Provision guarded hosts in VMM

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend that you upgrade to VMM 2019.

This article describes how to deploy guarded Hyper-V hosts in a System Center - Virtual Machine Manager (VMM) compute fabric. Learn more about guarded fabric.

There are a couple of ways to set up guarded Hyper-V hosts in a VMM fabric.

  • Configure an existing host to be a guarded host: You can configure an existing host to run shielded VMs.
  • Add or provision a new guarded host: This host could be:
    • An existing Windows Server computer (with or without the Hyper-V role)
    • A bare-metal computer

You set up guarded hosts in the VMM fabric as follows:

  1. Configure global HGS settings: VMM connects all guarded hosts to the same HGS server so that you can successfully migrate shielded VMs between the hosts. You specify global HGS settings that apply to all guarded hosts, although you can also specify host-specific settings that override the global settings. Settings include:

    • Attestation URL: The URL that the host uses to connect to the HGS attestation service. This service authorizes a host to run shielded VMs.
    • Key protection server URL: The URL that the host uses to retrieve the key needed to decrypt VMs. The host must pass attestation in order to retrieve keys.
    • Code integrity policies: A code integrity policy restricts the software that can run on a guarded host. When HGS is configured to use TPM attestation, guarded hosts must be configured to use a code integrity policy authorized by the HGS server. You can specify the location of code integrity policies in VMM and deploy them to your hosts. This is optional and not required to manage a guarded fabric.
    • VM shielding helper VHD: A specially prepared virtual hard disk that is used to convert existing VMs to shielded VMs. You must configure this setting if you wish to shield existing VMs.
  2. Configure the cloud: If the guarded host will be included in a VMM cloud, you need to enable the cloud to support shielded VMs.

Before you start

Make sure you have deployed and configured the Host Guardian Service before proceeding. Learn more about configuring HGS in the Windows Server documentation.

Additionally, ensure that any hosts which will become guarded hosts meet the guarded host prerequisites:

  • Operating system: Host servers must run Windows Server Datacenter. It is recommended to use Server Core for guarded hosts.
  • Roles and features: Host servers should be running the Hyper-V role and the Host Guardian Hyper-V Support feature. Host Guardian Hyper-V Support lets the host communicate with HGS to attest to its health and request keys for shielded VMs. If your host is running Nano Server, it should have the Compute, SCVMM-Package, SCVMM-Compute, SecureStartup, and ShieldedVM packages installed.
  • TPM attestation: If your HGS is configured to use TPM attestation, the host servers must:
    • Use UEFI 2.3.1c and a TPM 2.0 module
    • Boot in UEFI mode (not BIOS or "legacy" mode)
    • Enable Secure Boot
  • HGS registration: Hyper-V hosts must be registered with HGS. How they're registered depends on whether HGS is using AD or TPM attestation. Learn more.
  • Live migration: If you want to live migrate shielded VMs, you need to deploy two or more guarded hosts.
  • Domain: Guarded hosts and the VMM server must be in the same domain, or in domains with a two-way trust.
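The following PowerShell is an added example, not part of this article or of VMM, that checks a candidate host against the prerequisites listed above when run elevated on the host itself. It uses only built-in Windows Server cmdlets; the UEFI firmware revision (2.3.1c) is not exposed to Windows, so only UEFI boot mode is checked, and the firmware, Secure Boot and TPM checks matter only when HGS uses TPM attestation.

```powershell
# Added example: guarded-host prerequisite check. Run in an elevated PowerShell on the
# candidate Hyper-V host. Reports OK/FAIL per requirement from the article's list.
$results = [ordered]@{}

# Operating system: must be a Datacenter edition
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Datacenter edition']    = $os.Caption -match 'Datacenter'

# Roles and features: Hyper-V role and Host Guardian Hyper-V Support (feature name HostGuardian)
$results['Hyper-V role']          = (Get-WindowsFeature -Name Hyper-V).Installed
$results['HostGuardian feature']  = (Get-WindowsFeature -Name HostGuardian).Installed

# The next three checks apply when HGS is configured for TPM attestation.
# Firmware: the host must have booted in UEFI mode, not BIOS/legacy
$results['UEFI boot']             = $env:firmware_type -eq 'UEFI'

# Secure Boot: Confirm-SecureBootUEFI throws on a legacy-booted machine, so treat that as FAIL
try   { $results['Secure Boot enabled'] = Confirm-SecureBootUEFI }
catch { $results['Secure Boot enabled'] = $false }

# TPM: present, ready, and spec version 2.0 (SpecVersion looks like "2.0, 0, 1.16")
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
$results['TPM present and ready'] = $tpm.TpmPresent -and $tpm.TpmReady
$results['TPM 2.0']               = ($null -ne $tpmWmi) -and ($tpmWmi.SpecVersion -like '2.0*')

# Domain: the host must be domain-joined (same domain as VMM, or a two-way trust)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain joined']         = $cs.PartOfDomain

# Print a summary; any FAIL line is a prerequisite to fix before adding the host to VMM
$results.GetEnumerator() | ForEach-Object {
    '{0,-25} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```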

Configure global HGS settings

Before you can add guarded hosts to your VMM compute fabric, you must configure VMM with information about the Host Guardian Service for the fabric. The same HGS will be used for all guarded hosts managed by VMM.

  1. Obtain the attestation and key protection URLs for your fabric from your HGS administrator.

  2. In the VMM console, click Settings > Host Guardian Service Settings.

  3. Enter the attestation and key protection URLs in the respective fields. You do not need to configure the code integrity policies and VM shielding helper VHD sections at this time.

    Global HGS settings window

  4. Click Finish to save the configuration.

Add or provision a new guarded host

  1. Add the host:
    • If you want to add an existing server running Windows Server as a guarded Hyper-V host, add it to the fabric.
    • If you want to provision a Hyper-V host from a bare-metal computer, follow these prerequisites and instructions. Note that you can deploy the host as guarded when you provision it (Add Resource Wizard > OS Settings > Configure as guarded host).
  2. Continue on to the next section to configure the host as a guarded host.

Configure an existing host to be a guarded host

To configure an existing Hyper-V host managed by VMM to be a guarded host, complete the following steps:

  1. Place the host in maintenance mode.

  2. In All Hosts, right-click the host > Properties > Host Guardian Service.

    Enable the host as a guarded host

  3. Select to enable the Host Guardian Hyper-V Support feature and configure the host. Note that:

    • The global attestation and key protection server URLs will be set on the host.
    • If you modify these URLs outside the VMM console, you need to update them in VMM too. If you don't, VMM will not place shielded VMs on the host until the URLs match again. You can also uncheck and re-check the "Enable" box to reconfigure the host with the URLs configured in VMM.
  4. If you're using VMM to manage code integrity policies, you can enable the second checkbox and select the appropriate policy for the system.

  5. Click OK to update the host's configuration.

  6. Take the host out of maintenance mode.

VMM checks that the host passes attestation when you add it, and every time that the host status is refreshed. VMM only deploys and migrates shielded VMs on hosts that have passed attestation. You can check the attestation status of a host in Properties > Status > HGS Client Overall.
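As an added example that is not part of this article or of VMM, the following PowerShell, run on the guarded host, reads the local HGS client configuration with Get-HgsClientConfiguration (from the HgsClient module in Windows Server 2016) and reports two things the text above calls out: whether the host's URLs have drifted from the ones VMM configured, and whether the host currently passes attestation. The two expected URLs are placeholders for your fabric's values.

```powershell
# Added example: compare the host's HGS client settings with the URLs VMM is expected to
# have set, and report the attestation outcome. Placeholder URLs; substitute your fabric's.
param(
    [string]$ExpectedAttestationUrl   = 'http://hgs.example.com/Attestation',   # placeholder
    [string]$ExpectedKeyProtectionUrl = 'http://hgs.example.com/KeyProtection'  # placeholder
)

# Local HGS client state as reported by the Host Guardian Hyper-V Support feature
$cfg = Get-HgsClientConfiguration
$findings = @()

# Normalise trailing slashes so a cosmetic difference is not reported as drift
$hostAttUrl = [string]$cfg.AttestationServerUrl   -replace '/+$', ''
$hostKpsUrl = [string]$cfg.KeyProtectionServerUrl -replace '/+$', ''

# URL drift: VMM will not place shielded VMs on the host until these match its settings again
if ($hostAttUrl -ne ($ExpectedAttestationUrl -replace '/+$', '')) {
    $findings += "Attestation URL differs from VMM: host has '$hostAttUrl'"
}
if ($hostKpsUrl -ne ($ExpectedKeyProtectionUrl -replace '/+$', '')) {
    $findings += "Key protection URL differs from VMM: host has '$hostKpsUrl'"
}

# Attestation outcome: only a passed attestation lets the host retrieve keys for shielded VMs
if ($cfg.AttestationStatus -ne 'Passed') {
    $findings += "Attestation not passed: $($cfg.AttestationStatus) ($($cfg.AttestationSubstatus))"
}

if ($findings.Count -eq 0) {
    "OK: host guarded = $($cfg.IsHostGuarded); attestation passed against $hostAttUrl"
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

If a URL warning appears, correct the value in VMM or re-check the "Enable" box on the host's Host Guardian Service page so VMM reapplies its settings.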

Enable guarded hosts on a VMM cloud

Enable a cloud to support guarded hosts:

  1. In the VMM console, click VMs and Services > Clouds. Right-click the cloud name > Properties.
  2. In General > Shielded VM support, select Supported on this private cloud.

Manage and deploy code integrity policies with VMM

In guarded fabrics configured to use TPM attestation, each host must be configured with a code integrity policy that is trusted by the Host Guardian Service. To ease the management of code integrity policies, you can optionally use VMM to deploy new or updated policies to your guarded hosts.

To deploy a code integrity policy to a guarded host managed by VMM, complete the following steps:

  1. Create a code integrity policy for each reference host in your environment. You will need a different CI policy for each unique hardware and software configuration of your guarded hosts.
  2. Store the CI policies in a secure file share. The computer account of each guarded host requires read access to the share. Only trusted administrators should have write access.
  3. In the VMM console, click Settings > Host Guardian Service Settings.
  4. Under the Code Integrity Policies section, click Add and specify a friendly name and the path to a CI policy. Repeat this step for each unique CI policy. Be sure to name your policies in a manner that will help you identify which policy should be applied to which hosts.

    Add a code integrity policy

  5. Click Finish to save the configuration.

Now, for each guarded host, complete the following steps to apply a code integrity policy:

  1. Place the host in maintenance mode.

  2. In All Hosts, right-click the host > Properties > Host Guardian Service.

    Apply a code integrity policy

  3. Select to enable the option to configure the host with a code integrity policy, then select the appropriate policy for the system.

  4. Click OK to apply the configuration change. The host may restart to apply the new policy.

  5. Take the host out of maintenance mode.

Warning

Be sure to select the correct code integrity policy for the host. If an incompatible policy is applied to the host, some applications, drivers, or operating system components may no longer work.

If you update the code integrity policy in the file share and wish to also update the guarded hosts, you can do so by completing the following steps:

  1. Place the host in maintenance mode.
  2. In All Hosts, right-click the host > Apply Latest Code Integrity Policy.
  3. Take the host out of maintenance mode.

Next steps