Mastering Windows Server 2016 Hyper-V

(Romina) #1

https://blogs.technet.microsoft.com/windowsserver/2016/08/25/windows-serverscalability-and-more/


CONTAINERS AND NESTED VIRTUALIZATION


Containers provide a sandbox for creating applications; these containers can contain
the application, configuration, and details of dependencies such as libraries and
runtimes. This enables simple and consistent deployment of applications, isolation
from other applications, centralized management and storage, in addition to granular
resource control.


Containers have been available in Linux distributions for a while and have gained
adoption with Docker, which offered a standardized management solution, container
technology, and image library. Windows Server 2016 brings container technology to
Windows for Windows applications in two types: Windows Containers and Hyper-V
Containers. Both use the same container technology, but they let the level of isolation
required for the application be chosen at deployment time: user-mode isolation (Windows
Containers) or kernel-mode isolation (Hyper-V Containers). Management can be performed
using PowerShell or Docker.


Enabling the kernel-mode isolation capability via Hyper-V Containers requires
creating virtual machines, which previously was impossible when the container host OS
was itself a virtual machine, because creating a VM within a VM (nested virtualization)
was not supported. Windows Server 2016 enables nested virtualization both for Hyper-V
Containers and for general nested virtualization needs.


SHIELDED VMs


Shielded VMs provide protection for the data and state of the VM against inspection,
theft, and tampering by users holding administrator privileges. Shielded VMs work for
generation 2 VMs, which provide the required Secure Boot, UEFI firmware, and virtual
Trusted Platform Module (vTPM) 2 support. While the Hyper-V hosts must be running
Windows Server 2016, the guest operating system in the VM can be Windows Server 2012
or above and, shortly after the Windows Server 2016 release, Linux.


A new Host Guardian Service instance is deployed in the environment. It stores the keys
required to run shielded VMs and releases them only to authorized Hyper-V hosts that can
prove they are healthy through one of several types of attestation. A shielded VM
provides the following benefits:


BitLocker-encrypted disks
A hardened VM worker process (VMWP) that helps prevent inspection and tampering
Automatically encrypted Live Migration traffic, as well as encryption of its runtime state file, saved state, checkpoints, and even Hyper-V Replica files
No console access, in addition to blocking PowerShell Direct, Guest File Copy Integration Components, and other services that provide possible paths from a
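As an added example (not from the book, and not Microsoft's own tooling), the following PowerShell audit reports, for each VM on a host, the generation 2 prerequisites and the shielded-VM protections listed above, plus whether the VM has virtualization extensions exposed for nested virtualization. Get-VMProtectionReport is an assumed function name; the cmdlets and property names are the Hyper-V module's own on Windows Server 2016.

```powershell
# Added audit script, not from the book. Requires the Hyper-V PowerShell module on a
# Windows Server 2016 host and a Hyper-V administrator session.
Import-Module Hyper-V

function Get-VMProtectionReport {
    [CmdletBinding()]
    param(
        # Assumed parameter: restrict the report to one VM; the default covers every VM.
        [string]$VMName = '*'
    )
    foreach ($vm in Get-VM -Name $VMName) {
        # Shielded, TpmEnabled and EncryptStateAndVmMigrationTraffic are the settings
        # behind the benefits listed in the text (vTPM, encrypted migration/state files).
        $security = Get-VMSecurity -VM $vm

        # Secure Boot and UEFI firmware exist only on generation 2 VMs; Get-VMFirmware
        # fails on generation 1, so report N/A instead of calling it.
        $secureBoot = if ($vm.Generation -eq 2) { (Get-VMFirmware -VM $vm).SecureBoot } else { 'N/A (Gen1)' }

        # "Guest Service Interface" is the Guest File Copy integration component that a
        # shielded VM blocks. PowerShell Direct has no per-VM switch, so it is not listed.
        $guestCopy = Get-VMIntegrationService -VM $vm -Name 'Guest Service Interface'

        # True when the host exposes virtualization extensions to this VM, i.e. the VM
        # can itself run Hyper-V (nested virtualization) and thus Hyper-V Containers.
        $nested = (Get-VMProcessor -VM $vm).ExposeVirtualizationExtensions

        [pscustomobject]@{
            VMName                   = $vm.Name
            Generation               = $vm.Generation
            SecureBoot               = $secureBoot
            vTPM                     = $security.TpmEnabled
            Shielded                 = $security.Shielded
            EncryptStateAndMigration = $security.EncryptStateAndVmMigrationTraffic
            GuestFileCopyEnabled     = $guestCopy.Enabled
            NestedVirtExposed        = $nested
        }
    }
}

# Example run: list VMs that are not shielded, so they can be reviewed against the
# workloads they host (not every VM needs shielding, but the gap should be deliberate).
Get-VMProtectionReport | Where-Object { -not $_.Shielded } | Format-Table -AutoSize
```

The report only reads the current settings; exposing nested virtualization to a VM is done separately with Set-VMProcessor -ExposeVirtualizationExtensions $true while the VM is powered off.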