Safeguard IT with Microsoft Windows Server 2016


The Hewlett Packard Enterprise and Microsoft partnership combines technologies to help businesses reach their full potential and operate with increased agility, extra layers of security, and higher resiliency. When customers run Microsoft Windows Server 2016 on HPE ProLiant servers, they get robust security with layers of redundancy. Today, we will look at a few key security features of Microsoft Windows Server 2016 that help safeguard valuable data (on-premises or in the cloud), helping your customers mitigate their risk and avoid costly business disruption.


Just-in-time & Just-enough Administration (JEA) assigns single-use, task-based administrative rights and privileges. Using Just-In-Time and Just-Enough Administration, administrators can request the specific privileges they need for the exact window of time required.

Benefit: Gives greater control and enhances server management and administration. With Just-in-time & Just-enough Administration, users' rights are determined by, and limited to, chosen areas of responsibility and can be granted for one-time use while logging actions.
- Reduces the number of administrators on the machines
- Enhances security control of particular tasks
- Improves auditing and reporting of activities


Shielded Virtual Machines include a virtual TPM device, which enables organizations to apply BitLocker to the virtual machines and ensure they run only on trusted hosts to help protect against compromised storage, network, and host administrators.

Benefit: The content of a virtual machine (VM), such as IP, data, and account info, is secure from VM theft and unauthorized fabric admin intrusion. The VM will not unlock and cannot be accessed on or mounted off premises unless the required keys are provided through the Host Guardian Service.
- Improves admin security and managed access to applications and data (especially for high-security/regulated businesses)
- Offers significant overall security enhancements made across multiple components (including Hyper-V)

NOTE: Shielded Virtual Machines are an exclusive feature of Windows Server 2016 Datacenter edition.


Host Guardian Service: Alongside Shielded VMs, the Host Guardian Service is an essential component for creating a secure virtualization fabric. Its job is to assess the health of a Hyper-V host before it will allow a Shielded Virtual Machine to boot or to migrate to that host. It holds the keys for Shielded Virtual Machines and will not release them until the security health is assured.

Benefit: Hyper-V host validation; the encryption keys needed to start or live migrate a shielded VM are released through a secure layer controlled by the tenant, and only to the authorized Hyper-V host server(s) with a verified secure boot and an untampered OS.
- Helps keep trust and isolation boundary between the cloud infrastructure and guest OS layer
- Manages and authorizes the release of the encryption keys used to shield virtual machines


Windows Defender works hand-in-hand with Device Guard and Control Flow Guard to prevent malicious code of any kind from being installed on your servers. It is turned on by default – the administrator does not need to take any action for it to start working. Windows Defender is also optimized to support the various server roles in Windows Server 2016.

Benefit: Available at first initialization of OS and with Internet connectivity, provides automated updates to malware definitions for continuous protection
- Immediate protection minimizes security exposure during first-run and scheduled updates
- Always-on protection monitors and scans all downloads or applications


Want to learn more about Windows Server 2016 and how these features work with HPE Servers? Download the Implementing Microsoft® Windows Server® 2016 using HPE ProLiant Servers, Storage, and Options whitepaper from HPE and the Windows Server 2016 Security whitepaper from Microsoft.

Then, check out these other helpful resources:
- Datasheet: HPE OEM Windows Server 2016
- Support & Certification Matrices: HPE Servers and Windows Server 2016
- WS2016 Licensing FAQ: HPE OEM Windows Server 2016

About the Author


Willa manages the HPE | Microsoft Coffee Coaching program. Follow along to learn more about the latest HPE OEM Microsoft product releases and how the HPE Microsoft partnership can benefit partners and customers.