Compatible hardware with Windows Server Virtualization-based protection of Code Integrity

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

Windows Server 2016 introduced a new Virtualization-based code protection to help protect physical and virtual machines from attacks that modify system code. To achieve this high protection level, Microsoft works in tandem with the computer hardware manufacturers (Original Equipment Manufacturers, or OEMs) to prevent malicious writes into system execution code. This protection can be applied to any system and is being used as one of the building blocks for implementing the Hyper-V host health for shielded virtual machines (VMs).

As with any hardware-based protection, some systems might not be compliant due to issues such as incorrectly marking memory pages as executable or actually trying to modify code at run time, which may result in unexpected failures including data loss or a blue screen error (also called a stop error).

To be compatible and fully support the new security feature, OEMs need to implement the Memory Address Table defined in UEFI 2.6, which was published in Jan. 2016. The adoption of the new UEFI standard takes time; meanwhile, to prevent customers from encountering issues, we want to provide information about systems and configurations that we have tested this feature set with, as well as systems that we know to be not compatible.

Non-compatible systems

The following configurations are known to be non-compatible with Virtualization-based protection of code integrity and cannot be used as a host for Shielded VMs:

Compatible systems

These are the systems we and our partners have been testing in our environment. Please make sure that you verify the system works as expected in your environment:

  • Virtual Machines – You can enable Virtualization-based protection of code integrity on virtual machines that run on a Hyper-V host beginning with Windows Server 2016.
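After enabling the feature on a physical host or VM, the verification step above ("verify the system works as expected in your environment") is best done by reading the Device Guard state that Windows exposes through CIM. The following is an added example written for this page, not code from the original page or from Microsoft; it queries the Win32_DeviceGuard class and reports whether Virtualization-based Security is running and whether hypervisor-enforced code integrity (HVCI) is configured and actually running. The function name Get-VbsCodeIntegrityState is an assumption of this example.

```powershell
# Added example (not from the original page). Reads the Win32_DeviceGuard CIM class
# to report whether VBS and hypervisor-enforced code integrity (HVCI) are active.
function Get-VbsCodeIntegrityState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # In SecurityServicesConfigured / SecurityServicesRunning, 1 = Credential Guard
    # and 2 = HVCI. VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not
    # running, 2 = running.
    $hvciId = 2
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    [PSCustomObject]@{
        VbsStatus                  = $vbsStatus
        HvciConfigured             = [bool]($dg.SecurityServicesConfigured -contains $hvciId)
        HvciRunning                = [bool]($dg.SecurityServicesRunning    -contains $hvciId)
        # Platform properties the firmware/hypervisor advertise vs. those the policy needs;
        # a required property missing from the available set is why HVCI stays configured
        # but not running on hardware that is not compatible.
        AvailableSecurityProperties = @($dg.AvailableSecurityProperties)
        RequiredSecurityProperties  = @($dg.RequiredSecurityProperties)
    }
}

$state = Get-VbsCodeIntegrityState
$state | Format-List

if ($state.HvciConfigured -and -not $state.HvciRunning) {
    $missing = $state.RequiredSecurityProperties |
               Where-Object { $state.AvailableSecurityProperties -notcontains $_ }
    Write-Warning ("HVCI is configured but not running. Required security properties " +
                   "not available on this platform: $($missing -join ', ')")
}
```

Run it in an elevated PowerShell session on the host or VM in question; HvciRunning must be True before the system should be treated as providing this protection, regardless of what was configured.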