There's a really good presentation, by a Microsoft Platform Security Engineer, detailing the lengths they went through to ensure only properly signed executables run on the Xbox One and really answers your question. One of the tools they developed, HVCI, was later incorporated into Windows Hyper-V.
VMware actually filed and was granted a patent for the same technique, years earlier, though to my knowledge they never used it for anything (not even for counter-offensive purposes against MSFT :).
Microsoft would have had proof of using the technique earlier. It was designed into the Xbox 360, so it would have been already taped out by that priority date.
https://www.youtube.com/watch?v=U7VwtOrwceo