Disclaimer: Dell does not offer support for Windows Server 2016 at this time.  Dell is actively testing and working closely with Microsoft on Windows Server 2016, but since it is still in development, the exact hardware components/configurations that Dell will fully support are still being determined.  The information divulged in our online documents prior to Dell launching and shipping Windows Server 2016 may not directly reflect Dell supported product offerings with the final release of Windows Server 2016. We are, however, very interested in your results/feedback/suggestions. Please send them to WinServerBlogs@dell.com

One of the major challenges for customers moving their workloads to a virtualized datacenter or public cloud is security, given the sensitivity of those workloads. To protect tenants’ workloads from compromised storage, networks, host administrators, and malware, the upcoming Windows Server 2016 introduces the concept of the Guarded Fabric, which implements a new trust boundary between the tenant and the datacenter administrators or cloud service providers. Running shielded virtual machines on a Guarded Fabric gives tenants security assurance for virtualizing sensitive workloads such as Active Directory domain controllers.

With Windows Server 2016 Technical Preview, the Guarded Fabric can be deployed using either Active Directory-based attestation or hardware-based attestation, which requires Trusted Platform Module (TPM) v2.0. TPM 2.0 is now available as an orderable configuration option on selected 13th Generation PowerEdge servers such as R730, R730XD, R630, T630, etc.

Before deploying the Guarded Fabric with hardware-based attestation, the following settings are needed in the system BIOS:

Boot Settings: UEFI
System Security > TPM Security: ON
System Security > TPM Advanced > TPM PPI (Physical Presence Interface) Bypass Clear: Enabled
System Security > TPM Advanced > TPM PPI Bypass Provision: Enabled
System Security > Secure Boot > Secure Boot: Enabled

These system settings can be configured remotely via the integrated Dell Remote Access Controller (iDRAC) by using racadm included in the Dell OpenManage DRAC Tools package. Here are the related racadm commands under PowerShell:
First, define a variable for iDRAC IP address:
$ip = "<iDRAC IP>"

View the current boot settings:
racadm -r $ip -u root -p calvin get BIOS.BiosBootSettings.Bootmode

View the current TPM and Secure Boot settings:
racadm -r $ip -u root -p calvin get BIOS.syssecurity

Change the boot mode to UEFI:
racadm -r $ip -u root -p calvin set BIOS.BiosBootSettings.Bootmode Uefi

Enable the TPM Security:
racadm -r $ip -u root -p calvin set BIOS.SysSecurity.TpmSecurity On

Disable the PPI pop-up for the Clear TPM task during POST:
racadm -r $ip -u root -p calvin set Bios.Tpmadvanced.TpmPpiByPassClear Enabled

Enable Secure Boot:
racadm -r $ip -u root -p calvin set Bios.syssecurity.secureboot Enabled

All the changes are still in the pending state. Apply them by creating a BIOS configuration job that power-cycles the server immediately:
racadm -r $ip -u root -p calvin jobqueue create BIOS.Setup.1-1 -r pwrcycle -s TIME_NOW -e TIME_NA
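
To confirm that the settings took effect, or are still only staged, the output of the `get` commands can be compared with the target values. The following is an added example, not part of the original post: `Test-GuardedFabricBios` is a hypothetical helper name, the sample output is constructed, and the `Name=Value` / `(Pending Value=...)` output layout is an assumption about how racadm prints attributes.

```powershell
# Target values are the ones the racadm `set` commands on this page apply.
# TPM PPI Bypass Provision is left out: the page gives no racadm attribute for it.
$expected = [ordered]@{
    BootMode          = 'Uefi'
    TpmSecurity       = 'On'
    TpmPpiBypassClear = 'Enabled'
    SecureBoot        = 'Enabled'
}

function Test-GuardedFabricBios {   # hypothetical helper, not a Dell cmdlet
    param([string[]]$RacadmOutput, [System.Collections.IDictionary]$Expected)

    # Hashtable keys compare case-insensitively, so mixed-case names still match.
    $actual = @{}
    foreach ($line in $RacadmOutput) {
        # Assumed layout: [#]Name=Value [(Pending Value=Staged)]
        if ($line -match '^\s*#?(?<n>\w+)\s*=\s*(?<v>[^()]*?)\s*(\(Pending Value=(?<p>[^)]*)\))?\s*$') {
            $actual[$Matches.n] = [pscustomobject]@{ Value = $Matches.v; Pending = $Matches.p }
        }
    }
    foreach ($name in $Expected.Keys) {
        $want  = $Expected[$name]
        $have  = $actual[$name]
        $state = 'Mismatch'
        if (-not $have) { $state = 'Missing' }                            # attribute not in the output
        elseif ($have.Value -eq $want) { $state = 'OK' }                  # already active
        elseif ($have.Pending -eq $want) { $state = 'PendingJob' }        # staged, job not yet run
        [pscustomobject]@{ Attribute = $name; Expected = $want; Current = $have.Value; State = $state }
    }
}

# Constructed sample output (not captured from a real iDRAC).
$sample = @'
[Key=BIOS.Setup.1-1#BiosBootSettings]
BootMode=Bios (Pending Value=Uefi)
[Key=BIOS.Setup.1-1#SysSecurity]
SecureBoot=Disabled
TpmSecurity=On
'@ -split '\r?\n'

Test-GuardedFabricBios -RacadmOutput $sample -Expected $expected | Format-Table -AutoSize

# Against a live iDRAC, prompt for the account instead of hard-coding it:
# $cred = Get-Credential
# $out  = racadm -r $ip -u $cred.UserName -p ($cred.GetNetworkCredential().Password) get BIOS.syssecurity
# Test-GuardedFabricBios -RacadmOutput $out -Expected $expected
```

Any row that is not `OK` after the BIOS job has completed means the host does not yet meet the prerequisites listed above for hardware-based attestation.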

More detailed information is available in the attached document.