šāØ Are you ready for a power-packed, productive, and inspiring October? āØš
Here we go, friends! š The October Calendar is officially here, right on time, as always! šļøšÆ This month, weāre bringing you a lineup of world-class sessions designed to help you: š Explore the https://www.linkedin.com/company/101186090/admin/page-posts/published/?share=true# ecosystem from new perspectives š” Gain practical skills you can apply immediately š¤ Connect with experts and a global community of learners š Stay ahead with the latest innovations in Azure, AI, Power Platform, Security, and beyond. What makes this calendar stand out is the incredible diversity of voices and expertise it brings together. š Youāll hear from global speakers who share not just theory, but real-world experiences across different industries, giving you insights that truly matter. And the best part? ā° No matter where you are in the world, the sessions are scheduled across multiple time zones so you can always join in. Even better, everything is completely free and open, because learning and growth should be accessible to everyone. š š Check out the full list of sessions, register today, and prepare yourself for an amazing month of learning, networking, and growth. š„ This isnāt just another calendar, itās your chance to grow, connect, and be inspired alongside thousands of passionate learners across the globe. š Letās make October unforgettable together in the https://www.linkedin.com/company/101186090/admin/page-posts/published/?share=true# way! š š¢ https://www.linkedin.com/in/kaspersvenmozartjohansen/ š October 4, 2025 06:00 PM CET š Get started with a modern zero trust remote access solution: Microsoft Global Secure Access šļø https://streamyard.com/watch/3APZGyZFRyQS?wt.mc_id=MVP_350258 š¢ https://www.linkedin.com/in/akanksha-malik/ š October 7, 2025 19:00 PM AEST š October 7, 2025 10:00 AM CET š Unlocking Document Insights with Azure AI šļø https://streamyard.com/watch/M6qvUYdv58tt?wt.mc_id=MVP_350258 š¢ https://www.linkedin.com/in/rexdekoning/ š October 11, 2025 06:00 PM CET š Azure Functions and network security.. Can it be done? šļø https://streamyard.com/watch/RHzXr5bpYHFY?wt.mc_id=MVP_350258 š¢ https://www.linkedin.com/in/jeevarajankumar/ š October 7, 2025 18:00 PM AEST š October 19, 2025 09:00 AM CET š D365 Field Service 101 šļø https://streamyard.com/watch/RtDkftSxhn7P?wt.mc_id=MVP_350258 š¢ https://www.linkedin.com/in/priyankashah/ š October 21, 2025 19:00 PM AEST š October 21, 2025 10:00 AM CET š FSI and Gen AI: Wealth management advisor with Azure Foundry Agents and MCP šļø https://streamyard.com/watch/Vb5rUWMBN9YN?wt.mc_id=MVP_350258 š¢ https://www.linkedin.com/in/monaghadiri/ š October 25, 2025 06:00 PM CET š The Role of Sentence Syntax in Security Copilot: Structured Storytelling for Effective Defence šļø https://streamyard.com/watch/EtPkn2EZkauD?wt.mc_id=MVP_350258Partner Blog | Security, growth, and trust: Introducing the FY26 Security solution plays
With cybersecurity threats becoming more frequent and complex, one question underpins every conversation we have with our Microsoft partners and customers: how do we keep our data and systems safe while driving innovation? Thatās the challenge weāve committed to tackling with the Secure Future Initiative (SFI), and itās why we recently introduced SFI patterns and practices to support partners and customers as they turn their security learnings into action. As part of our commitment, weāve been consistently reinforcing our AI-first security platformāwhich spans identity, threat protection, data security, and complianceāso our customers can safely and confidently innovate with AI. And our partners play a critical role in customer success. With over a million customers already using Microsoft Security solutions, thereās a significant opportunity for Microsoft partners like you to further differentiate your business and grow. Our extensive threat intelligence gives us visibility into more than 84 trillion security signals daily, as well as a deeper understanding of the evolving threat landscape and how our solutions can better protect customers. Add in your proven capabilities, plus those of our 15,000 partners with specialized security expertise, 3 and weāre more prepared than ever to secure our future together. Continue reading hereShielded VM Template Creation in a Hyper-V Guarded Fabric
To set up a shielded virtual machine template on a Hyper-V guarded fabric, you need to prepare a secure environment (Host Guardian Service, guarded hosts) and then create a BitLocker-protected, signed template disk. This document assumes that all Windows Server instances used are running Windows Server 2022 or Windows Server 2025. Prerequisites and Environment Setup Host Guardian Service (HGS): Deploy an HGS cluster (typically 3 nodes for high availability) in a separate Active Directory forest dedicated to HGS. For production, HGS should run on physical (or highly secured) servers, ideally as a three-node cluster. Ensure the HGS servers have the Host Guardian Service role installed and are up to date with software updates. Attestation Mode: TPM-Based: Ensure that HGS is configured for TPM-trusted attestation. In TPM mode, HGS uses each hostās TPM 2.0 identity (EKpub) and measured boot sequence to verify the hostās health and authenticity. This requires capturing each Hyper-V hostās TPM identifier and establishing a security baseline: TPM 2.0 and Boot Measurements: On each Hyper-V host, retrieve the TPMās public endorsement key (EKpub) and add it to the HGS trust store (e.g. using Get-PlatformIdentifier on the host and Add-HgsAttestationTpmHost on HGS). HGS will also require a TPM baseline (PCR measurements of the hostās firmware/boot components) and a Code Integrity (CI) policy defining allowed binaries. Generate these from a reference host and add them to HGS so that only hosts booting with the approved firmware and software can attest successfully. Host Requirements: Each guarded host (Hyper-V host) must meet hardware/OS requirements for TPM attestation. This includes TPM 2.0, UEFI 2.3.1+ firmware with Secure Boot enabled, and support for IOMMU/SLAT (for virtualization-based security). On each host, enable the Hyper-V role and install the Host Guardian Hyper-V Support feature (available in Datacenter edition). This feature enables virtualization-based protection of code integrity (ensuring the host hypervisor only runs trusted code), which is required for TPM attestation. (Test this configuration in a lab first as VBS/CI can affect some drivers). Guarded Fabric Configuration: Join Hyper-V hosts to the fabric domain and configure networking so that guarded hosts can reach the HGS servers (set up DNS or DNS forwarding between the fabric domain and HGS domain). After setting up HGS and adding host attestation data, configure each Hyper-V host as a guarded host by pointing it to the HGS cluster for attestation and key retrieval (using Set-HgsClientConfiguration to specify the HGS attestation and key protection URLs and any required certificates). Once a host attests successfully, it becomes an authorized guarded host able to run shielded VMs. HGS will release the necessary decryption keys only to those hosts that pass health attestation. Step 1: Create and Configure the Template VM (Gen 2) Prepare a Generation 2 VM: On a Hyper-V host (it can be a regular host or even a non-guarded host for template creation), create a new Generation 2 virtual machine. Generation 2 with UEFI is required for Secure Boot and virtual TPM support. Attach a blank virtual hard disk (VHDX) for the OS. Install Windows Server on this VM using standard installation media. Partition and File System Requirements: When installing the OS on the template VM, ensure the VHDX is initialized with a GUID Partition Table (GPT) and that the Windows setup creates the necessary partitions: there should be at least a small System/EFI boot partition (unencrypted) and the main OS partition (which will later be BitLocker-encrypted). The disk must be a basic disk (not dynamic within the guest OS) and formatted with NTFS to support BitLocker. Using the default Windows setup on a blank drive typically meets these requirements (the installer will create the EFI and OS partitions automatically on a GPT disk). Configure the OS: Boot the VM and perform any baseline configuration needed. Do not join this VM to any domain and avoid putting sensitive data on it as it should be a generic base image. Apply the latest Windows Updates and install any required drivers or software that should be part of the template OS (e.g. common management agents). Ensuring the template OS is fully updated is important for a reliable shielding process. Enable Remote Management: Because shielded VMs can only be managed remotely (no console access), consider configuring the template to enable Remote Desktop and/or PowerShell WinRM, and ensure the firewall is configured accordingly. You may also install roles/features that many VMs will need. However, do not configure a static IP or unique machine-specific settings in this template as those will be supplied via an answer file during provisioning. Step 2: Generalize the VM with Sysprep Run Sysprep: In the VM, open an elevated Command Prompt and run: C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /shutdown Choose āEnter System Out-of-Box Experience (OOBE)ā, check āGeneralizeā, and set Shutdown option to āShutdownā if using the GUI. This strips out machine-specific details and prepares the OS for first-boot specialization. The VM will shut down upon completion. Do Not Boot After Sysprep: Leave the VM off after it shuts down. The OS on the VHDX is now in a generalized state. Do not boot this VM again (doing so will boot into OOBE and break its generalized state). At this point you have a prepared OS disk (the VHDX) ready for sealing. (Optional) Backup the VHDX: Itās a good idea to make a copy of the sysprepāed VHDX at this stage. After the next step (sealing the template), the disk will be BitLocker-encrypted and cannot be easily modified. Keeping an unencrypted copy allows you to easily update the template image in the future if needed. Step 3: Protect and Seal the Template Disk (Shielded Template Wizard) Next, seal the template VMās OS disk using the Shielded VM Template Disk Creation process. This will encrypt the disk (preparing it for BitLocker) and produce a signed catalog so that the diskās integrity can be verified later. Install Shielded VM Tools: On a machine with GUI (this can be a management server or even Windows 11 with RSAT), install the Shielded VM Tools component. On Windows Server, use PowerShell: Install-WindowsFeature RSAT-Shielded-VM-Tools -IncludeAllSubFeature (and reboot if prompted). This provides the Template Disk Wizard (TemplateDiskWizard.exe) and PowerShell cmdlets like Protect-TemplateDisk. Obtain a Signing Certificate: Acquire a certificate to sign the template diskās Volume Signature Catalog (VSC). For production, use a certificate issued by a trusted CA that both the fabric administrators and tenants trust (e.g. an internal PKI or a certificate from a mutually trusted authority). The certificateās public key will be referenced later by tenants to trust this template. (For a lab or demo, you can use a self-signed cert, but this is not recommended for production.) Import the certificate into the local machineās certificate store if itās not already present. Launch the Template Disk Wizard: Open Template Disk Wizard (found in Administrative Tools after installing RSAT, or run TemplateDiskWizard.exe). This wizard will guide you through protecting the VHDX: Certificate: Select the signing certificate obtained in the previous step. This certificate will be used to sign the templateās catalog. Virtual Disk: Browse to and select the generalized VHDX from Step 2 (the sysprepāed OS disk). Signature Catalog Info: Provide a friendly name and version for this template disk (e.g. Name: āWS2025-ShieldedTemplateā, Version: 1.0.0.0). These labels help identify the disk and version to tenants. Proceed to the final page and Generate. The wizard will now: o Enable BitLocker on the OS volume of the VHDX and store the BitLocker metadata on the disk (but it does not encrypt the volume yet as encryption will finalize when a VM instance is provisioned with this disk). o Compute a cryptographic hash of the disk and create a Volume Signature Catalog (VSC) entry (which is stored in the diskās metadata) signed with your certificate. This ensures the diskās integrity can be verified; only disks matching this signed hash will be recognized as this template. Wait for the wizard to finish (it may take some time to initialize BitLocker and sign the catalog, depending on disk size). Click Close when done. The VHDX is now a sealed template disk. Itās marked internally as a shielded template and cannot be used to boot a normal VM without going through the shielded provisioning process (attempting to boot it in an unshielded way will likely cause a blue screen). The diskās OS volume is still largely unencrypted at rest (encryption will complete when a VM is created), but itās protected by BitLocker keys that will be released only to an authorized host via HGS. Extract the VSC File (for Tenant Use): Itās recommended to extract the templateās Volume Signature Catalog to a separate file. This .vsc file contains the diskās identity (hash, name, version) and the signing certificate info. Tenants will use it to authorize this template in their shielding data. Use PowerShell on the RSAT machine: Save-VolumeSignatureCatalog -TemplateDiskPath "C:\path\WS2022-ShieldedTemplate.vhdx" -VolumeSignatureCatalogPath "C:\path\WS2022-ShieldedTemplate.vsc" This saves the .vsc file separately. Share this .vsc with the VM owners (tenants) or have it available for the shielding data file creation in the next step. Alternatively to the wizard, you can use PowerShell: after installing RSAT, run Protect-TemplateDisk -Path <VHDX> -Certificate <Cert> -TemplateName "<Name>" -Version <X.Y.Z.W> to seal the disk in one step. The wizard and PowerShell achieve the same result. Step 4: Create the Shielding Data File (PDK) A shielding data file (with extension .pdk) contains the sensitive configuration and keys required to deploy a shielded VM from the template. This includes the local administrator password, domain join credentials, RDP certificate, and the list of guardians (trust authorities) and template disk signatures the VM is allowed to use. For security, the shielding data is created by the tenant or VM owner on a secure machine outside the fabric, and is encrypted so that fabric admins cannot read the contents. Prerequisites for Shielding Data: Obtain the Volume Signature Catalog (.vsc) file for the template disk (from Step 3) to authorize that template. If the VM should use a trusted RDP certificate (to avoid man-in-the-middle when connecting via RDP), obtain a certificate (e.g. a wildcard certificate from the tenantās CA) to include. This is optional; if the VM will join a domain and get a computer certificate or if youāre just testing, you may skip a custom RDP certificate. Prepare an unattend answer file or have the information needed to create one (admin password, timezone, product key, etc.). Use the PowerShell function New-ShieldingDataAnswerFile to generate a proper unattend XML for shielded VMs. The unattend will configure the VMās OS on first boot (e.g. set the Administrator password, optionally join a domain, install roles, enable RDP, etc.). Ensure the unattend enables remote management (e.g. turn on RDP and firewall rules, or enable WinRM) because console access is not available for shielded VMs. Also, do not hardcode any per-VM values in the unattend that should differ for each instance; use placeholders or plan to supply those at deployment time. Creating the .PDK file: On a secure workstation (not on a guarded host) with RSAT Shielded VM Tools installed, launch the Shielding Data File Wizard (ShieldingDataFileWizard.exe). This tool will collect the needed info and produce an encrypted PDK file. Owner and Guardian Keys: First, set up the guardians. āGuardiansā are certificates that represent who owns the VM and which fabrics (HGS instances) are authorized to run it. Typically: The Owner Guardian is a key pair that the tenant/VM owner possesses (the private key stays with the tenant). Create an Owner guardian (if not already) via the wizardās Manage Local Guardians > Create option. This generates a key pair on your machine. Give it a name (e.g. āTenantOwnerā). The Fabric Guardian(s) correspond to the HGS of the hosting fabric. Import the HGS guardian metadata file provided by the hoster (this is an XML with the HGS public key, exported via Export-HgsGuardian on the HGS server). In the wizard, use Manage Local Guardians > Import to add the hosterās guardian(s) (for example, āContoso HGSā). For production, you might import multiple datacenter guardians if the VM can run in multiple cloud regions, include each authorized fabricās guardian. After adding, select all the guardian(s) that represent fabrics where this VM is allowed to run. Also select your Owner guardian (the wizard may list it separately). This establishes that the VM will be owned by your key and can only run on hosts approved by those fabric guardians. Template Disk (VSC) Authorization: The wizard will prompt to add Volume ID Qualifiers or trusted template disks. Click Add and import the .vsc file corresponding to the template disk prepared in Step 3. You can usually choose whether the shielding data trusts only that specific version of the template or future versions as well (Equal vs. GreaterOrEqual version matching). Select the appropriate option based on whether you want to allow updates to the template without regenerating the PDK. This step ensures the secrets in the PDK will only unlock when that specific signed template disk is used. Unattend and Certificates: Provide the answer file (Unattend.xml) for the VMās specialization. If you created one with New-ShieldingDataAnswerFile, load it here. Otherwise, the wizard may have a simplified interface for common settings (depending on version, it may prompt for admin password, domain join info, etc.). Also, if using a custom RDP certificate, import it at this stage (so the VM will install that cert for remote desktop). Create the PDK: Specify an output file name for the shielding data (e.g., MyVMShieldingData.pdk) and finish the wizard. It will create the .pdk file, encrypting all the provided data. The Owner guardianās private key is used to encrypt secrets, and the Fabric guardianās public key ensures that HGS (holding the corresponding private key) is needed to unlock the file. The PDK is now ready to use for provisioning shielded VMs. (You can also create PDKs via PowerShell with New-ShieldingDataFile for automation.) Note the PDK is encrypted such that only the combination of the ownerās key and an authorized fabricās HGS can decrypt it. Fabric admins cannot read sensitive contents of the PDK, and an unauthorized or untrusted host cannot launch a VM using it. Keep the PDK file safe, as it contains the keys that will configure your VM. Step 5: (Optional) Prepare a Shielding Helper VHDX In some scenarios, especially if you need to convert an existing VM into a shielded VM or if you are not using SCVMM for provisioning, a Shielding Helper disk is used. The Shielding Helper is a special VHDX containing a minimal OS that helps encrypt the template disk and inject the unattend inside a VM without exposing secrets to the host. SCVMM can automate this, but if you need to do it manually or for existing VMs, prepare the helper disk as follows: Create a Helper VM: On a Hyper-V host (not necessarily guarded), create a Gen 2 VM with a new blank VHDX (do not reuse the template disk to avoid duplicate disk IDs). Install a supported OS (Windows Server 2016 or higher, a Server Core installation is sufficient) on this VM. This VM will be temporary and its VHD will become the helper disk. Ensure you can log into it (set a password, etc.), then shut it down. Initialize the Helper Disk: On a Hyper-V host with RSAT Shielded VM Tools, run the PowerShell cmdlet: Initialize-VMShieldingHelperVHD -Path "C:\VMs\ShieldingHelper.vhdx" This command should point to the VHDX of the helper VM. This injects the necessary provisioning agent and settings into the VHDX to make it a shielding helper disk. The VHDX is modified in-place (consider making a backup beforehand). Do Not Boot the Helper VM Again: After initialization, do not start the helper VM from Step 1. The VHDX is now a specialized helper disk. You can discard the VMās configuration. Only the VHDX file is needed going forward. Reuse for Conversions / Non-VMM Deployments: For manually shielding an existing VM, you would attach this helper VHDX to the VM and use PowerShell (e.g. ConvertTo-ShieldedVM or a script) to encrypt the VMās OS disk using the helper. The helper boots in place of the VMās OS, uses the PDK to apply BitLocker and the unattend to the OS disk, then shuts down. The VM is then switched to boot from its now-encrypted OS disk with a virtual TPM. (Note: Each initialized helper VHDX is typically one-time-use for a given VM; if you need to shield multiple VMs manually, create or copy a fresh helper disk for each to avoid BitLocker key reuse). Step 6: Prepare the Template Disk and PDK on the Host Copy the VHDX and PDK: Transfer the sealed template .vhdx and the .pdk file to the HyperāV host (or a cluster shared volume if the host is part of a HyperāV cluster). For example, place them in C:\ShieldedVM\templates\ on the host. This ensures the host can read the files during VM provisioning. Verify File Trust: (Optional) Double-check that the template diskās signature is recognized by the tenantās shielding data. The templateās .vsc file (volume signature catalog) should have been used when creating the PDK, so the PDK will ātrustā that specific template hash. Also verify that the HGS guardian in the PDK matches your fabricās HGS public key. These must align, or the VM provisioning will be rejected by HGS. Note: The PDK is encrypted and cannot be opened by the fabric admin as itās designed so that only HGS (and the VM owner) can decrypt its contents. The host will use it as-is during provisioning. Make sure you do not modify or expose the PDKās contents. PowerShell to finalize the shielded VM setup. Set up the key protector on the existing VM. For a clean process, you can use New-ShieldedVM on the guarded host: New-ShieldedVM -Name "Finance-App1" ` -TemplateDiskPath "C:\ShieldedVM\Templates\WS2025-ShieldedTemplate.vhdx" ` -ShieldingDataFilePath "C:\ShieldedVM\Templates\TenantShieldingData.pdk" -Wait This single command will create a new VM named āFinance-App1ā using the specified template disk and shielding data file. It automatically configures the VMās security settings: attaches a vTPM, injects the Key Protector (from the PDK) into the VMās security settings, and attaches the shielding helper disk to boot and apply the unattend. The -Wait flag tells PowerShell to wait until provisioning is complete before returning. Note: Ensure the VM name is unique in your Hyper-V inventory. The New-ShieldedVM cmdlet requires the GuardedFabricTools module and will fail if the host isnāt a guarded host or if guardians are not properly configured. It uses the hostās configured HGS connection to request keys when provisioning. If your shielding dataās unattend file included placeholders for unique settings (for example, a static IP address, custom computer name, etc.), you can supply those values with the -SpecializationValues parameter on New-ShieldedVM. This takes a hashtable mapping the placeholder keys to actual values. For instance: $specVals = @{ "@ComputerName@" = "Finance-App1" "@IP4Addr-1@" = "10.0.0.50/24" "@Gateway-1@" = "10.0.0.1" } New-ShieldedVM -Name "Finance-App1" -TemplateDiskPath C:\ShieldedVM\Templates\WS2025-ShieldedTemplate.vhdx ` -ShieldingDataFilePath C:\ShieldedVM\Templates\TenantShieldingData.pdk -SpecializationValues $specVals -Wait This would replace placeholders like @ComputerName@ in the unattend with āFinance-App1ā, etc. Use this only if the unattend (inside the PDK) was set up with such tokens. In many cases, the shielding data might already contain all required settings, so specialization values are optional. Step 7: Monitoring Provisioning and First Boot Once the shielded VM deployment is initiated (either by WAC or PowerShell), the provisioning process begins on the guarded host. This process is automatic and involves several stages behind the scenes: The host registers a new Key Protector for the VM (containing the VMās BitLocker key, sealed to the VMās virtual TPM and the fabricās HGS). It then contacts the HGS. HGS verifies the hostās health (attestation) and, if the host is authorized and healthy, releases the key protector to the host. The VM is initially started using a temporary shielding helper OS (often a small utility VHD). This helper OS boots inside the new VM and uses the unattend file from the PDK to configure the main OS disk. It injects the administrator password, domain or network settings, enables RDP/WinRM, and then finalizes BitLocker encryption of the VMās OS volume using the VMās vTPM. This encryption locks the OS disk so it can only be decrypted by that VMās vTPM (which in turn is only released by HGS to trusted hosts). When specialization is complete, the VM will shut down automatically. This shutdown is a signal that provisioning is finished. The helper disk is then automatically detached, and the VM is now fully shielded. As an administrator, you should monitor this process to know when the VM is ready: In Windows Admin Centerās VM list, you may see the VMās state change (it might show as āOffā or āStoppedā after the provisioning shutdown). You may not get a detailed status in WAC during provisioning. Refresh the view to see if the VM has turned off after a few minutes. Using PowerShell, you can query the status: run Get-ShieldedVMProvisioningStatus -VMName <Name> on the guarded host to check progress. This cmdlet shows stages or any errors during provisioning. (If the provisioning fails, the cmdlet or Hyper-V event logs will show error details. Common causes include guardian mismatches or unattend errors.) Once the VM has shut down indicating success, you can proceed to start it normally. In WAC, select the VM and click Start (or use Start-VM -Name <Name> in PowerShell). The VM will boot its now-configured OS. On first boot, it will go through final OS specialization (the standard Sysprep specialize/pass completion). Step 8: Post-Deployment Access and Management Your new VM is now running as a shielded VM. Key points for management: Limited Host Access: Because itās shielded, the Hyper-V host admin cannot view the VMās console or use PowerShell Direct on this VM. In WAC (or Hyper-V Manager), if you try to connect to the VMās console, it will be blocked (you might see a black screen or an error). This is expected as shielded VMs are isolated from host interference. All management must be done through the network. Accessing the VM: Use the credentials set in the unattend/PDK to log on to the VM via Remote Desktop (RDP) or another remote method (e.g. PowerShell Remoting). Ensure the VM is connected to a network and has an IP (via DHCP or the unattendās settings). The unattend should have enabled RDP or WinRM as configured earlier. For example, if the PDK joined the VM to a domain, you can RDP with a domain account; if not, use the local Administrator and the password from the shielding data. Verify Shielded Status: In WACās inventory, the VM should show as a generation 2 VM with a TPM. You can confirm itās shielded by checking VMās Security settings (they will show that the VM is using a Key Protector and is shielded, often the UI will have those options greyed-out/enforced). You can also use PowerShell: Get-VMSecurity -VMName <Name>. It should show Shielded: True and list the Key Protector ID, etc. Routine Management: You can manage the VM (start/stop/reset) in WAC like any other VM. Backups, replication, etc., should be done with shielded VM-compatible methods (e.g. use Hyper-V checkpoints or backup APIs as the VMās disks are encrypted but manageable through Hyper-V). Fabric admins cannot alter the VMās settings that would compromise its security (for instance, you cannot remove the vTPM or turn off shielding without the VM ownerās consent). Further Reading: Install HGS in a new forest | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-install-hgs-default Guarded fabric and shielded VMs | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node Capture TPM-mode information required by HGS | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tpm-trusted-attestation-capturing-hardware Guarded host prerequisites | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-guarded-host-prerequisites Review HGS prerequisites | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-prepare-for-hgs Create a Windows shielded VM template disk | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-create-a-shielded-vm-template Shielded VMs for tenants - Creating shielding data to define a shielded VM | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tenant-creates-shielding-data Shielded VMs - Preparing a VM Shielding Helper VHD | https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-vm-shielding-helper-vhd
Updates to Data Security specialization (formerly Information Protection and Governance)
As of 8/26/2025, the Information Protection and Governance specialization is now updated to the Data Security specialization in response to partner feedback and evolving market conditions. In addition to a new name, the specialization also features updated skilling and performance requirements.September Calendar IS HERE!
šāØ Another month, another exciting calendar from the Microsoft Hero āØš From š different time zones, and š diverse topics, weāre bringing incredible sessions designed for everyone, whether youāre just starting your journey or already an expert in Microsoft and the cloud. This month, weāve packed the calendar with amazing speakers from across the globe š who will be sharing their invaluable knowledge and real-world experiences. š š” Join our live sessions, learn from inspiring experts, and take a step closer to transforming your career, boosting your skills, and making an impact in your organization. ā° Just like last month, weāre covering multiple time zones, from Australia š¦šŗ, to Europe šŖšŗ, to the Americas š, so no matter where you are, thereās a session waiting for you! š Donāt miss out, register today, get ready, and letās grow together from Zero to Hero! šŖš Santhoshkumar Anandakrishnan https://streamyard.com/watch/3CCPGbvGeEfZ?wt.mc_id=MVP_350258 September 4, 2025 11:00 AM CET September 4, 2025 07:00 PM AEST Arafat Tehsin https://streamyard.com/watch/Nyq7gkQEhXkm?wt.mc_id=MVP_350258 September 9, 2025 11:00 AM CET September 9, 2025 07:00 PM AEST Kim Berg https://streamyard.com/watch/6AyAT6PhD9xv?wt.mc_id=MVP_350258 September 13, 2025 06:00 PM CET Andrew O'Young https://streamyard.com/watch/qTvq25R7dfmu?wt.mc_id=MVP_350258 September 16, 2025 11:00 AM CET September 16, 2025 07:00 PM AEST Pam DeGraffenreid https://streamyard.com/watch/UmwbDn9Gimn8?wt.mc_id=MVP_350258 September 20, 2025 06:00 PM CET Anthony Porter https://streamyard.com/watch/8SFHqmDB3gxH?wt.mc_id=MVP_350258 September 29, 2025 09:00 AM CET September 29, 2025 05:00 PM AESTPartner Blog | Critical API changes for Microsoft partners: Take action now to avoid business disruption
With trust as the foundation of our business at Microsoft, security and compliance are at the heart of everything we do. Our partners play a key role in strengthening customer trust and enhancing the security posture of our entire ecosystem. Comprehensive security also presents a significant opportunity for every partner to drive efficiency, grow their business, and reach more customers. To make this opportunity a reality, weāre committed to enhancing the partner experience by providing you with ongoing updates and resources to help keep your organization (and customers) safe. By ensuring our partners are capable and compliant, we can continue to improve the way our customers do business with us and drive meaningful outcomesātogether. Continue reading here
Stand out in the marketplace with a Microsoft Copilot specialization
The Microsoft Copilot specialization demonstrates your experience and capabilities with Copilot, including Microsoft 365 Copilot, Copilot Chat, Copilot Studio, and agents. Partners with this specialization can help their customers: Explore AI Advisory Services for Microsoft Copilot. āÆ Adopt Copilot.āÆ Deliver data security and deployment.āÆ Enable extensibility with agentic focus.āÆāÆāÆ To earn this specialization, you must first attain one of three Solutions Partner designations: Business Applications, Modern Work, and/or Security. If your organization has already attained one or more of these designations, please review the Microsoft Copilot specialization criteriaāwhich include performance metrics, skilling requirements, and customer referencesāand begin to work toward meeting them. You can check whether you currently meet the requirements by viewing your Partner Center dashboard. The requirements include: Performance requirementsāÆ 1,000 monthly active users (MAU) growth of M365 Copilot in the trailing 12 months (TTM) (Claiming partner of record (CPOR), Cloud Solution Provider (CSP) Tier 1, CSP Tier 2) AND āÆ 5 net customer growth for Copilot in TTM (CPOR, CSP Tier 1, CSP Tier 2)āÆ Skilling requirementsāÆ 5 peopleāÆwithāÆMS-102: Microsoft 365 Certified: Enterprise Administrator ExpertāÆ AND 5 peopleāÆwith, cumulatively: SC-401: Implement information protection in Microsoft 365 ORāÆāÆ APL-4002: Prepare security and compliance to support Copilot AND 5 peopleāÆwith APL-7008: Create custom agents with Microsoft Copilot Studio Customer referencesāÆ Provide three customer references, which must include at least one example of transforming business processes with agent implementation.āÆ Learn more
