Set up disks and a VM template to deploy shielded VMs

Important

This version of Virtual Machine Manager (VMM) has reached the end of support. We recommend that you upgrade to VMM 2019.

You deploy shielded virtual machines in the System Center - Virtual Machine Manager (VMM) compute fabric from a signed virtual machine hard disk (VHDX), optionally together with a VM template. This article describes how to add signed template disks to the VMM library, configure a shielding helper disk, deploy new shielded VMs, and convert existing VMs to shielded VMs in VMM.

Before you start

  • The signed template disk used to create the shielded VM template must have its family and version marked.
  • The VMM library to which you add the signed template disk must be accessible from the clouds in which shielded VMs will be provisioned.
  • The library share should be added to the clouds from which shielded VMs will be provisioned (not in read-only mode).

Adding signed template disks for shielded VMs to the VMM library

Shielded VMs can be deployed in two ways: by deploying directly from a signed template disk, or by converting an existing VM to a shielded VM. A signed template disk assures tenants that the disk contents have not been modified, and lets tenants transfer deployment secrets such as administrator passwords and certificates to the VM in encrypted form. For this reason, deploying shielded VMs from signed template disks is the preferred approach.

To prepare a signed template disk and add it to the VMM library, complete the following steps:

  1. Prepare a signed template disk on a machine running Windows Server 2016 with Desktop Experience, or Windows 10 with the Remote Server Administration Tools installed.

  2. Copy the template disk to a library share (\\<vmmserver>\MSSCVMMLibrary\VHDs by default), and refresh the library server.

  3. To provide VMM with information about the operating system on the template disk, in Library, right-click the disk > Properties.

  4. In Operating system, select the operating system installed on the disk. This indicates to VMM that the VHDX isn't blank. The shield icon next to the disk name denotes it as a signed template disk for shielded VMs. Optionally, also supply the Family and Release of the disk so that the resource is available in the tenant Azure Pack self-service portal.

    [Image: Disk properties window for a signed template disk]

  5. Click OK to save the properties of the signed template disk.
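The five steps above, scripted end to end, as an added example that is not part of the original article or of VMM's own documentation. It assumes the RSAT "Shielded VM Tools" (the ShieldedVMTemplate module) and the VMM console cmdlets are installed on the admin workstation, and that the template-disk signing certificate is already in the current user's certificate store. The server name, paths, disk name and certificate subject are constructed placeholders; the family and release values mirror the Properties dialog described above.

```powershell
# Added example: sign a template disk, publish it to the VMM library, and mark its OS, family and release.
# Assumes the ShieldedVMTemplate module (RSAT Shielded VM Tools) and the VirtualMachineManager module.
Import-Module ShieldedVMTemplate
Import-Module VirtualMachineManager

$vmmServerName = 'vmmserver'                                   # constructed
$templatePath  = 'C:\Templates\WS2016-Shielded.vhdx'           # sysprepped Generation 2 VHDX (constructed path)
$catalogPath   = 'C:\Templates\WS2016-Shielded.vsc'            # volume signature catalog handed to tenants
$libraryVhds   = "\\$vmmServerName\MSSCVMMLibrary\VHDs"        # default library share from the article
$libraryRoot   = "\\$vmmServerName\MSSCVMMLibrary"

# Step 1a: pick the signing certificate. Tenants' shielding data files trust this certificate,
# so a dedicated, long-lived signing certificate should be used rather than an ad hoc self-signed one.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like 'CN=Template Disk Signing*' } |   # constructed subject
    Select-Object -First 1
if (-not $cert) { throw 'No template disk signing certificate with a private key was found.' }

# Step 1b: sign the disk in place. The signature covers the OS volume, so any later change
# to the disk contents invalidates it and the shielded VM deployment will be refused.
Protect-TemplateDisk -Path $templatePath -TemplateName 'WS2016-Shielded' -Version 1.0.0.0 -Certificate $cert

# Export the volume signature catalog (.vsc); tenants embed it in their shielding data file (.PDK)
# so that the Host Guardian Service only releases secrets to VMs built from this exact disk.
Save-VolumeSignatureCatalog -TemplateDiskPath $templatePath -VolumeSignatureCatalogPath $catalogPath

# Step 2: copy the disk to the library share and refresh the share so VMM indexes it.
Copy-Item -Path $templatePath -Destination $libraryVhds
$vmm   = Get-SCVMMServer -ComputerName $vmmServerName
$share = Get-SCLibraryShare -VMMServer $vmm | Where-Object { $_.Path -eq $libraryRoot }
if (-not $share) { throw "Library share $libraryRoot is not registered in VMM." }
Read-SCLibraryShare -LibraryShare $share | Out-Null

# Steps 3-5: set the operating system (marks the VHDX as non-blank) plus family and release.
$vhd = Get-SCVirtualHardDisk -VMMServer $vmm -Name 'WS2016-Shielded.vhdx'
$os  = Get-SCOperatingSystem -VMMServer $vmm |
    Where-Object { $_.Name -eq 'Windows Server 2016 Datacenter' } |                           # must match the disk
    Select-Object -First 1
if (-not $os) { throw 'Operating system entry not found in VMM.' }
Set-SCVirtualHardDisk -VirtualHardDisk $vhd -OperatingSystem $os `
    -FamilyName 'Windows Server 2016 Datacenter' -Release '1.0.0.0' | Out-Null

# Confirm the properties that the "Before you start" section requires.
$vhd = Get-SCVirtualHardDisk -VMMServer $vmm -Name 'WS2016-Shielded.vhdx'
"{0}: OS='{1}' Family='{2}' Release='{3}'" -f $vhd.Name, $vhd.OperatingSystem, $vhd.FamilyName, $vhd.Release
```

The `.vsc` file is the artifact tenants need, not the signing certificate's private key; keep the private key on the signing workstation only, since anyone holding it can produce template disks that tenants' shielding data will accept.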

Create a shielded VM template

You can optionally create a shielded VM template from a signed template disk. VM templates define virtual machine resources such as CPU count, RAM, and networking for an OS disk.

Templates for shielded VMs vary slightly from a regular VM template. Some settings are fixed: for example, the VM must be a Generation 2 VM with Secure Boot enabled. Create the VM template as follows:

  1. Click Library > Create VM Template. In Select Source, click Use an existing VM template or a virtual hard disk stored in the library > Browse.
  2. Select the signed template disk, specify a template name and an optional description, and click OK.
  3. In Configure Hardware, specify the hardware properties for VMs you create from the template. Make sure that at least one NIC is configured and available. Tenants connect to shielded VMs over Remote Desktop Connection, Windows Remote Management, or other remote management tools that require networking.
  4. If you want to use static IP addressing from the tenant pool, you need to let your tenants know. Tenants need to provide an answer file with values that specialize a shielded VM for them, and special, well-known placeholder values are required in that answer file to support static IP pools.
  5. In Configure Operating System, specify the OS version, computer name, product key, and time zone. The tenant supplies secure information such as the administrator password in a shielding data file (.PDK) that they provide when provisioning a new VM. If you specify a product key, make sure it's valid for the operating system on the template disk; if it isn't, the VM will not provision successfully. After the VM template is created, make sure that it's available to the Tenant Administrator user role. Tenants can then use it to provision new VMs.
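The same template creation from the VMM PowerShell cmdlets, as an added example that is not from the original article. It assumes the signed disk was already added to the library and had its operating system set as in the previous section, and that a VM network named `Tenant-Network` exists; the server name, template name and network name are constructed. The checks at the top enforce two points from the steps above: the disk must carry an operating system (the Properties step), and the guest OS profile must use that same operating system so that an optional product key cannot be mismatched against the disk.

```powershell
# Added example: build a shielded VM template from a signed template disk and expose it to tenants.
Import-Module VirtualMachineManager

$vmm = Get-SCVMMServer -ComputerName 'vmmserver'                          # constructed
$vhd = Get-SCVirtualHardDisk -VMMServer $vmm -Name 'WS2016-Shielded.vhdx' # disk added in the previous section

# The Properties step must have been completed; without an OS VMM treats the VHDX as blank.
if (-not $vhd.OperatingSystem) { throw "$($vhd.Name) has no operating system set; complete the disk Properties step first." }

# Guest OS settings. The OS is taken from the disk itself so a product key (if any) is checked
# against the right operating system. Tenants supply the admin password via their .PDK, not here.
$productKey = $null   # constructed: leave $null unless you have a key valid for this OS
$osProfileArgs = @{
    VMMServer       = $vmm
    Name            = 'WS2016-Shielded-OS'        # constructed
    ComputerName    = '*'                         # VMM generates a name; tenants can override via answer file
    OperatingSystem = $vhd.OperatingSystem
}
if ($productKey) { $osProfileArgs['ProductKey'] = $productKey }
$osProfile = New-SCGuestOSProfile @osProfileArgs

# Create the template. Shielded templates must be Generation 2; VMM fixes Secure Boot for them.
$template = New-SCVMTemplate -VMMServer $vmm -Name 'WS2016-Shielded-Template' `
    -VirtualHardDisk $vhd -GuestOSProfile $osProfile -Generation 2
Set-SCVMTemplate -VMTemplate $template -CPUCount 2 -MemoryMB 4096 | Out-Null

# Step 3's requirement: at least one NIC, attached to a VM network tenants can reach.
$network = Get-SCVMNetwork -VMMServer $vmm -Name 'Tenant-Network'           # constructed name
if (-not $network) { throw 'VM network Tenant-Network not found.' }
New-SCVirtualNetworkAdapter -VMTemplate $template -VMNetwork $network | Out-Null
$nics = @(Get-SCVirtualNetworkAdapter -VMTemplate $template)
if ($nics.Count -lt 1) { throw 'Template has no network adapter; tenants would have no way to reach the VM.' }

# Step 5's final requirement: make the template available to the Tenant Administrator role.
Grant-SCResource -Resource $template -UserRoleName 'Tenant Administrator' | Out-Null

"Template '{0}' created: generation {1}, {2} NIC(s)" -f $template.Name, $template.Generation, $nics.Count
```

The splatted `$osProfileArgs` keeps `-ProductKey` out of the call entirely when no key is set, which avoids the failed-provisioning case the article warns about more reliably than passing an empty string.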

Configure the shielding helper VHD

Existing Windows VMs can also be converted to shielded VMs with the use of a shielding helper VHD. The helper VHD is a special disk prepared with the tools needed to encrypt another VM's operating system drive. VMM must be configured with a helper VHD before you can shield existing VMs.

  1. Prepare a helper VHD on a computer running Windows Server 2016, or Windows 10 with the Remote Server Administration Tools installed.
  2. Copy the helper VHD to a library share, and refresh the library server.
  3. In the VMM console, click Settings > Host Guardian Service Settings.
  4. In the Shielding Helper VHD section, click Browse, and select the helper VHD from the list of files in the library shares.
  5. Click Finish to save the configuration.

With the shielding helper VHD configured, you can proceed to shield an existing VM.
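The helper VHD steps above in PowerShell, as an added example that is not from the original article. It assumes the ShieldedVMTemplate module from the RSAT Shielded VM Tools and the VMM console cmdlets; the path, server name and disk name are constructed. Steps 3 to 5 are performed in the VMM console in the article; the `Set-SCVMMServer -ShieldingHelperVhd` call used here for that part is an assumption about the cmdlet's parameter name, so if your VMM version's `Set-SCVMMServer` does not accept it, finish those steps in the console as described.

```powershell
# Added example: prepare a shielding helper VHD, publish it to the library, and register it with VMM.
Import-Module ShieldedVMTemplate
Import-Module VirtualMachineManager

$vmmServerName = 'vmmserver'                                   # constructed
$helperPath    = 'C:\Templates\ShieldingHelper.vhdx'           # constructed: OS disk of a shut-down, freshly installed Windows Server 2016 VM
$libraryVhds   = "\\$vmmServerName\MSSCVMMLibrary\VHDs"
$libraryRoot   = "\\$vmmServerName\MSSCVMMLibrary"

# Step 1: turn the plain OS disk into a helper disk carrying the encryption tooling.
# The helper disk is booted next to the VM being converted, so it must never be handed to tenants.
if (-not (Test-Path $helperPath)) { throw "Helper disk $helperPath not found." }
Initialize-VMShieldingHelperVHD -Path $helperPath

# Step 2: publish to the library and refresh so VMM can list it.
Copy-Item -Path $helperPath -Destination $libraryVhds
$vmm   = Get-SCVMMServer -ComputerName $vmmServerName
$share = Get-SCLibraryShare -VMMServer $vmm | Where-Object { $_.Path -eq $libraryRoot }
if (-not $share) { throw "Library share $libraryRoot is not registered in VMM." }
Read-SCLibraryShare -LibraryShare $share | Out-Null

$helperVhd = Get-SCVirtualHardDisk -VMMServer $vmm -Name 'ShieldingHelper.vhdx'
if (-not $helperVhd) { throw 'Helper VHD did not appear in the library after refresh.' }

# Steps 3-5: register the helper disk in Host Guardian Service Settings.
# ASSUMPTION: the -ShieldingHelperVhd parameter name; fall back to the console if it is not accepted.
Set-SCVMMServer -VMMServer $vmm -ShieldingHelperVhd $helperVhd | Out-Null

"Helper VHD '{0}' registered from share {1}" -f $helperVhd.Name, $share.Path
```

Keep the helper VHD in a library share that only the VMM fabric administrators can write to; because VMM boots it to encrypt other VMs' OS drives, a tampered helper disk would run with access to every VM being converted.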

Next steps

Review Provision shielded VMs to learn how to deploy shielded virtual machines in a VMM compute fabric.