Microsoft will introduce two new security features in Windows Server 2016 that point toward matching Azure improvements:
Virtual TPM:
BitLocker Drive Encryption requires a Trusted Platform Module (TPM) by default. You can work around that requirement with the "Allow BitLocker without a compatible TPM" Group Policy setting, but you then have to unlock the OS volume at boot with either a USB startup key or a password. Both options make encrypting an Azure VM's boot volume a problem, because you have no console access and cannot attach a USB drive. The absence of a TPM inside VMs therefore means encryption of the boot volume simply isn't supported in virtual machines today.
The release of Windows Server 2016 will finally fix that shortcoming by introducing virtual TPMs (vTPMs) for Generation 2 Hyper-V VMs. With a vTPM the BitLocker key can be sealed to the VM's own TPM and the OS volume unlocks unattended at boot, so this addition means that fully encrypting VMs within Azure will likely be supported at some future point.
If the VHD files for all of your Azure VMs (boot volumes included) are fully encrypted, offline access to the data inside those files is impossible without a BitLocker recovery password or another valid key protector. Even if an employee's Azure credentials are stolen, or someone otherwise gains unauthorized access to your Azure Storage blobs, your data at rest remains protected. The caveat is that this defends the disk image, not the running system: a credential that can start the VM still gets an OS that unlocked itself from the vTPM at boot, and the recovery passwords themselves must be escrowed and access-controlled separately (for example in AD DS), since whoever holds them can unlock the VHD anywhere.
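The workflow the two paragraphs above describe (give a Generation 2 VM a vTPM on the host, then encrypt its OS volume inside the guest with a TPM protector plus an escrowed recovery password) as an added PowerShell example. It is not code from the original post; the VM name `app01`, the lab-style local key protector, and a domain-joined guest for the AD DS escrow are assumptions.

```powershell
# Added example, not from the original post. Assumes a Windows Server 2016
# Hyper-V host with a Generation 2 VM named "app01" (hypothetical name); the
# second half is run inside that guest, which is assumed to be domain-joined.

# --- On the Hyper-V host: give the VM a virtual TPM ---
$vm = 'app01'
Stop-VM -Name $vm -ErrorAction SilentlyContinue
# A key protector must exist before the vTPM can be enabled. A local key
# protector is fine for a standalone lab host; a guarded fabric would use one
# issued by the Host Guardian Service instead.
Set-VMKeyProtector -VMName $vm -NewLocalKeyProtector
Enable-VMTPM -VMName $vm
Get-VMSecurity -VMName $vm | Select-Object TpmEnabled, Shielded
Start-VM -Name $vm

# --- Inside the guest: confirm the TPM, then encrypt the OS volume ---
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No usable TPM: BitLocker on C: would need a startup key or password at boot, which a headless VM cannot supply."
}

# Add the recovery password first so a recovery path exists before the
# volume is locked to the TPM.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# Escrow that recovery password in AD DS: a copied VHD is then useless
# without directory access to the stored key.
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# TPM-only protector: the volume unlocks at boot with no console interaction.
# -SkipHardwareTest avoids the reboot-and-verify pass, -UsedSpaceOnly speeds
# up the initial encryption of a freshly built VM.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# Show the result: status, progress, and which protectors guard the volume.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The order matters: the recovery password is added and escrowed before the TPM protector takes effect, so there is never a window in which the only way to open the volume is a TPM that lives on one host. `Get-VMSecurity` on the host is also the quickest check that the vTPM actually came up before you start relying on it.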
Microsoft currently supports encrypting Azure VMs using CloudLink from EMC. However, this solution requires additional infrastructure inside Azure as well as installing third-party software inside each encrypted VM. Additionally, Azure Site Recovery doesn't support BitLocker-encrypted volumes. Both limitations could potentially be overcome by a completely native solution built on the virtual TPM.
Shielded virtual machines:
Shielded Virtual Machines are a new Hyper-V feature. A shielded VM is protected from the Hyper-V administrators (whether that be the fabric, storage, network, or host-server administrator); the Hyper-V administrator can only power the VM on and off. Hyper-V administrators have practically zero access to the VM: they can't access the disks, run arbitrary code in the guest, or even see the console video output. Under the hood the VM's disks are BitLocker-encrypted with keys sealed to its vTPM, and those keys are released only by the Host Guardian Service (HGS) to hosts that pass attestation, so a VM copied to a host the fabric owner hasn't authorized simply won't boot.
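What shielding a VM looks like from a guarded host, as an added PowerShell example that is not code from the original post. It assumes a Windows Server 2016 host already registered with an HGS cluster at the hypothetical name `hgs.corp.example`, a fabric guardian previously imported under the name `CorpFabric`, and a Generation 2 VM named `finance01`; all of those names are assumptions.

```powershell
# Added example, not from the original post. Assumes a Windows Server 2016
# guarded host, an HGS cluster reachable at the hypothetical DNS name below,
# and a Generation 2 VM named "finance01" (hypothetical).
$hgs = 'hgs.corp.example'   # assumption: DNS name of the HGS cluster
$vm  = 'finance01'

# --- Guarded host: point at HGS and confirm it passes attestation ---
Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://$hgs/Attestation" `
    -KeyProtectionServerUrl "http://$hgs/KeyProtection"
$client = Get-HgsClientConfiguration
if ($client.AttestationStatus -ne 'Passed') {
    # HGS only releases VM keys to hosts whose attestation succeeded, so
    # there is no point continuing on a host that fails here.
    throw "Host is not attested ($($client.AttestationStatus)); HGS will not release keys to it."
}

# --- Build a key protector whose guardian is HGS ---
# The owner guardian is a certificate pair held by the tenant; the fabric
# guardian is the HGS metadata (Export-HgsGuardian on the HGS server),
# assumed here to have been imported already as 'CorpFabric'.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates
}
$fabric = Get-HgsGuardian -Name 'CorpFabric'
# -AllowUntrustedRoot is needed when the guardian certificates are
# self-signed rather than issued by a trusted CA.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

# --- Shield the VM (it must be off for these settings) ---
Stop-VM -Name $vm -ErrorAction SilentlyContinue
Set-VMKeyProtector   -VMName $vm -KeyProtector $kp.RawData
Enable-VMTPM         -VMName $vm
Set-VMSecurityPolicy -VMName $vm -Shielded $true
Start-VM -Name $vm

# What a fabric admin on this host can still query: state flags, not content.
Get-VMSecurity -VMName $vm |
    Select-Object Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
```

The key protector is the piece that enforces the "only HGS-attested hosts" property: the VM's TPM state is wrapped so that only the listed guardians (the tenant owner and the HGS key-protection service) can unwrap it, and HGS will only do so for a host that has just attested. A host administrator who copies the VHDX and the VM configuration elsewhere has an encrypted disk and no way to get the key.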