Create OS specialization answer file

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

In preparation to deploy shielded VMs, you may need to create an operating system specialization answer file. On Windows, this is commonly known as the "unattend.xml" file. The New-ShieldingDataAnswerFile Windows PowerShell function helps you do this. You can then use the answer file when you're creating shielded VMs from a template by using System Center Virtual Machine Manager (or any other fabric controller).

For general guidelines for unattend files for shielded VMs, see Create an answer file.

Downloading the New-ShieldingDataAnswerFile function

You can obtain the New-ShieldingDataAnswerFile function from the PowerShell Gallery. If your computer has Internet connectivity, you can install it from PowerShell with the following command:

Install-Module GuardedFabricTools -Repository PSGallery -MinimumVersion 1.0.0

The unattend.xml output can be packaged into the shielding data, along with additional artifacts, so that it can be used to create shielded VMs from templates.

The following sections show how you can use the function parameters for an unattend.xml file containing various options:

Basic Windows answer file

The following commands create a Windows answer file that simply sets the administrator account password and hostname. The VM network adapters will use DHCP to obtain IP addresses, and the VM will not be joined to an Active Directory domain. When prompted to enter an administrator credential, specify the desired username and password. Use "Administrator" for the username if you wish to configure the built-in Administrator account.

$adminCred = Get-Credential -Message "Local administrator account"

New-ShieldingDataAnswerFile -Path '.\ShieldedVMAnswerFile.xml' -AdminCredentials $adminCred

Windows answer file with domain join

The following commands create a Windows answer file that joins the shielded VM to an Active Directory domain. The VM network adapters will use DHCP to obtain IP addresses.

The first credential prompt will ask for the local administrator account information. Use "Administrator" for the username if you wish to configure the built-in Administrator account.

The second credential prompt will ask for credentials that have the right to join the machine to the Active Directory domain.

Be sure to change the value of the "-DomainName" parameter to the FQDN of your Active Directory domain.

$adminCred = Get-Credential -Message "Local administrator account"
$domainCred = Get-Credential -Message "Domain join credentials"

New-ShieldingDataAnswerFile -Path '.\ShieldedVMAnswerFile.xml' -AdminCredentials $adminCred -DomainName 'my.contoso.com' -DomainJoinCredentials $domainCred

Windows answer file with static IPv4 addresses

The following commands create a Windows answer file that uses static IP addresses provided at deployment time by the fabric manager, such as System Center Virtual Machine Manager.

Virtual Machine Manager provides three components to the static IP address by using an IP pool: IPv4 address, IPv6 address, gateway address, and DNS address. If you want any additional fields to be included or require a custom network configuration, you will need to manually edit the answer file produced by the script.

The following screenshots show the IP pools that you can configure in Virtual Machine Manager. These pools are necessary if you want to use static IP.

Currently, the function supports only one DNS server. Here is what your DNS settings would look like:

[Screenshot: configuring the DNS server in the static IP pool]

Here is what your summary for creating the static IP address pool would look like. In short, you must have only one network route, one gateway, and one DNS server, and you must specify your IP address.

[Screenshot: summary of the static IP pool creation]

You need to configure the network adapter for your virtual machine. The following screenshot shows where to set that configuration and how to switch it to static IP.

[Screenshot: configuring the hardware to use a static IP]

Then, you can use the -StaticIPPool parameter to include the static IP elements in the answer file. The parameters @IPAddr-1@, @NextHop-1-1@, and @DNSAddr-1-1@ in the answer file will then be replaced with the real values that you specified in Virtual Machine Manager at deployment time.

$adminCred = Get-Credential -Message "Local administrator account"

New-ShieldingDataAnswerFile -Path '.\ShieldedVMAnswerFile.xml' -AdminCredentials $adminCred -StaticIPPool IPv4Address
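The placeholder tokens above are only substituted if they survive into the generated file, and an answer file is a sensitive artifact once it is packaged into shielding data. The following PowerShell function is an added example (not part of this article or the GuardedFabricTools module) that inspects an answer file before it is packaged: it confirms the three VMM placeholders named above are present, lists the settings passes it contains, and flags any unattend password element marked as plain text. The file path is the one used in this article; the token list is taken from the paragraph above, and the XML namespace URN is the standard one for unattend.xml.

```powershell
# Added example; not from the original article or the GuardedFabricTools module.
# Post-check for an answer file generated with -StaticIPPool IPv4Address.

function Test-ShieldedVMAnswerFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Tokens that Virtual Machine Manager substitutes at deployment time (from the article).
        [string[]] $ExpectedTokens = @('@IPAddr-1@', '@NextHop-1-1@', '@DNSAddr-1-1@')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Answer file not found: $Path"
    }

    $raw = Get-Content -LiteralPath $Path -Raw
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Every static IP placeholder must be present in the file; a missing one
    #    means the deployed VM would come up without that network setting.
    foreach ($token in $ExpectedTokens) {
        if ($raw -notmatch [regex]::Escape($token)) {
            $problems.Add("missing placeholder $token")
        }
    }

    # 2. Parse the XML. In the unattend schema a password element carries
    #    <PlainText>true</PlainText> when its <Value> is stored unencoded;
    #    report those so the file is not packaged in that state.
    [xml] $doc = $raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $plain = $doc.SelectNodes('//u:PlainText[normalize-space(text())="true"]', $ns)
    foreach ($node in $plain) {
        $problems.Add("plain-text password under <$($node.ParentNode.LocalName)>")
    }

    # 3. List the settings passes so a reviewer can see at a glance which
    #    passes (for example specialize, oobeSystem) the file customizes.
    $passes = $doc.SelectNodes('//u:settings', $ns) | ForEach-Object { $_.GetAttribute('pass') }

    [pscustomobject]@{
        Path     = $Path
        Passes   = ($passes -join ', ')
        Problems = $problems.ToArray()
        IsValid  = ($problems.Count -eq 0)
    }
}

# Usage, against the file produced by the New-ShieldingDataAnswerFile command above:
Test-ShieldedVMAnswerFile -Path '.\ShieldedVMAnswerFile.xml' | Format-List
```

Run it after New-ShieldingDataAnswerFile and before the file goes into the shielding data; a result with IsValid set to false tells you which token or password element to look at, and the Passes field shows whether the specialize pass that Virtual Machine Manager fills in is actually there.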

Windows answer file with a custom locale

The following commands create a Windows answer file with a custom locale.

When prompted to enter an administrator credential, specify the desired username and password. Use "Administrator" for the username if you wish to configure the built-in Administrator account.

$adminCred = Get-Credential -Message "Local administrator account"

New-ShieldingDataAnswerFile -Path '.\ShieldedVMAnswerFile.xml' -AdminCredentials $adminCred -Locale es-ES

Basic Linux answer file

Starting with Windows Server version 1709, you can run certain Linux guest OSes in shielded VMs. If you are using the System Center Virtual Machine Manager Linux agent to specialize those VMs, the New-ShieldingDataAnswerFile cmdlet can create compatible answer files for it.

In a Linux answer file, you will typically include the root password, root SSH key, and optionally static IP pool information. Replace the path to the public half of your SSH key before running the script below.

$rootPassword = Read-Host -Prompt "Root password" -AsSecureString

New-ShieldingDataAnswerFile -Path '.\ShieldedVMAnswerFile.xml' -RootPassword $rootPassword -RootSshKey '~\.ssh\id_rsa.pub'
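The -RootSshKey argument must point at the public half of the key; handing it the private half would bake that private key into the shielding data. The following PowerShell function is an added example (not part of this article or the GuardedFabricTools module) that checks the file before the answer file is built: it rejects anything carrying a PRIVATE KEY header, requires a single OpenSSH public key line with a recognised key type and a well-formed base64 blob, and returns the key type and comment so you can confirm the right key was chosen. The key path is the one used in this article and is an assumption.

```powershell
# Added example; not from the original article or the GuardedFabricTools module.
# Pre-flight check for the file passed to -RootSshKey.

function Test-RootSshPublicKey {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "SSH key file not found: $Path"
    }
    $content = Get-Content -LiteralPath $Path -Raw

    # A private key (OpenSSH or PEM format) announces itself with this header; stop here.
    if ($content -match 'PRIVATE KEY') {
        throw "$Path looks like a private key; pass the .pub file instead"
    }

    # An OpenSSH public key is a single line: "<type> <base64-blob> [comment]".
    $lines = @($content -split "`r?`n" | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -ne 1) {
        throw "$Path should contain exactly one public key line (found $($lines.Count))"
    }
    $parts = $lines[0].Trim() -split '\s+', 3
    $validTypes = @('ssh-rsa', 'ssh-ed25519',
                    'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521')
    if ($parts.Count -lt 2 -or $validTypes -notcontains $parts[0]) {
        throw "$Path does not start with a recognised OpenSSH key type"
    }

    # The blob must decode as base64; a truncated copy-paste fails here.
    try { $blob = [Convert]::FromBase64String($parts[1]) }
    catch { throw "$Path key blob is not valid base64" }

    $comment = ''
    if ($parts.Count -eq 3) { $comment = $parts[2] }

    [pscustomobject]@{
        Path    = $Path
        Type    = $parts[0]
        Bytes   = $blob.Length
        Comment = $comment
    }
}

# Usage: validate first, then build the Linux answer file with the same path.
$keyPath = '~\.ssh\id_rsa.pub'   # assumed location, as in the article
$key = Test-RootSshPublicKey -Path $keyPath
"Using $($key.Type) key ($($key.Comment))"
$rootPassword = Read-Host -Prompt "Root password" -AsSecureString
New-ShieldingDataAnswerFile -Path '.\ShieldedVMAnswerFile.xml' -RootPassword $rootPassword -RootSshKey $keyPath
```

Because the function throws on a private key or a malformed file, the New-ShieldingDataAnswerFile call never runs with a bad key; the printed type and comment let you spot a wrong key (for example a personal key instead of the intended deployment key) before it is embedded.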

Additional References