Create a Windows shielded VM template disk

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2019

As with regular VMs, you can create a VM template (for example, a VM template in Virtual Machine Manager (VMM)) to make it easy for tenants and administrators to deploy new VMs on the fabric using a template disk. Because shielded VMs are security-sensitive assets, there are additional steps to create a VM template that supports shielding. This topic covers the steps to create a shielded template disk and a VM template in VMM.

To understand how this topic fits in the overall process of deploying shielded VMs, see Hosting service provider configuration steps for guarded hosts and shielded VMs.

Prepare an operating system VHDX

First prepare an OS disk that you will then run through the Shielded Template Disk Creation Wizard. This disk will be used as the OS disk in your tenant's VMs. You can use any existing tooling to create this disk, such as Microsoft Desktop Image Service Manager (DISM), or manually set up a VM with a blank VHDX and install the OS onto that disk. When setting up the disk, it must adhere to the following requirements, which are specific to generation 2 and/or shielded VMs:

| Requirement for VHDX | Reason |
| --- | --- |
| Must be a GUID Partition Table (GPT) disk | Needed for generation 2 virtual machines to support UEFI |
| Disk type must be Basic as opposed to Dynamic. Note: This refers to the logical disk type, not the "dynamically expanding" VHDX feature supported by Hyper-V. | BitLocker does NOT support dynamic disks. |
| The disk has at least two partitions. One partition must include the drive on which Windows is installed. This is the drive that BitLocker will encrypt. The other partition is the active partition, which contains the bootloader and remains unencrypted so that the computer can be started. | Needed for BitLocker |
| File system is NTFS | Needed for BitLocker |
| The operating system installed on the VHDX is one of the following: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012; Windows 10, Windows 8.1, or Windows 8 | Needed to support generation 2 virtual machines and the Microsoft Secure Boot template |
| Operating system must be generalized (run sysprep.exe) | Template provisioning involves specializing VMs for a specific tenant's workload |
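The requirements above can be checked before the disk is signed. The following script is an added example, not part of the original page: it mounts the candidate VHDX read-only and reports which table requirements it fails. It assumes the Hyper-V and Storage PowerShell modules (Mount-VHD, Get-Disk, Get-Partition, Get-Volume) are available, and the LDM partition GUIDs used to detect a Dynamic disk are an assumption of this example; the sysprep generalization state is not checked here.

```powershell
# Added example (not from the original page): pre-flight check of a generalized
# VHDX against the template disk requirements, run before the Template Disk
# Wizard or Protect-TemplateDisk. Requires the Hyper-V and Storage modules.
function Test-ShieldedTemplateVhdx {
    param([Parameter(Mandatory)][string]$Path)

    $problems = @()
    # Mount read-only so the check itself cannot alter the image that will be signed.
    $disk = Mount-VHD -Path $Path -ReadOnly -Passthru | Get-Disk
    try {
        if ($disk.PartitionStyle -ne 'GPT') {
            $problems += "Partition style is $($disk.PartitionStyle); generation 2 VMs need GPT."
        }

        $parts = @(Get-Partition -DiskNumber $disk.Number)
        if ($parts.Count -lt 2) {
            $problems += "Only $($parts.Count) partition(s); need an active boot partition plus the Windows partition."
        }

        # Dynamic (LDM) disks are recorded on GPT as LDM metadata/data partitions.
        # These two partition type GUIDs are an assumption of this example.
        $ldmTypes = '{5808C8AA-7E8F-42E0-85D2-E1E90434CFB3}', '{AF9B60A0-1431-4F62-BC68-3311714A69AD}'
        if ($parts | Where-Object { $ldmTypes -contains $_.GptType }) {
            $problems += 'Disk is Dynamic (LDM partitions found); BitLocker needs a Basic disk.'
        }

        # The Windows volume must be NTFS; partitions without a volume (such as MSR) are skipped.
        $ntfsVolumes = $parts | Get-Volume -ErrorAction SilentlyContinue |
            Where-Object FileSystem -eq 'NTFS'
        if (-not $ntfsVolumes) {
            $problems += 'No NTFS volume found; BitLocker needs NTFS.'
        }
    } finally {
        Dismount-VHD -Path $Path
    }

    [pscustomobject]@{
        Path     = $Path
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample path; replace with the generalized VHDX you intend to sign.
Test-ShieldedTemplateVhdx -Path 'C:\temp\WS2019-template.vhdx'
```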


If you use VMM, do not copy the template disk into the VMM library at this stage.

Run Windows Update on the template operating system

On the template disk, verify that the operating system has all of the latest Windows updates installed. Recently released updates improve the reliability of the end-to-end shielding process; that process may fail to complete if the template operating system is not up to date.

Prepare and protect the VHDX with the template disk wizard

To use a template disk with shielded VMs, the disk must be prepared and encrypted with BitLocker by using the Shielded Template Disk Creation Wizard. This wizard will generate a hash for the disk and add it to a volume signature catalog (VSC). The VSC is signed using a certificate you specify and is used during the provisioning process to ensure the disk being deployed for a tenant has not been altered or replaced with a disk the tenant does not trust. Finally, BitLocker is installed on the disk's operating system (if it is not already there) to prepare the disk for encryption during VM provisioning.


The template disk wizard will modify the template disk you specify in-place. You may want to make a copy of the unprotected VHDX before running the wizard so that you can make updates to the disk at a later time. You will not be able to modify a disk that has been protected with the template disk wizard.

Perform the following steps on a computer running Windows Server 2016, Windows 10 (with Remote Server Administration Tools, RSAT, installed) or later (it does not need to be a guarded host or a VMM server):

  1. Copy the generalized VHDX created in Prepare an operating system VHDX to the server, if it is not already there.

  2. To administer the server locally, install the Shielded VM Tools feature from Remote Server Administration Tools on the server.

    Install-WindowsFeature RSAT-Shielded-VM-Tools -Restart

    You can also administer the server from a client computer on which you have installed the Windows 10 Remote Server Administration Tools.

  3. Obtain or create a certificate to sign the VSC for the VHDX that will become the template disk for new shielded VMs. Details about this certificate will be shown to tenants when they create their shielding data files and are authorizing disks they trust. Therefore, it is important to obtain this certificate from a certificate authority mutually trusted by you and your tenants. In enterprise scenarios where you are both the host and the tenant, you might consider issuing this certificate from your PKI.

    If you are setting up a test environment and just want to use a self-signed certificate to prepare your template disk, run a command similar to the following:

    New-SelfSignedCertificate -DnsName publisher.fabrikam.com
  4. Start the Template Disk Wizard from the Administrative Tools folder on the Start menu or by typing TemplateDiskWizard.exe into a command prompt.

  5. On the Certificate page, click Browse to display a list of certificates. Select the certificate with which to prepare the disk template. Click OK and then click Next.

  6. On the Virtual Disk page, click Browse to select the VHDX that you have prepared, then click Next.

  7. On the Signature Catalog page, provide a friendly disk name and version. These fields are present to help you identify the disk once it has been prepared.

    For example, for disk name you could type WS2016 and for Version,

  8. Review your selections on the Review Settings page of the wizard. When you click Generate, the wizard will enable BitLocker on the template disk, compute the hash of the disk, and create the Volume Signature Catalog, which is stored in the VHDX metadata.

    Wait until the prep process has finished before attempting to mount or move the template disk. This process may take a while to complete, depending on the size of your disk.


    Template disks can only be used with the secure shielded VM provisioning process. Attempting to boot a regular (unshielded) VM using a template disk will likely result in a stop error (blue screen) and is unsupported.

  9. On the Summary page, information about the disk template, the certificate used to sign the VSC, and the certificate issuer is shown. Click Close to exit the wizard.

If you use VMM, follow the steps in the remaining sections of this topic to incorporate the template disk into a shielded VM template in VMM.

Copy the template disk to the VMM Library

If you use VMM, after you create a template disk, you need to copy it to a VMM library share so hosts can download and use the disk when provisioning new VMs. Use the following procedure to copy the template disk into the VMM library and then refresh the library.

  1. Copy the VHDX file to the VMM library share folder. If you used the default VMM configuration, copy the template disk to \\MSSCVMMLibrary\VHDs.

  2. Refresh the library server. Open the Library workspace, expand Library Servers, right-click on the library server that you want to refresh, and click Refresh.

  3. Next, provide VMM with information about the operating system installed on the template disk:

    a. Find your newly imported template disk on your library server in the Library workspace.

    b. Right-click the disk and then click Properties.

    c. For Operating system, expand the list and select the operating system installed on the disk. Selecting an operating system indicates to VMM that the VHDX is not blank.

    d. When you have updated the properties, click OK.

The small shield icon next to the disk's name denotes the disk as a prepared template disk for shielded VMs. You can also right-click the column headers and toggle the Shielded column to see a textual representation indicating whether a disk is intended for regular or shielded VM deployments.

[Figure: Shielded VM template disk in the VMM library]

Create the shielded VM template in VMM using the prepared template disk

With a prepared template disk in your VMM library, you are ready to create a VM template for shielded VMs. VM templates for shielded VMs differ slightly from traditional VM templates in that certain settings are fixed (generation 2 VM, UEFI and Secure Boot enabled, and so on) and others are unavailable (tenant customization is limited to a few select properties of the VM). To create the VM template, perform the following steps:

  1. In the Library workspace, click Create VM Template on the Home tab at the top.

  2. On the Select Source page, click Use an existing VM template or a virtual hard disk stored in the library, and then click Browse.

  3. In the window that appears, select a prepared template disk from the VMM library. To more easily identify which disks are prepared, right-click a column header and enable the Shielded column. Click OK, then Next.

  4. Specify a VM template name and optionally a description, and then click Next.

  5. On the Configure Hardware page, specify the capabilities of VMs created from this template. Ensure that at least one NIC is available and configured on the VM template. The only way for a tenant to connect to a shielded VM is through Remote Desktop Connection, Windows Remote Management, or other pre-configured remote management tools that work over networking protocols.

    If you choose to leverage static IP pools in VMM instead of running a DHCP server on the tenant network, you will need to alert your tenants to this configuration. When a tenant supplies their shielding data file, which contains the unattend file for VMM, they will need to provide special placeholder values for the static IP pool information. For more information about VMM placeholders in tenant unattend files, see Create an answer file.

  6. On the Configure Operating System page, VMM will only show a few options for shielded VMs, including the product key, time zone, and computer name. Some secure information, such as the administrator password and domain name, is specified by the tenant through a shielding data file (.PDK file).


    If you choose to specify a product key on this page, ensure it is valid for the operating system on the template disk. If an incorrect product key is used, the VM creation will fail.

After the template is created, tenants can use it to create new virtual machines. You will need to verify that the VM template is one of the resources available to the Tenant Administrator user role (in VMM, user roles are in the Settings workspace).

Prepare and protect the VHDX using PowerShell

As an alternative to running the Template Disk Wizard, you can copy your template disk and certificate to a computer running RSAT and run Protect-TemplateDisk to initiate the signing process. The following example uses the name and version information specified by the TemplateName and Version parameters. The VHDX you provide to the -Path parameter will be overwritten with the updated template disk, so be sure to make a copy before running the command.

# Replace "THUMBPRINT" with the thumbprint of your template disk signing certificate in the line below
$certificate = Get-Item Cert:\LocalMachine\My\THUMBPRINT

Protect-TemplateDisk -Certificate $certificate -Path "WindowsServer2019-ShieldedTemplate.vhdx" -TemplateName "Windows Server 2019" -Version

Your template disk is now ready to be used to provision shielded VMs. If you are using System Center Virtual Machine Manager to deploy your VM, you can now copy the VHDX to your VMM library.

You may also want to extract the volume signature catalog from the VHDX. This file is used to provide information about the signing certificate, disk name, and version to VM owners who want to use your template. They need to import this file into the Shielding Data File Wizard to authorize you, the template author in possession of the signing certificate, to create this and future template disks for them.

To extract the volume signature catalog, run the following command in PowerShell:

Save-VolumeSignatureCatalog -TemplateDiskPath 'C:\temp\MyLinuxTemplate.vhdx' -VolumeSignatureCatalogPath 'C:\temp\MyLinuxTemplate.vsc'
