
Shielded VM Enhancements in Windows Server 2019

Summary: This article provides information about enhancements to shielded virtual machines (VMs) in Windows Server 2019.


Instructions

Shielded VM is a security feature that Microsoft introduced in Windows Server 2016, and it received a number of enhancements in Windows Server 2019. This article discusses those improvements. For an introduction to the feature and detailed deployment steps, see the following link:

Attestation Modes

The feature initially supported two attestation modes: Active Directory-based attestation and TPM-based attestation. TPM-based attestation provides the stronger security protections, because it uses a Trusted Platform Module (TPM) as a hardware root of trust and supports measured boot and code integrity. Key mode attestation is a new addition that replaces AD-based attestation; AD-based attestation is still present but is deprecated from Windows Server 2019 onwards. The following link contains information about setting up the Host Guardian Service (HGS) node using key mode attestation:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-initialize-hgs-key-mode-default
Key mode attestation is the preferred choice when TPM hardware is unavailable. It is easier to configure but carries additional security risk, because it does not involve a hardware root of trust. For the most stringent security, TPM-based attestation with a TPM 2.0 chip is recommended.
 

HGS Backup Feature

Because the HGS cluster is a critical piece of the shielded VM solution, Microsoft added support for a second set of HGS URLs. If the primary HGS server is unresponsive, Hyper-V guarded hosts can attest against the fallback server and launch the shielded VMs without downtime. This requires two HGS servers, with the VMs independently attested with both servers during deployment. The following command, run on the guarded host, enables the VMs to be attested by both HGS clusters.
 
# Replace https://hgs.primary.com and https://hgs.backup.com with your own domain names and protocols
Set-HgsClientConfiguration -KeyProtectionServerUrl 'https://hgs.primary.com/KeyProtection' -AttestationServerUrl 'https://hgs.primary.com/Attestation' -FallbackKeyProtectionServerUrl 'https://hgs.backup.com/KeyProtection' -FallbackAttestationServerUrl 'https://hgs.backup.com/Attestation'

For the Hyper-V host to pass attestation with both the primary and the fallback server, its attestation information must be up to date on both HGS clusters.
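The following script, added here as an example and not part of the Dell article, applies the primary/fallback configuration shown above on a guarded host and then checks the result. The host names hgs.primary.com and hgs.backup.com are the article's placeholders; the property names read from Get-HgsClientConfiguration (AttestationStatus, AttestationSubstatus, AttestationOperationMode, IsFallbackInUse) are assumed to match that cmdlet's standard output.

```powershell
# Added example: configure primary and fallback HGS URLs on a guarded Hyper-V host,
# then verify that the host attests and report which attestation mode it is using.
# Placeholders: hgs.primary.com / hgs.backup.com (replace with your own HGS names).
param(
    [string]$PrimaryHgs  = 'https://hgs.primary.com',
    [string]$FallbackHgs = 'https://hgs.backup.com'
)

# Refuse plain-HTTP endpoints: attestation and key-protection traffic should be TLS-protected.
foreach ($url in @($PrimaryHgs, $FallbackHgs)) {
    if (-not $url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "HGS URL '$url' must use HTTPS"
    }
}

# Same cmdlet as in the article; the fallback URLs point at the second HGS cluster.
Set-HgsClientConfiguration `
    -KeyProtectionServerUrl         "$PrimaryHgs/KeyProtection" `
    -AttestationServerUrl           "$PrimaryHgs/Attestation" `
    -FallbackKeyProtectionServerUrl "$FallbackHgs/KeyProtection" `
    -FallbackAttestationServerUrl   "$FallbackHgs/Attestation"

# Read back the client configuration; property names assumed from the cmdlet's output.
$cfg = Get-HgsClientConfiguration

if ($cfg.AttestationStatus -ne 'Passed') {
    Write-Warning "Attestation status: $($cfg.AttestationStatus) ($($cfg.AttestationSubstatus))"
}
if ($cfg.AttestationOperationMode -ne 'Tpm') {
    # Key mode works without a TPM but lacks a hardware root of trust (see Attestation Modes).
    Write-Warning "Host attests in '$($cfg.AttestationOperationMode)' mode; TPM mode is recommended"
}
if ($cfg.IsFallbackInUse) {
    # Useful to alert on: the primary cluster is not answering this host.
    Write-Warning 'Host is currently attesting against the fallback HGS cluster'
}
$cfg
```

Run the script once per guarded host after the host's attestation information has been registered with both HGS clusters; a warning that the fallback cluster is in use is a signal worth forwarding to monitoring, since it means the primary HGS cluster is unreachable from that host.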
 

Offline Mode

Offline mode allows shielded VMs to start even when the HGS cluster is unreachable. To enable this mode, run the following command on an HGS node:
Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching:$true

After running the command, restart all shielded VMs so that they obtain a cacheable key protector.
Note: Any security configuration change on the Hyper-V host invalidates the cached key material. The host must attest with an HGS server again before its VMs can start in offline mode.
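The two-step procedure above, as an added example that is not part of the Dell article. The first block runs on an HGS node and the second on each guarded host; the AllowKeyMaterialCaching property read from Get-HgsKeyProtectionConfiguration is assumed to mirror the parameter name, and only VMs whose VM security settings report Shielded are restarted.

```powershell
# Added example: enable offline mode on HGS, then restart only shielded VMs on a guarded host.

# --- Step 1: on an HGS node ---
Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching:$true

# Confirm the setting took effect (property name assumed to match the parameter name).
$kp = Get-HgsKeyProtectionConfiguration
if (-not $kp.AllowKeyMaterialCaching) {
    throw 'Key material caching is still disabled on this HGS node'
}

# --- Step 2: on each guarded Hyper-V host ---
# A VM only receives a cacheable key protector after it restarts, so cycle the
# running shielded VMs; unshielded VMs are left alone.
Get-VM |
    Where-Object { $_.State -eq 'Running' -and (Get-VMSecurity -VM $_).Shielded } |
    ForEach-Object {
        Write-Host "Restarting shielded VM '$($_.Name)' to refresh its key protector"
        Restart-VM -VM $_ -Force -Wait
    }

# Remember: any later security configuration change on this host invalidates the
# cached key material, and the host must attest with HGS again before offline
# starts work. Checking the attestation status after such changes catches this early.
(Get-HgsClientConfiguration).AttestationStatus
```

Because cached key material lets VMs start without contacting HGS, it also widens the window in which a host with a changed security posture could continue running VMs until the cache is invalidated; treat the -AllowKeyMaterialCaching setting as a deliberate availability-versus-assurance trade-off and record when it is enabled.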
 

Linux Shielded VM

Microsoft supports shielded VMs running Linux as the guest OS. For more details on which Linux distributions and versions can be used, see the following link:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-create-a-linux-shielded-vm-template


Important Guidelines

There are a few important guidelines to be followed when deploying shielded VMs:
  1. When upgrading from Windows Server 2016 to Windows Server 2019, clear all security configurations before the upgrade. Apply them again afterwards on the HGS nodes and on the guarded hosts so that the solution continues to work seamlessly.
  2. Template disks can only be used with the secure shielded VM provisioning process. Attempting to boot a regular (unshielded) VM from a template disk is unsupported and will likely result in a stop error (blue screen).

Applicable products

Microsoft Windows Server 2019
Article properties
Article number: 000175495
Article type: How To
Last modified: 19 July 2024
Version: 6