
OpenHCL: Understanding Microsoft’s open source paravisor

Virtualization is also the technology underlying Microsoft's confidential computing services, providing a way to work with encrypted data securely so that it is protected at rest, in transit and in use. Nesting encrypted virtual environments on top of a traditional hypervisor works well enough, but it limits which operating system functions are available inside the trusted execution environment.

Extending the hypervisor

This is where an alternative approach to virtualization comes in, what Microsoft calls a "paravisor." It builds on the concept of paravirtualization, in which the host and the virtualized environment communicate through explicit, defined interfaces rather than the hypervisor transparently emulating hardware. This approach requires the guest operating system to be virtualization aware: it needs a defined set of APIs and drivers that can use those APIs when needed. In return, the guest operating system can manage its own isolated computation while the host operating system shares I/O and other common services between the host and the virtualized processes.

If you use virtualization-based security (VBS) features in Windows, run them in a VM that supports paravirtualization. This ensures that secure operations get the same scheduling priority and hardware access as their non-secure counterparts, avoiding performance bottlenecks and giving users the same experience whether a process runs inside or outside the trust boundary.
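The practical check that follows from this advice is whether VBS is actually running inside the guest, and which of its services are active. The PowerShell script below is an added example, not code from the article or from the OpenHCL project. It assumes it is run in an elevated session inside the Windows VM, and that the numeric codes it maps to names (VirtualizationBasedSecurityStatus 0/1/2, SecurityServicesRunning 1/2/3) follow Microsoft's documented Win32_DeviceGuard values.

```powershell
# Added example (not from the article or the OpenHCL project): report the VBS state
# of a Windows guest so you can confirm the VM exposes what VBS needs.
# Assumptions: elevated PowerShell inside the guest; code-to-name mappings follow
# Microsoft's Win32_DeviceGuard documentation.

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $cs = Get-CimInstance -ClassName 'Win32_ComputerSystem'

    # 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled but not running' }
        2       { 'running' }
        default { "unknown ($_)" }
    }

    # Service codes reported in SecurityServicesRunning / SecurityServicesConfigured.
    $serviceNames = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor-protected Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch'
    }
    $running = foreach ($code in @($dg.SecurityServicesRunning) | Where-Object { $_ -ne 0 }) {
        if ($serviceNames.ContainsKey([int]$code)) { $serviceNames[[int]$code] } else { "service code $code" }
    }
    $configured = foreach ($code in @($dg.SecurityServicesConfigured) | Where-Object { $_ -ne 0 }) {
        if ($serviceNames.ContainsKey([int]$code)) { $serviceNames[[int]$code] } else { "service code $code" }
    }

    [pscustomobject]@{
        HypervisorPresent   = [bool]$cs.HypervisorPresent
        VbsStatus           = $vbsStatus
        ServicesConfigured  = ($configured -join ', ')
        ServicesRunning     = ($running -join ', ')
        RequiredProperties  = (@($dg.RequiredSecurityProperties) -join ', ')
        AvailableProperties = (@($dg.AvailableSecurityProperties) -join ', ')
    }
}

$report = Get-VbsReport
$report | Format-List

# Flag the situation the text warns about: VBS is wanted, but the VM is not giving it what it needs.
if (-not $report.HypervisorPresent) {
    Write-Warning 'No hypervisor detected in this guest; VBS cannot run here.'
} elseif ($report.VbsStatus -ne 'running') {
    Write-Warning "VBS is $($report.VbsStatus). Compare RequiredProperties with AvailableProperties to see which virtualization feature the VM is missing."
}
```

RequiredSecurityProperties lists the platform features VBS has been told to require, and AvailableSecurityProperties lists what the firmware and hypervisor actually expose to the guest; when VBS is "enabled but not running", the difference between the two is usually the feature the VM configuration needs to provide.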