
Shielded VM Enhancements in Windows Server 2019

Summary: This article provides information about enhancements to shielded virtual machines (VMs) in Windows Server 2019.

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

Shielded VM is a unique security feature introduced by Microsoft in Windows Server 2016. It has undergone a lot of enhancements in Windows Server 2019. This article discusses improvements to the feature. For an introduction to the feature and detailed steps for deployment, see the following link:  

Attestation Modes

The feature initially supported two attestation modes: Active Directory-based attestation and TPM-based attestation. TPM-based attestation provides enhanced security protections, as it uses a Trusted Platform Module (TPM) as a hardware root of trust. It supports measured boot and code integrity. Key mode attestation is a new addition, supplanting AD-based attestation, which is still present but deprecated from Windows Server 2019 onwards. The following link contains information about setting up the Host Guardian Service (HGS) node using key mode attestation:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-initialize-hgs-key-mode-default
Key mode attestation is preferred when TPM hardware is unavailable. It is easier to configure but comes with some security risks, as it does not involve a hardware root of trust. For the most stringent security, using TPM-based attestation along with a TPM 2.0 chip is recommended.
 

HGS Backup Feature

Since the HGS cluster is a critical piece of the shielded VM solution, Microsoft has provided an enhancement to incorporate a second set of HGS URLs. If the primary HGS server is unresponsive, Hyper-V guarded hosts can attest and launch the shielded VMs without any downtime. This requires two HGS servers to be set up, with the VMs independently attested with both servers during deployment. The following command is used to enable the VMs to be attested by both HGS clusters.
 
# Replace https://hgs.primary.com and https://hgs.backup.com with your own domain names and protocols
Set-HgsClientConfiguration -KeyProtectionServerUrl 'https://hgs.primary.com/KeyProtection' -AttestationServerUrl 'https://hgs.primary.com/Attestation' -FallbackKeyProtectionServerUrl 'https://hgs.backup.com/KeyProtection' -FallbackAttestationServerUrl 'https://hgs.backup.com/Attestation'

For the Hyper-V host to pass attestation with both primary and fallback servers, attestation information must be up to date on both HGS clusters.
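As an added example (not from the Dell article or from Microsoft's documentation), the following script, run on the guarded host after the Set-HgsClientConfiguration command above, reads the HGS client configuration back and reports a missing or mismatched fallback URL or a host that is not currently attested. The hgs.primary.com and hgs.backup.com names are the article's placeholders, and Test-HgsFallbackConfiguration is a function name introduced here.

```powershell
# Added example: verify primary and fallback HGS URLs and attestation state on a
# Hyper-V guarded host. Placeholder hostnames; substitute your own HGS names.
$PrimaryBase  = 'https://hgs.primary.com'   # placeholder
$FallbackBase = 'https://hgs.backup.com'    # placeholder

function Test-HgsFallbackConfiguration {
    param(
        [Parameter(Mandatory)][string]$PrimaryBase,
        [Parameter(Mandatory)][string]$FallbackBase
    )
    # Get-HgsClientConfiguration reports the URLs the host will use plus its
    # last attestation result (AttestationStatus / AttestationSubstatus).
    $cfg = Get-HgsClientConfiguration
    $expected = @{
        AttestationServerUrl           = "$PrimaryBase/Attestation"
        KeyProtectionServerUrl         = "$PrimaryBase/KeyProtection"
        FallbackAttestationServerUrl   = "$FallbackBase/Attestation"
        FallbackKeyProtectionServerUrl = "$FallbackBase/KeyProtection"
    }
    $problems = @()
    foreach ($name in $expected.Keys) {
        $actual = $cfg.$name
        if ([string]::IsNullOrEmpty($actual)) {
            # An empty fallback URL means no failover if the primary HGS is down
            $problems += "$name is not set"
        } elseif ($actual.TrimEnd('/') -ne $expected[$name]) {
            $problems += "$name is '$actual', expected '$($expected[$name])'"
        }
    }
    if ($cfg.AttestationStatus -ne 'Passed') {
        $problems += "Attestation status is '$($cfg.AttestationStatus)' ($($cfg.AttestationSubstatus))"
    }
    if (-not $cfg.IsHostGuarded) {
        $problems += 'Host is not currently guarded; shielded VMs cannot start'
    }
    [pscustomobject]@{
        IsHostGuarded = $cfg.IsHostGuarded
        Mode          = $cfg.AttestationOperationMode
        Problems      = $problems
    }
}

$result = Test-HgsFallbackConfiguration -PrimaryBase $PrimaryBase -FallbackBase $FallbackBase
if ($result.Problems.Count -eq 0) {
    Write-Output "Host is guarded in $($result.Mode) mode with primary and fallback HGS URLs set."
} else {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    # Get-HgsTrace -RunDiagnostics gives per-check detail when attestation fails
}
```

This confirms the host's own configuration; it does not prove the fallback cluster holds current attestation information for the host, which the article notes must be kept up to date on both HGS clusters.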
 

Offline Mode

Offline mode allows shielded VMs to start even when the HGS cluster is unreachable. To enable this mode, run the following command on an HGS node:
Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching:$true

After running the command, restart all VMs to enable the cacheable key protector.
Note: Any security configuration change on the Hyper-V host causes this offline mode to become invalid. The host must attest with an HGS server before VMs can start in offline mode again.
 

Linux Shielded VM

Microsoft supports shielded VMs running Linux as the guest OS. For more details on which Linux distributions and versions can be used, see the following link:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-create-a-linux-shielded-vm-template


Important Guidelines

There are a few important guidelines to be followed when deploying shielded VMs:
  1. When upgrading from Windows Server 2016 to Windows Server 2019, clear all security configurations. Apply them again after the upgrade on the HGS and the guarded hosts for the solution to work seamlessly.
  2. Template disks can only be used with the secure shielded VM provisioning process. Attempting to boot a regular (unshielded) VM using a template disk will likely result in a stop error (blue screen) and is unsupported.

Affected products

Microsoft Windows Server 2019
Article properties
Article number: 000175495
Article type: How To
Last modified: 19 Jul 2024
Version: 6