Panagiotis Gkatziroulis, writing for the Blue Team publication on Medium, has a very detailed article describing steps an organization can take to limit the effectiveness of the credential-dumping techniques Mimikatz automates. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
Even though Microsoft introduced a security patch, which can be applied even to older operating systems such as Windows Server 2008, Mimikatz is still effective and in a lot of cases it can lead to lateral movement and domain escalation. It should be noted that Mimikatz can only dump credentials and password hashes if it is executed from the context of a privileged user such as a local administrator.
The vTPM can also be used to store “sealed” drive encryption keys, making it difficult if not impossible to gain access to the contents of a virtual machine’s drives unless the operating system boots in a “known-good” state. If the VM’s operating system, boot loader, or firmware image is compromised, the system won’t reboot—so an attacker won’t be able to decrypt the virtual disks. The same would be true if a snapshot of the VM is moved into a different context by an attacker.
Source: Google launches “Shielded VMs” to protect cloud servers from rootkits, data theft | Ars Technica
I need to unpack this more but at first glance it sounds very promising for improving the reliability of cloud computing. This approach sounds very similar to Device Guard, Credential Guard and Secure Boot we deploy on modern workstations today.
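As an added example (not code from either linked article), here is a read-only PowerShell audit of the host-side controls this post touches on: the WDigest, LSA Protection and Credential Guard settings that limit what Mimikatz can pull from LSASS once it is running as a local administrator, plus the Secure Boot and TPM-bound BitLocker configuration that is the workstation counterpart of the sealed vTPM keys described in the Shielded VMs excerpt. The registry paths, CIM class and cmdlets are Microsoft's documented ones; the function name `Test-CredentialHardening`, the pass/fail rules and the output layout are assumptions chosen for this example.

```powershell
# Added example, not code from the linked articles. Read-only audit of the
# credential-theft and measured-boot controls discussed in this post.
# Run in an elevated PowerShell (5.1 or later) on Windows 10 / Server 2016 or
# newer; on older hosts the newer controls are simply reported as absent.

function Get-RegistryDword {
    # Returns the DWORD stored at $Path\$Name, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try {
        return [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Test-CredentialHardening {   # hypothetical name chosen for this example
    $osVersion = [Version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $results   = @()

    # 1. WDigest: UseLogonCredential = 0 stops LSASS from keeping reversible (cleartext)
    #    passwords in memory. Absent is safe on 8.1 / 2012 R2 (NT 6.3) and later; on
    #    older hosts patched with KB2871997 the value must be created and set to 0.
    $wdigest = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $wdigestValue = if ($null -eq $wdigest) { 'not set' } else { $wdigest }
    $results += [pscustomobject]@{
        Control = 'WDigest cleartext credential caching disabled'
        Value   = $wdigestValue
        Pass    = ($wdigest -eq 0) -or (($null -eq $wdigest) -and ($osVersion -ge [Version]'6.3'))
    }

    # 2. LSA Protection: RunAsPPL = 1 (2 on newer builds means enabled without UEFI lock)
    #    runs LSASS as a protected process, so an administrator cannot read its memory
    #    without loading a signed driver.
    $ppl = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $pplValue = if ($null -eq $ppl) { 'not set' } else { $ppl }
    $results += [pscustomobject]@{
        Control = 'LSA Protection (RunAsPPL)'
        Value   = $pplValue
        Pass    = ($ppl -eq 1) -or ($ppl -eq 2)
    }

    # 3. Credential Guard: Win32_DeviceGuard.SecurityServicesRunning lists 1 for
    #    Credential Guard and 2 for HVCI; the class is missing on hosts without VBS.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    $results += [pscustomobject]@{
        Control = 'Credential Guard running'
        Value   = if ($null -eq $dg) { 'VBS not available' } else { ($dg.SecurityServicesRunning -join ',') }
        Pass    = $cgRunning
    }

    # 4. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, which
    #    counts as not enabled.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    $results += [pscustomobject]@{
        Control = 'UEFI Secure Boot enabled'
        Value   = $secureBoot
        Pass    = $secureBoot
    }

    # 5. BitLocker on the OS volume with a TPM-bound key protector: the workstation
    #    counterpart of the sealed vTPM disk keys in the Shielded VMs excerpt.
    $tpmBound = $false
    $blValue  = 'BitLocker module not available'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($null -ne $blv) {
            $types    = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            $blValue  = "Protection=$($blv.ProtectionStatus); Protectors=$($types -join ',')"
            $tpmBound = ($blv.ProtectionStatus -eq 'On') -and
                        [bool]($types | Where-Object { $_ -like 'Tpm*' })
        } else {
            $blValue = 'OS volume not reported'
        }
    }
    $results += [pscustomobject]@{
        Control = 'OS volume BitLocker with TPM key protector'
        Value   = $blValue
        Pass    = $tpmBound
    }

    return $results
}

Test-CredentialHardening | Format-Table -AutoSize
```

Treat a failing WDigest or RunAsPPL row as the first thing to fix: both are registry values an administrator can set without new hardware, and a WDigest value of 1 on a host that should have 0 is a common sign that someone re-enabled cleartext caching before running Mimikatz. Credential Guard and a TPM-bound BitLocker protector need virtualization-based security and a TPM respectively, which is the dependency the Shielded VMs announcement is addressing for cloud instances.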