Best Practice for secure HyperV configuration

I think it depends on your infrastructure scale and architecture. :smileyhappy: Having domain joined Hyper-V Host allows centralized management with ease but it definitely cannot stop user that has admin privileges to make a silly mistake to take down the environment.

In a large environment, we can have an infrastructure.contoso.com forest and corporate.contoso.com forest with forest trust between forests, review and lock down the privileges but this can be complex arhitecture for small environment.

I suppose for small environment, it will be best to review the privileges and ensure that there is limited privileges for average user to access the Hyper-V Host storage through shared folders or UNC paths so that ransomware initiation cannot reach those files and encrypt them. If possible, get the Hyper-V host into Server Core mode and as for Windows Server 2016, deploy Nano Server with Hyper-V role because its the way to go.