Best Practice for secure HyperV configuration

I agree with everyone so far and just to add a few more things to consider. Managing non domain joined machines, if not done correctly, can be less secure over all since you don't have a secure channel by default to work through. If you have not denied access to domain admins to everything in your enterprise except the domain controllers, you should start there. If you have not looked at LAPS, you should consider deploying and using that and removing all but a select few domain users and groups from local admin. No admins is preferred. Deploy your Hyper-V host configurations with PowerShell DSC and access them over PowerShell constrained endpoints using Just Enough Administration (JEA). If no one ever logs in interactively, admin or user, then the potential for malware execution is greatly reduced. In short how you configure and manage your servers is just as and sometime more important than the configuration itself.