Shielded VMs for tenants - Creating shielding data to define a shielded VM

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

A shielding data file (also called a provisioning data file or PDK file) is an encrypted file that a tenant or VM owner creates to protect important VM configuration information, such as the administrator password, RDP and other identity-related certificates, domain-join credentials, and so on. This topic explains how to create a shielding data file. Before you can create the file, you must either obtain a template disk from your hosting service provider, or create a template disk as described in Shielded VMs for tenants - Creating a template disk (optional).

For a list and a diagram of the contents of a shielding data file, see What is shielding data and why is it necessary?

Important

The steps in this section should be completed on a separate, trusted machine outside of the guarded fabric. Typically, the VM owner (tenant) creates the shielding data for their VMs, not the fabric administrators.

To prepare to create a shielding data file, take the following steps:

Then you can create the shielding data file:

(Optional) Obtain a certificate for Remote Desktop Connection

Since tenants can only connect to their shielded VMs using Remote Desktop Connection or other remote management tools, it is important to ensure that tenants can verify they are connecting to the right endpoint (that is, that there is no "man in the middle" intercepting the connection).

One way to verify that you are connecting to the intended server is to install and configure a certificate for Remote Desktop Services to present when you initiate a connection. The client machine connecting to the server checks whether it trusts the certificate and shows a warning if it does not. Generally, to ensure the connecting client trusts the certificate, RDP certificates are issued from the tenant's PKI. More information about Using certificates in Remote Desktop Services can be found on TechNet.

To help you decide whether you need to obtain a custom RDP certificate, consider the following:

  • If you're just testing shielded VMs in a lab environment, you do not need a custom RDP certificate.
  • If your VM is configured to join an Active Directory domain, a computer certificate will typically be issued automatically by your organization's certificate authority and used to identify the computer during RDP connections. You do not need a custom RDP certificate.
  • If your VM is not domain joined but you want a way to verify that you're connecting to the correct machine when you use Remote Desktop, you should consider using custom RDP certificates.

Tip

When selecting an RDP certificate to include in your shielding data file, be sure to use a wildcard certificate. One shielding data file may be used to create an unlimited number of VMs. Since every VM shares the same certificate, a wildcard certificate ensures the certificate is valid regardless of the VM's hostname.

Create an answer file

Since the signed template disk in VMM is generalized, tenants are required to provide an answer file to specialize their shielded VMs during the provisioning process. The answer file (often called the unattend file) can configure the VM for its intended role; that is, it can install Windows features, register the RDP certificate created in the previous step, and perform other custom actions. It also supplies required information for Windows setup, including the default administrator's password and product key.

For information about obtaining and using the New-ShieldingDataAnswerFile function to generate an answer file (Unattend.xml file) for creating shielded VMs, see Generate an answer file by using the New-ShieldingDataAnswerFile function. Using the function, you can more easily generate an answer file that reflects choices such as the following:

  • Is the VM intended to be domain joined at the end of the initialization process?
  • Will you be using a volume license or a specific product key per VM?
  • Are you using DHCP or a static IP?
  • Will you use a custom Remote Desktop Protocol (RDP) certificate to prove that the VM belongs to your organization?
  • Do you want to run a script at the end of the initialization?

Answer files included in a shielding data file are used on every VM created from that shielding data file. Therefore, you should make sure that you do not hard-code any VM-specific information into the answer file. VMM supports some substitution strings (see the table below) in the unattend file to handle specialization values that may change from VM to VM. You are not required to use these; however, if they are present, VMM will take advantage of them.

When creating an unattend.xml file for shielded VMs, keep in mind the following restrictions:

  • If you're using VMM to manage your datacenter, the unattend file must result in the VM being turned off after it has been configured. This allows VMM to know when it should report to the tenant that the VM has finished provisioning and is ready for use. VMM automatically powers the VM back on once it detects that the VM was turned off during provisioning.

  • Be sure to enable RDP and the corresponding firewall rule so you can access the VM after it has been configured. You cannot use the VMM console to access shielded VMs, so you will need RDP to connect to your VM. If you prefer to manage your systems with Windows PowerShell remoting, ensure WinRM is enabled, too.

  • The only substitution strings supported in shielded VM unattend files are the following:

    Replaceable element    Substitution string
    ComputerName           @ComputerName@
    TimeZone               @TimeZone@
    ProductKey             @ProductKey@
    IPAddr4-1              @IP4Addr-1@
    IPAddr6-1              @IP6Addr-1@
    MACAddr-1              @MACAddr-1@
    Prefix-1-1             @Prefix-1-1@
    NextHop-1-1            @NextHop-1-1@
    Prefix-1-2             @Prefix-1-2@
    NextHop-1-2            @NextHop-1-2@

    If you have more than one NIC, you can add multiple substitution strings for the IP configuration by incrementing the first digit. For example, to set the IPv4 address, subnet, and gateway for 2 NICs, you would use the following substitution strings:

    Substitution string    Example substitution
    @IP4Addr-1@            192.168.1.10/24
    @MACAddr-1@            Ethernet
    @Prefix-1-1@           24
    @NextHop-1-1@          192.168.1.254
    @IP4Addr-2@            10.0.20.30/24
    @MACAddr-2@            Ethernet 2
    @Prefix-2-1@           24
    @NextHop-2-1@          10.0.20.1

When using substitution strings, it is important to ensure that the strings will be populated during the VM provisioning process. If a string such as @ProductKey@ is not supplied at deployment time, leaving the <ProductKey> node in the unattend file blank, the specialization process will fail and you will be unable to connect to your VM.
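Before packaging an unattend file, it is worth catching the failure modes just described. The following PowerShell check is an added example, not code from this page or from Microsoft; the function name, the sample unattend content and the @Gateway-1@ token are constructed for the demonstration.

```powershell
# Added example, not code from the original page: check an unattend.xml before
# it goes into a shielding data file. Tokens VMM substitutes (the listed strings
# and their per-NIC increments) pass; other @...@ tokens, a hard-coded
# ComputerName, an empty <ProductKey> and a missing shutdown step are reported.
function Test-ShieldingUnattend {
    param([Parameter(Mandatory)][string]$Path)

    $raw = Get-Content -Path $Path -Raw
    [xml]$doc = $raw
    $findings = New-Object System.Collections.Generic.List[string]

    # Supported substitution strings; the first digit is the NIC index
    $supported = @(
        '^@(ComputerName|TimeZone|ProductKey)@$'
        '^@(IP4Addr|IP6Addr|MACAddr)-\d+@$'
        '^@(Prefix|NextHop)-\d+-\d+@$'
    )
    foreach ($m in [regex]::Matches($raw, '@[A-Za-z0-9-]+@')) {
        $token = $m.Value
        if (-not ($supported | Where-Object { $token -match $_ })) {
            $findings.Add("Unsupported substitution string $token; VMM will not replace it")
        }
    }

    # Inspect ProductKey/ComputerName elements in any pass, ignoring the namespace
    foreach ($n in $doc.SelectNodes("//*[local-name()='ProductKey']")) {
        $v = $n.InnerText.Trim()
        if ($v -eq '') {
            $findings.Add('<ProductKey> is empty; specialization will fail')
        } elseif ($v -eq '@ProductKey@') {
            $findings.Add('@ProductKey@ must be supplied at deployment or specialization fails')
        }
    }
    foreach ($n in $doc.SelectNodes("//*[local-name()='ComputerName']")) {
        $v = $n.InnerText.Trim()
        if ($v -ne '@ComputerName@' -and $v -ne '*') {
            $findings.Add("ComputerName '$v' is hard-coded; every VM from this PDK would share it")
        }
    }

    # Heuristic: with VMM, the unattend must power the VM off when it finishes
    if ($raw -notmatch 'shutdown') {
        $findings.Add('No shutdown command found; VMM waits for the VM to turn off')
    }
    [pscustomobject]@{ Path = $Path; Findings = $findings.ToArray() }
}

# Constructed sample unattend.xml; @Gateway-1@ is deliberately not a supported token
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>@ComputerName@</ComputerName>
      <ProductKey>@ProductKey@</ProductKey>
      <TimeZone>@TimeZone@</TimeZone>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Path>cmd /c echo @IP4Addr-2@ @Gateway-1@ &gt; C:\temp\nic2.txt</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>2</Order>
          <Path>shutdown /s /t 0</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>
'@

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'sample-unattend.xml'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
(Test-ShieldingUnattend -Path $tmp).Findings
```

Run against the sample, the check reports the unsupported @Gateway-1@ token and reminds you that @ProductKey@ has to be filled in at deployment; a real unattend file with a literal computer name would be flagged as hard-coded.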

Also, note that the networking-related substitution strings towards the end of the table are only used if you are leveraging VMM Static IP Address Pools. Your hosting service provider should be able to tell you whether these substitution strings are required. For more information about static IP addresses in VMM templates, see the following in the VMM documentation:

Finally, it is important to note that the shielded VM deployment process only encrypts the OS drive. If you deploy a shielded VM with one or more data drives, it is strongly recommended that you add an unattend command or a Group Policy setting in the tenant domain to automatically encrypt the data drives.

Get the volume signature catalog file

Shielding data files also contain information about the template disks a tenant trusts. Tenants acquire the disk signatures from trusted template disks in the form of a volume signature catalog (VSC) file. These signatures are then validated when a new VM is deployed. If none of the signatures in the shielding data file match the template disk being deployed with the VM (that is, it was modified or swapped for a different, potentially malicious disk), the provisioning process fails.

Important

While the VSC ensures that a disk has not been tampered with, it is still important for the tenant to trust the disk in the first place. If you are the tenant and the template disk is provided by your hoster, deploy a test VM using that template disk and run your own tools (antivirus, vulnerability scanners, and so on) to validate that the disk is, in fact, in a state that you trust.

There are two ways to acquire the VSC of a template disk:

  1. The hoster (or the tenant, if the tenant has access to VMM) uses the VMM PowerShell cmdlets to save the VSC and gives it to the tenant. This can be performed on any machine with the VMM console installed and configured to manage the hosting fabric's VMM environment. The PowerShell cmdlets to save the VSC are:

    $disk = Get-SCVirtualHardDisk -Name "templateDisk.vhdx"
    $vsc = Get-SCVolumeSignatureCatalog -VirtualHardDisk $disk
    $vsc.WriteToFile(".\templateDisk.vsc")
    
  2. The tenant has access to the template disk file. This may be the case if the tenant creates a template disk to upload to a hosting service provider, or if the tenant can download the hoster's template disk. In this case, without VMM in the picture, the tenant runs the following cmdlet (installed with the Shielded VM Tools feature, part of Remote Server Administration Tools):

    Save-VolumeSignatureCatalog -TemplateDiskPath templateDisk.vhdx -VolumeSignatureCatalogPath templateDisk.vsc
    

Select trusted fabrics

The last component in the shielding data file relates to the owner and guardians of a VM. Guardians are used to designate both the owner of a shielded VM and the guarded fabrics on which it is authorized to run.

To authorize a hosting fabric to run a shielded VM, you must obtain the guardian metadata from the hosting service provider's Host Guardian Service. Often, the hosting service provider will provide you with this metadata through their management tools. In an enterprise scenario, you may have direct access to obtain the metadata yourself.

You or your hosting service provider can obtain the guardian metadata from HGS by performing one of the following actions:

  • Obtain the guardian metadata directly from HGS by running the following Windows PowerShell command, or by browsing to the website and saving the XML file that is displayed:

    Invoke-WebRequest 'http://hgs.bastion.local/KeyProtection/service/metadata/2014-07/metadata.xml' -OutFile .\RelecloudGuardian.xml
    
  • Obtain the guardian metadata from VMM using the VMM PowerShell cmdlets:

    $relecloudmetadata = Get-SCGuardianConfiguration
    $relecloudmetadata.InnerXml | Out-File .\RelecloudGuardian.xml -Encoding UTF8
    

Obtain the guardian metadata files for each guarded fabric you wish to authorize your shielded VMs to run on before continuing.

Create a shielding data file and add guardians using the Shielding Data File wizard

Run the Shielding Data File wizard to create a shielding data (PDK) file. Here, you'll add the RDP certificate, unattend file, volume signature catalogs, owner guardian and the downloaded guardian metadata obtained in the preceding step.

  1. Install Remote Server Administration Tools > Feature Administration Tools > Shielded VM Tools on your machine using Server Manager or the following Windows PowerShell command:

    Install-WindowsFeature RSAT-Shielded-VM-Tools
    
  2. Open the Shielding Data File Wizard from the Administrator Tools section on your Start menu or by running the following executable: C:\Windows\System32\ShieldingDataFileWizard.exe

  3. On the first page, use the second file selection box to choose a location and file name for your shielding data file. Normally, you would name a shielding data file after the entity that owns any VMs created with that shielding data (for example, HR, IT, Finance) and the workload role it is running (for example, file server, web server, or anything else configured by the unattend file). Leave the radio button set to Shielding data for Shielded templates.

    Note

    In the Shielding Data File Wizard you will notice the two options below:

    • Shielding data for Shielded templates
    • Shielding data for existing VMs and non-Shielded templates

    The first option is used when creating new shielded VMs from shielded templates. The second option allows you to create shielding data that can only be used when converting existing VMs or creating shielded VMs from non-shielded templates.

    [Screenshot: Shielding Data File Wizard, file selection]

    Additionally, you must choose whether VMs created using this shielding data file will be truly shielded or configured in "encryption supported" mode. For more information about these two options, see What are the types of virtual machines that a guarded fabric can run?

    Important

    Pay careful attention to the next step, as it defines the owner of your shielded VMs and which fabrics your shielded VMs will be authorized to run on.
    Possession of the owner guardian is required in order to later change an existing shielded VM from Shielded to Encryption Supported or vice versa.

  4. Your goal in this step is two-fold:

    • Create or select an owner guardian that represents you as the VM owner

    • Import the guardian that you downloaded from the hosting provider's (or your own) Host Guardian Service in the preceding step

    To designate an existing owner guardian, select the appropriate guardian from the drop-down menu. Only guardians installed on your local machine with their private keys intact show up in this list. You can also create your own owner guardian by selecting Manage Local Guardians in the lower right corner, clicking Create, and completing the wizard.

    Next, import the guardian metadata you downloaded earlier using the Owner and Guardians page. Select Manage Local Guardians from the lower right corner. Use the Import feature to import the guardian metadata file. Click OK once you have imported or added all of the necessary guardians. As a best practice, name guardians after the hosting service provider or enterprise datacenter they represent. Finally, select all the guardians that represent the datacenters in which your shielded VM is authorized to run. You do not need to select the owner guardian again. Click Next once finished.

    [Screenshot: Shielding Data File Wizard, owner and guardians]

  5. On the Volume ID Qualifiers page, click Add to authorize a signed template disk in your shielding data file. When you select a VSC in the dialog box, it shows you the disk's name, version, and the certificate that was used to sign it. Repeat this process for each template disk you wish to authorize.

  6. On the Specialization Values page, click Browse to select the unattend.xml file that will be used to specialize your VMs.

    Use the Add button at the bottom to add any additional files to the PDK that are needed during the specialization process. For example, if your unattend file installs an RDP certificate onto the VM (as described in Generate an answer file by using the New-ShieldingDataAnswerFile function), you should add the RDP certificate PFX file and the RDPCertificateConfig.ps1 script here. Note that any files you specify here are automatically copied to C:\temp\ on the VM that is created. Your unattend file should expect the files to be in that folder when referencing them by path.

  7. Review your selections on the next page, and then click Generate.

  8. Close the wizard after it has completed.

Create a shielding data file and add guardians using PowerShell

As an alternative to the Shielding Data File wizard, you can run New-ShieldingDataFile to create a shielding data file.

All shielding data files need to be configured with the correct owner and guardian certificates to authorize your shielded VMs to run on a guarded fabric. You can check whether you have any guardians installed locally by running Get-HgsGuardian. Owner guardians have private keys, while guardians for your datacenter typically do not.

If you need to create an owner guardian, run the following command:

New-HgsGuardian -Name "Owner" -GenerateCertificates

This command creates a pair of signing and encryption certificates in the local machine's certificate store under the "Shielded VM Local Certificates" folder. You will need the owner certificates and their corresponding private keys to unshield a virtual machine, so ensure these certificates are backed up and protected from theft. An attacker with access to the owner certificates can use them to start up your shielded virtual machine or change its security configuration.

If you need to import guardian information from a guarded fabric where you want to run your virtual machine (your primary datacenter, backup datacenters, etc.), run the following command for each metadata file retrieved from your guarded fabrics:

Import-HgsGuardian -Name 'EAST-US Datacenter' -Path '.\EastUSGuardian.xml'

Tip

If you used self-signed certificates or the certificates registered with HGS have expired, you may need to use the -AllowUntrustedRoot and/or -AllowExpired flags with the Import-HgsGuardian command to bypass the security checks.

You will also need to obtain a volume signature catalog for each template disk you want to use with this shielding data file, and a shielding data answer file to allow the operating system to complete its specialization tasks automatically. Lastly, decide whether you want your VM to be fully shielded or just vTPM-enabled. Use -Policy Shielded for a fully shielded VM or -Policy EncryptionSupported for a vTPM-enabled VM that allows basic console connections and PowerShell Direct.

Once everything is ready, run the following commands to create your shielding data file:

$viq = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\temp\marketing-ws2016.vsc' -VersionRule Equals
New-ShieldingDataFile -ShieldingDataFilePath "C:\temp\Marketing-LBI.pdk" -Policy EncryptionSupported -Owner 'Owner' -Guardian 'EAST-US Datacenter' -VolumeIDQualifier $viq -AnswerFile 'C:\temp\marketing-ws2016-answerfile.xml'

Tip

If you are using a custom RDP certificate, SSH keys, or other files that need to be included in your shielding data file, use the -OtherFile parameter to include them. You can provide a comma-separated list of file paths, like -OtherFile "C:\source\myRDPCert.pfx", "C:\source\RDPCertificateConfig.ps1".

In the above command, the guardian named "Owner" (obtained from Get-HgsGuardian) will be able to change the security configuration of the VM in the future, while 'EAST-US Datacenter' can run the VM but not change its settings. If you have more than one guardian, separate the names of the guardians with commas, like 'EAST-US Datacenter', 'EMEA Datacenter'. The volume ID qualifier specifies whether you trust only the exact version (Equals) of the template disk or future versions (GreaterThanOrEquals) as well. The disk name and signing certificate must match exactly for the version comparison to be considered at deployment time. You can trust more than one template disk by providing a comma-separated list of volume ID qualifiers to the -VolumeIDQualifier parameter. Finally, if you have other files that need to accompany the answer file with the VM, use the -OtherFile parameter and provide a comma-separated list of file paths.

See the cmdlet documentation for New-ShieldingDataFile and New-VolumeIDQualifier to learn about additional ways to configure your shielding data file.

Additional References