Provision shielded virtual machines in the VMM fabric

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend upgrading to VMM 2019.

This article describes how to deploy shielded virtual machines in the System Center - Virtual Machine Manager (VMM) compute fabric.

You can deploy shielded VMs in VMM in two ways:

  • Convert an existing VM into a shielded VM.
  • Create a new shielded VM from a signed virtual machine hard disk (VHDX), optionally using a VM template.

Before you start

Watch the video that provides a quick, two-minute overview of provisioning shielded VMs in VMM. Then make sure you've done the following:

  1. Prepare an HGS server: You should have a Host Guardian Service (HGS) server deployed. Learn more.

  2. Set up VMM: Configure the global HGS settings in VMM and set up at least one guarded host. If the guarded hosts belong to a cloud, the cloud must be enabled to support shielded VMs. Learn more.

  3. Prepare a shielded VHDX and VM template: You deploy shielded VMs from a signed (shielded) template disk (VHDX), optionally using a VM template. Learn more about preparing these.

    Note

    You cannot use a service template to create a shielded VM. Use a script instead.

  4. Prepare shielding data files: To use the signed template disks in the VMM library, tenants must prepare one or more shielding data files. A shielding data file contains all the secrets a tenant needs to deploy a VM, including the unattend file used to specialize the VM, certificates, and administrator account passwords. It also specifies which guarded fabric the tenant trusts to host the VM, and carries information about the signed template disks it may be used with. The file is encrypted so that only a host in a guarded fabric trusted by the tenant (that is, a host that fabric's HGS has attested) can read it; fabric administrators cannot inspect its contents. Learn more.

  5. Set up a host group: For easier management, we recommend placing guarded hosts in a dedicated VMM host group.

  6. Verify existing VM requirements: If you want to convert an existing VM to a shielded VM, note the following:

    • The VM must be generation 2 and have the Microsoft Windows Secure Boot template enabled.
    • The operating system on the disk must be one of:
        • Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
        • Windows 10, Windows 8.1, Windows 8
    • The OS disk for the VM must use a GUID Partition Table (GPT). Generation 2 VMs require this to support UEFI.

  7. Set up a helper VHD: The hosting service provider must create a VM that acts as the helper VHD used for converting existing machines. Learn more.
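The structural requirements in item 6 (generation 2, Microsoft Windows Secure Boot template, GPT OS disk) can be checked before you attempt a conversion. The following script is an added example, not part of the original article; it uses the Hyper-V module cmdlets Get-VM, Get-VMFirmware, Mount-VHD and Get-Disk, is run elevated on the unguarded Hyper-V host that currently owns the VM, and assumes the VM is turned off so the OS disk can be mounted read-only. The VM name is an assumption; the OS version inside the disk is not checked here.

```powershell
# Added example: check a Hyper-V VM against the shielding prerequisites listed above.
# Run elevated on the (unguarded) Hyper-V host that owns the VM, with the VM turned off.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)]
    [string]$VMName            # assumption: name of the VM you intend to shield
)

$findings = New-Object System.Collections.Generic.List[string]
$vm = Get-VM -Name $VMName -ErrorAction Stop

# 1. Generation 2 (UEFI) is required; generation 1 VMs cannot be shielded.
if ($vm.Generation -ne 2) {
    $findings.Add("Generation is $($vm.Generation); shielding requires generation 2.")
}

# 2. Secure Boot must be On with the Microsoft Windows template
#    (not the UEFI CA template used for Linux guests).
$firmware = Get-VMFirmware -VM $vm
if ($firmware.SecureBoot -ne 'On') {
    $findings.Add("Secure Boot is $($firmware.SecureBoot); it must be On.")
}
if ($firmware.SecureBootTemplate -ne 'MicrosoftWindows') {
    $findings.Add("Secure Boot template is '$($firmware.SecureBootTemplate)'; expected 'MicrosoftWindows'.")
}

# 3. The OS disk must be GPT. Take the first hard-drive entry from the UEFI boot
#    order and inspect its VHDX read-only; this needs the VM to be off.
if ($vm.State -ne 'Off') {
    $findings.Add("VM state is $($vm.State); turn the VM off before checking the OS disk or shielding it.")
} else {
    $osEntry = $firmware.BootOrder | Where-Object { $_.BootType -eq 'Drive' } | Select-Object -First 1
    if (-not $osEntry) {
        $findings.Add("No hard-drive entry in the UEFI boot order; cannot identify the OS disk.")
    } else {
        $vhdPath = $osEntry.Device.Path
        $mounted = $false
        try {
            $disk = Mount-VHD -Path $vhdPath -ReadOnly -NoDriveLetter -Passthru | Get-Disk
            $mounted = $true
            if ($disk.PartitionStyle -ne 'GPT') {
                $findings.Add("OS disk '$vhdPath' is $($disk.PartitionStyle); it must be GPT.")
            }
        } finally {
            # Always release the disk so the VM can be started or exported afterwards.
            if ($mounted) { Dismount-VHD -Path $vhdPath }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$VMName meets the structural prerequisites for shielding (still confirm the guest OS version)."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as `.\Test-ShieldingPrereqs.ps1 -VMName 'app01'` (script name is an assumption). A VM that fails the generation or partition-style check cannot be fixed in place; it needs to be rebuilt as a generation 2 VM with a GPT system disk before it can be shielded, whereas the Secure Boot template can simply be changed with Set-VMFirmware while the VM is off.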

Adding shielding data files to VMM

Before you can convert an existing VM to a shielded VM or provision a new shielded VM from a template, the VM owner must generate a shielding data file and add it to VMM.

If you do not already have a shielding data file imported, complete the following steps:

  1. Create a shielding data file if you don't already have one. Make sure the shielding data file authorizes the hosting fabric that VMM manages to run your shielded VMs; a file that does not name that fabric's HGS as a guardian cannot be decrypted by its hosts, and deployment will fail.
  2. In the VMM console, click Library > Import Shielding Data > Browse, and select your shielding data file.
  3. In Name, specify a friendly name for the shielding data file, and optionally add a description. Indicating in the name whether the file is intended for existing VMs or for new VMs makes it easier to find again.
  4. Click Import to save the shielding data in VMM.

To manage your imported shielding data files, go to Library > VM Shielding Data (under Profiles).
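Item 4 of the prerequisites and the import procedure above describe the two halves of the shielding data workflow: the tenant builds the encrypted .pdk, and the fabric administrator registers it in the VMM library. The following script is an added example, not code from the original article. The tenant half uses the ShieldedVMDataFile module (installed with the RSAT Shielded VM Tools feature); paths, guardian names, the HGS metadata file and the .vsc catalog are assumptions, and the script is for new-VM provisioning only (an existing-VM conversion file is built against the helper disk instead). The VMM cmdlet at the end is named as documented for the VMM module, but its parameter set should be confirmed with Get-Help on your version.

```powershell
# Added example: tenant builds a shielding data file, fabric admin imports it into VMM.
# Tenant side: run on a machine the tenant controls, not on the fabric, because the
# unattend file and its passwords are plaintext until New-ShieldingDataFile encrypts them.
Import-Module ShieldedVMDataFile

# 1. Owner guardian: the tenant's own key pair. Create it once and protect the
#    private key; it is what lets the tenant authorize additional fabrics later.
$owner = Get-HgsGuardian -Name 'Contoso-Owner' -ErrorAction SilentlyContinue   # name is an assumption
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'Contoso-Owner' -GenerateCertificates
}

# 2. Hosting fabric guardian: the HGS metadata document published by the hoster
#    (assumed path). Importing it authorizes exactly that fabric's attested hosts,
#    and no other, to decrypt this file. Add -AllowUntrustedRoot only if the hoster's
#    HGS certificates are self-signed and you have verified them out of band.
$fabricGuardian = Import-HgsGuardian -Path 'C:\shielding\FabrikamHGS-metadata.xml' `
                                      -Name 'Fabrikam-Hosting'

# 3. Volume ID qualifier: pins the shielding data to the signed template disk the
#    tenant reviewed, so the fabric cannot substitute a different disk. The .vsc
#    catalog (assumed path) was exported from the template disk by the hoster with
#    Save-VolumeSignatureCatalog. VersionRule Equals rejects any other disk version.
$volumeId = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\shielding\WS2016-template.vsc' `
                                   -VersionRule Equals

# 4. Unattend file holding the specialization secrets. Substitution strings such
#    as @ComputerName@ are filled in by VMM when the VM is provisioned.
$unattend = 'C:\shielding\unattend.xml'   # assumed path

# 5. Produce the encrypted .pdk. -Policy Shielded blocks console access on the
#    fabric; use EncryptionSupported while debugging an unattend file (see the
#    provisioning notes later in this article).
New-ShieldingDataFile -ShieldingDataFilePath 'C:\shielding\Contoso-NewVM.pdk' `
                      -Owner $owner `
                      -Guardian $fabricGuardian `
                      -VolumeIDQualifier $volumeId `
                      -WindowsUnattendFile $unattend `
                      -Policy Shielded

# Fabric side: register the .pdk in the VMM library (equivalent to
# Library > Import Shielding Data in the console). Guarded so the tenant half
# still runs on a machine without the VMM module.
if (Get-Command New-SCVMShieldingData -ErrorAction SilentlyContinue) {
    # Assumption: parameter names as in the VMM module; verify with Get-Help New-SCVMShieldingData.
    New-SCVMShieldingData -Name 'Contoso-NewVM (new VMs)' `
                          -Description 'Tenant Contoso, new shielded VM provisioning' `
                          -VMShieldingDataPath 'C:\shielding\Contoso-NewVM.pdk'
}
```

The only artefact that crosses the trust boundary is the .pdk itself, which is encrypted to the guardians listed in it; the owner certificate's private key and the plaintext unattend file stay with the tenant. Naming the imported object for its purpose, as step 3 of the import procedure suggests, matters because VMM later offers only files of the matching type in the Create Virtual Machine wizard.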

Provision a new shielded VM

  1. Make sure you have all the prerequisites in place before you start.
  2. In VMs and Services, click Create Virtual Machine to open the Create Virtual Machine Wizard.
  3. In Select Source, click Use an existing virtual machine, VM template, or virtual hard disk > Browse.
  4. Select a shielded VM template or a signed template disk. Both are identified by the shield icon.
  5. In Select Shielding Data File, click Browse and select a shielding data file. Only shielding data files that can be used to create a new shielded VM are shown. Click OK > Next to continue.
  6. Follow the remaining wizard steps to deploy the VM on a host or cloud.

When you complete the wizard, VMM creates a new shielded VM from the disk or template:

  1. The template disk (VHDX) file is copied from the VMM library.
  2. VM provisioning decrypts the data in the shielding data file, completes any substitution strings in the unattend.xml file, and copies additional files from the shielding data file to the operating system drive (for example, the RDP certificate).
  3. The VM restarts, is customized, and is re-encrypted with BitLocker. The BitLocker full volume encryption key is protected by the virtual TPM of the new VM.
  4. VM customization is complete when the shutdown command in the unattend.xml file runs; the VM remains switched off. If customization gets stuck, check the unattend.xml file by running it on an unshielded VM, or by using an encryption-supported shielding data file, which allows console access.
  5. After VMM detects that specialization has finished, it updates the status to indicate that the VM is created and, if selected, starts the VM.

Shield an existing VM

You can enable shielding for a VM that is currently running on a host in the VMM fabric that isn't guarded.

  1. Ensure you have all the prerequisites in place before you start.
  2. Take the VM offline.
  3. We recommend that you enable BitLocker on all disks attached to the VM before moving it to the guarded host.
  4. Select the VM > Properties > Shield, and select a shielding data file.
  5. Shut down the VM, export it from the non-guarded host, and import it on a guarded host. Only a guarded host can access the VM data.

Next steps

Review Manage virtual machine settings to learn how to configure performance and availability settings for VMs.