Product : Microsoft, HyperV/2019, DataCenter
Feature : Security, Other, Management
Content Owner:  Roman Macek
Summary
Windows Security, Hyper-V Extensible Switch (DNSSEC, PVLANs, port ACLs, BitLocker etc., Shield VM)
Details
(No major change in WS2019)Server 2012 (maintained and enhanced in R2 - see http://bit.ly/19L1mmW) introduced a vast number of general security improvements that will therefore secure your virtual or cloud environment including Secure Boot (prevents boot code updates without appropriate digital certificates and signatures), early Anti-Malware launch, enhanced DNS security (DNSSEC), AppLocker and encrypted cluster volumes (BitLocker) etc.

The biggest virtualization / cloud related improvement has been provided through the new security and isolation capabilities through the Hyper-V Extensible Switch.
Windows Server 2012 / R2 provides the isolation and security capabilities for multi-tenancy by offering the following new features:
- Multitenant virtual machine isolation through private virtual LANs (PVLANs).
- Protection from Address Resolution Protocol/Neighbour Discovery (ARP/ND) poisoning (also called spoofing).
- Protection against DHCP snooping and DHCP guard (DHCP Guard: drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers, Router Guard: drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers)
- Isolation and metering using virtual port access control lists (ACLs).
- The ability to trunk traditional VLANs to virtual machines.

In addition to the above WS2012 and WS2012 R2s enhancements in the area of network virtualization can arguably improve network security related aspects (see Network Virtualization)

For a list of most Security and Protection related enhancements in W2 2012 and WS 2012R2 see: http://bit.ly/19L1mmW

In Windows Server 2016, Microsoft brings the Shield VM which are VM protected by a Host Guardian. THe protected VM have their virtual disk encrypted. This system can leverage TPM 2.0 chip or certificate. (https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)

In Windows Server 2016, we are able to add virtual TPM to VM.