no guest file copy integration component, no insecure virtual devices etc while with encryption supported these restrictions are not enabled by default (but can be turned on if desired on an individual basis).

I think of it as use shielded when you don't trust the fabric or administrators and use encryption supported when you do trust the fabric and the administrators and need encryption for compliance purposes, such as in a private cloud on-premises and still want the convenience of features like console access and PowerShell Direct.

When implementing once you have a key protector the difference between shielded and encryption supported is one word:

Set-VMKeyProtector –VMName $VMName –KeyProtector $KP.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded <$true for shielded or $false for encryption supported>
Enable-VMTPM -VMName $VMName

Everything else is the same.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.