If you are upgrading hosts, it's also worth noting that you can upgrade from Standard edition to Datacenter edition. To create the private cloud environment that hosts our HVA resources, we use Windows Server 2016, System Center Virtual Machine Manager, and Windows Azure Pack. In a single-host environment without a configured Host Guardian Service, these keys are created automatically immediately after you set the first virtual machine to be shielded. HGS is typically deployed as a 3-node bare-metal cluster for high availability and scale. The virtual machines use a virtual trusted platform module (vTPM) and UEFI firmware to make it hard to sneak in malicious firmware, dud drivers, rootkits and other nasties that could mess up a VM as it launches. Now click "OK". Once the VM is up and running, log into the desktop, complete any setup steps and make sure the VM is in a working state. This is the environment used in the example explained in this article: We recommend using Server Core, but you can also use the full desktop experience if you like. Setting that up is out of scope for this guide but will be covered in a later one. If you re-use a template disk, there will be a disk signature collision during the shielding process because both disks will have the same GPT disk identifier. Welcome to Part 6 of the Server 2016 Features Series (the previous post, Part 5, covered deploying and configuring the Host Guardian Service). The operating system installed on the VHDX must be one of the following: Needed to support Generation 2 virtual machines and the Microsoft Secure Boot template. The operating system must be generalized (run sysprep.exe). Template provisioning involves specializing VMs for a specific tenant's workload.
Make sure you attach your network adapter to a VM Network, as this is a tenant's only route into a shielded VM. If you followed all steps exactly as they appear on the post, then you're not missing anything. For HGS to release a key to Hyper-V, the request must be accompanied by a trustworthy, non-expired certificate of health. If the tenant created the signed VHDX themselves, then they could obtain its VSC by running the following command: The last thing we need to do before we can create our shielding data is to designate which guarded fabrics the tenant's VMs are allowed to run on. The keys needed by Hyper-V to work with shielded VMs are stored on HGS. Once you've resolved the issue, deploy the VM using your "Shielding" .PDK file. In a traditional environment where virtual machines run on a hypervisor host, it's possible for the administrator of the virtualization layer to get full access to the virtual machines. You can find the video here: Deploying shielded VMs and a guarded fabric with Windows Server 2016. We're not going to deploy a shielded VM just yet, as we'll need a Shielding Data file for that. The IP address is 10.0.0.5. Create a shielded VM template. Remember that shielding helper VHDX we created earlier? The main differences being that options like Generation 2, UEFI, Secure Boot etc. Shielded VMs, or Shielded Virtual Machines, are a security feature introduced in Windows Server 2016 for protecting Hyper-V Generation 2 virtual machines (VMs) from unauthorized access or tampering by using a combination of techniques like Secure Boot, BitLocker encryption, a virtual Trusted Platform Module and the Host Guardian Service. This is the drive that BitLocker will encrypt. In the last section, you created a .PDK containing all the tenant secrets necessary to deploy a shielded VM; we now need to upload that file to SCVMM.
The job should complete with the following status: Your VM should also now show as shielded within the console. So there you have it, you can now deploy shielded VMs to your guarded fabric. The VM Shielding Helper VHD must not be related to the template disks you created in "Hosting service provider creates a shielded VM template". Armed with a certificate and prepared VHDX, we can launch the Template Disk Wizard. Give your disk a friendly name and a version number (yup, 3 decimal places) and click "Next". Copy the VHDX to your SCVMM library share folder; this could be local on the server or, if you used this guide, a dedicated share on your SOFS cluster (I've yet to update my VMM deployment with this piece, coming very soon). You can also right-click the context bar at the top of the pane and enable a column denoting resources as shielded. Select your signed template disk; you can make this easier by right-clicking the context bar and enabling a shielded column. Type a name for your VM Template and click "Next". Modify the resources as required: Processors, Memory and Availability. It protects virtual machines from threats outside and inside the fabric. Log onto the server you used earlier for signing your template disk (as it already has the required RSAT tools installed). Now we can sysprep the OS; instructions below: press "Windows Key + R" and type "sysprep", select "Enter System Out-of-Box Experience…", tick "Generalize" and select "Shutdown". Being that this will always be done by the tenant, let's act like one and run all this from a desktop machine.
Click "Browse", locate your metadata file, enter a name for the guardian and click "OK". Back on the "Owners and Guardians" page, select the local guardian you just created from the drop-down, and select the hoster's guardian you just imported from the list below it. The steps discussed in this blog are also covered in a video that shows the required syntax of each step and concludes with deploying a shielded VM. You'll know from earlier that we needed to download the hoster guardian metadata file to confirm which guarded fabrics we could run our VMs on; now we need to create a local guardian. Shielded VMs in Windows Server 2016 protect virtual machines from Hyper-V administrators with the help of encryption technologies. Worst case scenario, take another copy of the prepared VHDX from your VM and run through the process again, taking note of how long the signing process takes. If you'd prefer not to, you can also create a shielded VM using PowerShell alone, as demonstrated in the "Step by step – Creating shielded VMs without VMM" blog. Power up your VM and make sure you can RDP to it. For the purposes of this guide, we'll be obtaining this using an SCVMM PowerShell cmdlet. A shielded VM template protects template disks by creating a signature of the OS volume at a known trustworthy point in time. We'll want to copy the disk. You can set it back to the default value by running: For this guide, we'll have to provide the following values to our New-ShieldingDataAnswerFile command. This however does allow me to reiterate that without networking, a shielded VM is basically a brick 🙂. A shielding data file comes in .PDK format and holds the following secrets: Being that tenants can only connect to their shielded VMs using RDP or other remote management tools, it is important that tenants know they are connecting to the correct endpoint.
Now we need to tell SCVMM to use this VHDX when shielding existing VMs. Hyper-V Shielded VMs are protected through a combination of Secure Boot, BitLocker encryption, a virtual Trusted Platform Module (vTPM) and the Host Guardian Service. Select your .PDK and click "OK". During this process you will see a new virtual machine created called "Temporary Shielding Helper*"; this will also be deleted as part of the shielding job. NOTE: Now delete the VM you used to create the ShieldingHelper disk, as starting it up again will corrupt the ShieldingHelper disk. Select the host group that contains your guarded hosts and click "Next". Select a host and click "Next". To do this we will make use of the Template Disk Wizard RSAT tool. I ran the template disk wizard and the VHDX was bitlocked. Refresh the SCVMM library. This will allow you to console onto the VM and troubleshoot what's causing the issue. You must choose one of two security policies when you create a shielding data file: At this stage, you can add optional management components like VMM or Windows Azure Pack. In this section we're going to configure all necessary resources to enable us to deploy shielded VMs on our guarded fabric. Create a new shielded VM using a signed virtual machine hard disk (VHDX), and optionally a VM template. Now click "OK" and "Next". Type a name for your VM Template and click "Next". Modify the resources as required: Processors, Memory and Availability. Customize Virtual Machine Hardware: before you deploy a new virtual machine, you can choose to configure the virtual hardware.
This mode of attestation requires that each Hyper-V host support UEFI 2.3.1 revision C or later and TPM v2. This hardware is readily available from most major OEMs. There are exactly two mutually exclusive attestation modes, which we'll discuss in the next section. AD-based attestation uses Active Directory security groups to assess host health: Hyper-V hosts in the designated security groups are deemed trustworthy. It still offers significant value in terms of security and compliance. HGS assesses each Hyper-V host's health; this is known as attestation, and HGS releases keys based on that health assessment. The Hyper-V administrator can only turn the VM on or off. Virtualization can expose data and encryption keys to hackers. Encryption on the wire offers no protection from malware or malicious administrators on the Hyper-V hosts. The virtual machine is governed by asymmetric public/private encryption keys. If you want to implement shielded VMs in your own environment, check out our planning and deployment guides. This article was originally published by Microsoft's Data Center Security blog.

WS-Man is enabled by default and the above rules can be added by using New-PSSession and Enter-PSSession to connect to the VM (its IP can be found in the SCVMM console)…pretty cool right? Disk type must be Basic as opposed to Dynamic. One partition must include the drive on which Windows is installed. The signature is computed by hashing every sector of the partition. The template disk's signature is saved as a Volume Signature Catalog (VSC). You may also receive an error relating to your configured Execution Policy; this can be set to the following values: You can set this to "Unrestricted" long enough to allow you to install the module by running the command from an elevated PowerShell console; notice the warning when installing. Hovering over the progress bar will show you the completion percentage…nice touch 🙂. You should end up with a job status like this: So what's left to do? That covers deploying a shielded VM from scratch, but what if we want to shield an existing VM? Let's see how to deploy your first shielded VM by using Virtual Machine Manager (VMM). In SCVMM, open Settings, "General" and then "Host Guardian Service Settings". Click "Manage Local Guardians". Make sure the time zone is configured, then click "Next" and "Close". You can generate self-signed certificates or select existing certificates you already own; for this guide we'll be using self-signed certificates. This requires your guarded hosts and SCVMM to be running at the latest patch level. The shielding data file also includes the security policy setting for the shielded VM. This section describes how to offer this service to tenants via the Windows Azure Portal, and covers implementing shielded VMs and configuring HGS' attestation mode. We'll determine requirements and scenarios for implementing shielded VMs. Begin by adding the HGS role and providing initial configuration information. This is a standalone HGS server. Create a new (blank) VHD and install Windows Server 2016. This is the domain controller for the following AD forest: GET-CMD.local. The required RSAT tools are available for download and install.