Shielded Virtual Machines
You are already planning your deployment of WS2016 if security is important to you. Some features have made their way over from Windows 10 Enterprise; Credential Guard hides LSASS in a special Hyper-V partition called VSM, protecting stored administrator rights from malware behind a hardware-supported security boundary. Device Guard protects critical parts of the kernel against rogue software, ensuring that what is running is what is meant to be running.
Those that are running Hyper-V in a sensitive environment can deploy some very interesting functionality. A Host Guardian Service (HGS) can be deployed into an isolated environment; this enables a Hyper-V feature called shielded virtual machines. A host is checked for health (for example, root kit malware) when it boots up, and virtual machines are only allowed to start on or live migrate to healthy and authorized hosts — this prevents virtual machines being run on unauthorized or compromised environments. Shielding can also prevent KVPs (host-guest integrations) and console access to a virtual machine. Owners of virtual machines might be sensitive to unwanted or unauthorized peeking by administrators; virtual TPM allows the tenant to encrypt their virtual machine’s disks using BitLocker so that no one without guest admin rights can peek at the OS, programs, or data in the virtual hard disk files.