Shielded VM and Guarded Fabric

Technical Preview 4 Step-by-Step Guide:
Deploy Shielded VMs Using TPM-trusted
Attestation
Microsoft Corporation
Published: 19 November 2015
Updated: 12 January 2016
Feedback and Support: Please email us at ShieldedVMFeedback@microsoft.com if you are evaluating shielded
VMs; we would like to work with you to gather feedback.
Note: This content is pre-release documentation and is subject to change in future releases.
Abstract
Windows Server 2016 introduces the concept of Guarded Fabrics, which enable hosting service providers and private
cloud operators to offer their tenants a hosting environment that protects tenant virtual machines and their data
from compromised storage, network attacks, rogue host administrators, and malware running on the host. Shielded
VMs running on a Guarded Fabric allow tenants to safely virtualize security-sensitive workloads such as Active
Directory Domain Controllers without exposing those workloads to the hosting infrastructure.
This deployment guide covers the end-to-end installation and configuration of a Guarded Fabric for both hosters and
tenant administrators using TPM-trusted (hardware) attestation with Windows Server 2016 Technical Preview 4 and
System Center Virtual Machine Manager 2016 Technical Preview 4.
Copyright Information
©2016 Microsoft Corporation. All rights reserved. This document is provided "as-is."
Information and views expressed in this document, including URL and other Internet Web
site references, may change without notice. You bear the risk of using it. Some examples are
for illustration only and are fictitious. No real association is intended or inferred. Some
information relates to pre-released product which may be substantially modified before it’s
commercially released. Microsoft makes no warranties, express or implied, with respect to
the information provided here.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference
purposes.
Table of publishing updates

Version  Date        Type of publishing
V1       11/18/2015  First publication – Windows Server 2016 Technical Preview 4 (Build #10586)
V2       12/02/2015  Update – Corrected key protector cmdlet in Section 7: Scenario #1: Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host; minor edits
V3       12/21/2015  Update – Fixed step in 6.3.1 to include missing -Name parameter; Added details to Section 5: Known Issues and Limitations and Section 8.2.1 regarding Windows Server 2012 and Windows Server 2012 R2 template disk support; Minor edits
V4       1/12/2016   Updated VMM substitution strings in Section 8.3.2 and Section 10
Technical Preview 4 Guide
Microsoft Windows Server
© 2015 Microsoft Corporation. All rights reserved.
2
Contents
Table of publishing updates ..... 2
1 Summary ..... 6
2 Solution goals ..... 6
3 Scenario Validation - Overview ..... 8
4 Pre-requisites for shielded VM scenario validation ..... 11
4.1 For the Host Guardian Service (HGS) infrastructure: ..... 11
4.2 For hosting provider/enterprise fabric infrastructure ..... 11
4.3 For tenants ..... 12
4.1 Named resources in this guide ..... 12
4.1.1 Domains ..... 12
4.1.2 Computers ..... 12
5 Known Issues and Limitations in Technical Preview 4 ..... 14
6 Setting up the hosting environment ..... 15
6.1 Configure the first HGS node ..... 15
6.1.1 Add the HGS Role ..... 15
6.1.2 Install the Host Guardian Service ..... 15
6.1.3 Create self-signed certificates for HGS ..... 16
6.1.4 Initialize the HGS server for TPM-trusted attestation ..... 17
6.2 Configure the fabric DNS ..... 18
6.3 Configure HGS attestation policies ..... 18
6.3.1 Registering Guarded Hosts in TPM-trusted attestation mode ..... 18
6.4 Verify HGS is configured properly ..... 20
6.5 Configure secondary HGS nodes ..... 20
6.6 Confirm hosts can attest successfully ..... 21
6.7 Configure optional components ..... 21
7 Scenario #1 – Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host ..... 23
7.1 Import the guardian configuration on the tenant Hyper-V server ..... 23
7.2 Create a new VM on tenant Hyper-V ..... 23
8 Scenario #2 – Create a new shielded VM from a VM template using SC VMM ..... 26
8.1 Configure Host Guardian Service Settings in Virtual Machine Manager ..... 26
8.1.1 Configure the Host Guardian Service settings ..... 27
8.1.2 Configure a specific guarded host’s settings ..... 27
8.2 Hosting Service Provider Creates a Signed Disk Template ..... 30
8.2.1 Create Generation 2 Disk Template ..... 30
8.2.2 Run Windows Update on the template operating system ..... 30
8.2.3 Signing a Template Disk ..... 30
8.2.4 Copy and publish the disk template to the VMM Library ..... 31
8.2.5 Create the shielded VM template in VMM using the signed disk ..... 32
8.3 Tenant creates shielding data to define a shielded VM ..... 32
8.3.1 Create an RDP certificate ..... 33
8.3.2 Create an Unattend File ..... 33
8.3.3 Get the volume signature catalog file ..... 34
8.3.4 Get the Host Guardian Service metadata and import it using cmdlets ..... 34
8.3.5 Create a shielding data file for shielded templates ..... 35
8.4 Create a shielded VM using VMM ..... 36
9 Scenario #3 – Deploy a shielded VM using Windows Azure Pack (new in Windows Server 2016 Technical Preview 4) ..... 37
9.1 Configure Service Provider Foundation and Windows Azure Pack to expose shielded VM plans to tenants ..... 38
9.1.1 Configure the Service Provider Foundation ..... 38
9.1.2 Install Windows Azure Pack ..... 38
9.1.3 Configure Windows Azure Pack ..... 38
9.1.4 Create a shielded VM Plan in Windows Azure Pack ..... 39
9.2 Tenants create Shielding Data for the VM ..... 41
9.2.1 Get a Windows Azure Pack subscription ..... 41
9.2.2 Download the Volume Signature Catalog and guardian key from the tenant portal ..... 41
9.2.3 Create the Shielding Data File ..... 41
9.2.4 Upload Shielding Data in the Windows Azure Pack portal ..... 41
9.3 Create a shielded VM in Windows Azure Pack ..... 42
9.3.1 Quick Create a shielded VM in Windows Azure Pack ..... 42
9.3.2 Create a shielded VM in Windows Azure Pack from the Gallery using a shielded template ..... 42
9.3.3 Create a shielded VM in Windows Azure Pack from the gallery using a regular template ..... 43
9.4 Convert an existing Generation 2 VM to a shielded VM in Windows Azure Pack ..... 43
Appendix A – Import a VMM 2016 VHD in your fabric ..... 45
Building a VM to run Virtual Machine Manager ..... 45
Configure the Virtual Machine Manager image ..... 45
Configure SQL Server for Virtual Machine Manager ..... 45
Configure Virtual Machine Manager ..... 46
Add a Hyper-V host to Virtual Machine Manager ..... 46
Appendix B – Enable HTTPS communication on the HGS server ..... 47
Initialize HGS server with HTTPS Certificate ..... 47
Configure VMM with HTTPS HGS endpoints ..... 47
Ensure guarded hosts trust the HTTPS certificate ..... 48
10 Sample unattend.xml file ..... 48
1 Summary
This document provides installation and configuration guidance for Windows Server 2016 Technical
Preview 4 (build #10586) and System Center VMM 2016 for using Guarded Fabric hosts and
shielded VMs to enhance the security of physical hosts and guest VMs. This guide focuses specifically
on deployment scenarios that use TPM-trusted (hardware) attestation. For the shielded VM
deployment scenario that uses admin-trusted attestation, see the deployment guide titled Windows
Server 2016 Technical Preview 4 Step-by-Step Guide: Deploy Shielded VMs Using Administrator-trusted Attestation.
The goal of the Guarded Fabric solution is to help provide hosting service providers and private cloud
operators the ability to offer their tenant administrators a hosted environment where protection for
tenant virtual machine data is strengthened against threats from compromised storage, networks,
host administrators, and malware. The focus of this preliminary release of Guarded Fabric and the
deployment guide is to test a deployment of Guarded Fabric that can run shielded Virtual Machines
(shielded VMs), which are encrypted. Guarded Fabric is intended to be used as part of your overall
server security strategy.
The primary users of this guide are hosting service providers or enterprise datacenter
administrators. Using the information from this guide in your own infrastructure, you will test-deploy
guarded hosts in a fabric and run shielded VMs on these hosts using TPM-trusted (hardware) attestation.
2 Solution goals
As a cloud service provider or enterprise private cloud administrator, you can provide a secure
“TPM-trusted” (or alternatively, an “admin-trusted”) environment for tenant VMs where:
1. You are assured that you can provide a secure hardware trusted environment for tenant
VMs where the VM data is protected from malicious host administrators and malware.
2. You are assured that Windows Server has built-in breach hardening capabilities spanning
secure and measured boot, code integrity, and protection of high-value operating
system secrets and operations from malicious code on the Hyper-V host.
From the scenario validation point of view:
1. You can build an infrastructure for guarded hosts and “shielded VMs.”
2. Tenants can create new or use existing VMs and be able to convert them to shielded VMs.
3. Hosts can build a cloud service and offer shielded VM functionality using the Windows Azure
Pack Portal.
4. Tenants can use Windows Azure Pack to create and manage shielded VMs in Windows Azure
Pack.
5. Tenants can export VMs and grant permission to either a cloud service provider or an
enterprise cloud operator to be guardian, and are assured of security and data-at-rest
encryption.
6. Tenants can create new VMs from a VMM template and be assured that the base images
used for template creation are trusted and have not been tampered with.
7. During VM creation from a VMM template, tenants can provide input for computer names
and administrator passwords in secure manner without exposing sensitive information to
fabric administrators.
8. Cloud service providers and enterprise administrators can use Live Migrate or Live (VSM)
virtual machines between guarded hosts in the same way as they did prior to deploying the
Guarded Fabric solution.
9. Cloud service providers and enterprise administrators can back up, checkpoint and restore
shielded VMs by usual methods.
3 Scenario Validation - Overview
To help you understand the test environment that we’re going to build out here, let’s look at the
scenario behind the lab deployment.
The cloud service provider or enterprise private cloud operator is represented by Fabrikam, Inc. They
have the following infrastructure:
1. Fabrikam.com has a domain controller, DHCP server, DNS server, Hyper-V hosts, VMM 2016,
and other supporting infrastructure services.
2. Relecloud.com is the Active Directory domain for the Host Guardian Service (HGS)
infrastructure. HGS uses its own dedicated Active Directory forest, and access to this isolated
environment is very restrictive and granted to only very few trusted administrators. It is
important to note that the Fabrikam.com administrators (in the fabric infrastructure) do not
have any access to the HGS infrastructure. This creates a trust boundary between the fabric
infrastructure and the HGS environment.
The logical representation of the deployment topology for Technical Preview 4 (build #10586) is as
follows:
[Figure: deployment topology. Host Guardian Service (relecloud.com): 3-node HGS cluster providing the Key Protection Service and the Attestation Service. Hoster Active Directory (fabrikam.com): Virtual Machine Manager 2016, reached through its REST API, managing WS 2016 Hyper-V hosts that run shielded and regular VMs. Tenant: self-service management via Windows Azure Pack or the VMM Console, plus a WS 2016 Hyper-V host if preparing VMs on the tenant's own fabric first.]
If you are planning for tenants to use VMM (see Scenario #2) and/or Windows
Azure Pack (see Scenario #3) to create and manage shielded VMs, you are not
required to provide a physical server for the tenant’s use; it can be a VM that is
running Windows 10 client or Windows Server 2016 Technical Preview 4.
In the context of this document, tenants are defined as the owners of the VM. Tenants could be
third-party customers who want to host VMs with a cloud service provider, or enterprise users who
want to leverage shielded VMs for their enterprise workloads (first-party workloads). Tenants will
interact with hosting service providers or private cloud operators in the following ways:
1. Tenants will create new VMs or use existing VMs (Generation 2) and enable the shielded VM
feature on-premises (in the case of a host/tenant model) or on a secure trusted host (in the
case of enterprise private cloud model). The owner of the VMs (the tenants) will grant
permission to run this VM in designated fabric (“guardian”) infrastructure. Tenants will
export the VM and provide it to the host/fabric administrator, who can then run this VM
only on designated trusted hosts in their environment. Exported VMs are encrypted and
offer data-at-rest encryption, and only designated guardian hosts have the ability to decrypt
and start the VM.
2. Tenants can create a new VM (Generation 2) directly in the host/private cloud environment
from “gold images” provided and signed by the host/private cloud operators. This
guarantees tenants that the VHDX file comes from a trusted source and was not modified by
rogue users or malware in the process. Tenants provide information such as the computer
name, administrator passwords, product key, etc., in an encrypted package at the time of
VM creation. Tenants are fully ensured that this sensitive information and the VM are safe
and “shielded” from fabric administrators at all times.
3. Hosts/service providers can enable shielded VM capabilities in their cloud and make them
available using the Windows Azure Pack portal for their tenants. Tenants can use the web
portal to create and manage shielded VMs in the following manner:
a. Tenants can create new shielded VMs from a shielded template
b. Tenants can create a new VM from the standard VM template and shield the VM
immediately after provisioning it
c. Tenants can convert any existing Generation 2 VM to a shielded VM using the
Windows Azure Pack portal.
The following table summarizes important terminology used throughout the rest of this document.

Guarded Fabric: A public or private cloud that has the ability to manage and run shielded VMs.
hosting service provider: A service provider that offers shared or dedicated space on servers for websites, in data centers, etc.
tenant administrator: A user role that allows the user to create and manage self-service users and VM networks, specify which tasks the self-service users can perform on their virtual machines and services, and place quotas on computing resources and virtual machines.
shielded virtual machine (shielded VM): An encrypted virtual machine that can only run on guarded hosts.
guarded host: A host in the fabric on which shielded VMs can run. Guarded hosts must be identified prior to being trusted, and must be configured appropriately in order to pass attestation.
Host Guardian Service: A Windows Server Technical Preview role that you install on a secured physical computer to implement the hardened fabric. The Host Guardian Service (HGS) provides attestation and key distribution services so that guarded hosts can run shielded VMs. The trusted administrator manages the Host Guardian Service.
Host Guardian Service remote attestation: Also referred to as attestation. The process of the Host Guardian Service verifying that a host is part of the fabric (a guarded host) and the state of its configuration.
Host Guardian Service key distribution: The operation of delivering a key to a guarded host so that it can unlock and run shielded VMs.
trusted administrator: An administrator in the public or private cloud that has the authority to manage the policies and cryptographic material for determining on which hosts a shielded VM can run.
fabric administrator: A public or private cloud administrator that can manage virtual machines. A fabric administrator does not have access to shielded VMs, or the policies that determine on which hosts a shielded VM can run.
fabric controller: The management role within the fabric that provides fabric administration tools and utilities to manage and run virtual machines (both shielded and normal). An example of a fabric controller is System Center Virtual Machine Manager.
virtual TPM: In Windows Server Technical Preview Hyper-V, you can enable a virtual TPM 2.0 device for guest VMs. This gives you the ability to encrypt the VM.
virtual secure mode: A Hyper-V based processing and storage environment on Windows Server Technical Preview that is protected from administrators. You can use Virtual Secure Mode to store operating system keys that are not visible to an operating system administrator.
4 Pre-requisites for shielded VM scenario validation
The following pre-requisites are assumed in the environment.
4.1 For the Host Guardian Service (HGS) infrastructure:
The Host Guardian Service running Windows Server Technical Preview Standard or Datacenter
edition Technical Preview 4 (build #10586). This can be either physical or virtual; however physical is
recommended. The HGS service must run in its own Active Directory domain and must be isolated
from the current fabric AD infrastructure.
HGS can validate the status of the Hyper-V hosts in hardware-based attestation mode. To use this mode,
you need name resolution between the fabric domain and the HGS domain. In this mode, the Hyper-V
physical host that will run a shielded VM must have TPM 2.0 and UEFI 2.3.1 with secure boot
enabled. You should plan for network/firewall connectivity between HGS and the fabric domain
accordingly.
4.2 For hosting provider/enterprise fabric infrastructure
[Figure: the required software stack, bottom to top: Windows Server 2016 TP4; VMM 2016 TP4; Service Provider Foundation 2016 TP4; Windows Azure Pack UR 7.1+.]
Please note: You must have the Windows Server 2016 Technical Preview 4 and System Center
2016 Technical Preview 4 stack (i.e. VMM 2016 Technical Preview 4 + Service Provider
Foundation 2016 Technical Preview 4) for shielded VM support in Windows Azure Pack
UR7.1+.¹ You can install all components on the same server for evaluation purposes.
1. A fabric controller: VMM 2016 Technical Preview 4 build (either physical or virtual). A VMM
2016 VHD is available as a download on the TechNet Evaluation Center site. Please see
Appendix A for instructions on importing this VHD into your environment.
2. Configure Virtual Machine Manager (VMM) with the following:
a. Host group for guarded hosts
b. Private cloud from the host group
c. Tenant administrator user role with the tenant as a member
d. Physical hosts running Windows Server Technical Preview 4 (build #10586).
3. Install Service Provider Foundation 2016 Technical Preview 4 on the VMM server and the latest
version of Windows Azure Pack.
¹ Service Provider Foundation 2012 R2 and VMM 2016 Technical Preview 4 will not work for a shielded VM.
4. At least one physical host running Windows Server Technical Preview Datacenter or
Enterprise edition Technical Preview 4 (build #10586), which becomes guarded and will host
shielded VMs. Two hosts are needed to test the Hyper-V live migration for shielded VM.
a. For TPM-trusted attestation, you need a physical host with TPM 2.0 and UEFI 2.3.1
with secure boot enabled.
4.3 For tenants
To create virtual machines for use in the Guarded Fabric, you will need the following configuration in
your environment.
For Scenario #1
1. A physical server running Windows Server Technical Preview 4 (build #10586) with the
following roles and features installed:
a. Role
i. Hyper-V
b. Features
i. Remote Server Administration Tools\Shielded VM Tools
For Scenarios #2 & #3
You can have a physical or virtual machine running Windows 10 client or Windows Server 2016
Technical Preview 4.
If you are using Windows Server 2016 Technical Preview 4, you need to add Feature\Remote Server
Administration Tools\Shielded VM Tools in Server Manager.
OR
If you are using the Windows 10 client operating system, you can download the Remote Server
Administration Tools for Windows Server 2016. This will install the Shielding Data File Wizard to
create the PDK file on the client machine.
4.1 Named resources in this guide
The following table describes all the named resources used in descriptions and commands
throughout this guide. When running commands, you should replace these names with the correct
ones for your own environment.
4.1.1 Domains
relecloud.com is the Host Guardian Service domain set up during HGS installation.
fabrikam.com is the fabric domain, to which the hosts and management tools are joined.
4.1.2 Computers
The columns are FQDN, IP Address, Purpose, and Initial Configuration.

hgs01.relecloud.com, 10.0.0.100: First HGS node. Initial configuration: Windows Server 2016 TP4.
hgs02.relecloud.com, 10.0.0.101: Second HGS node. Initial configuration: Windows Server 2016 TP4.
hgs03.relecloud.com, 10.0.0.102: Third HGS node. Initial configuration: Windows Server 2016 TP4.
dc.fabrikam.com, 10.0.0.1: Fabric Domain Controller. Initial configuration: Windows Server 2016 TP4; AD DC (configured); DNS (configured); DHCP (configured).
vmm.fabrikam.com, 10.0.0.2: Virtual Machine Manager server. Initial configuration: Windows Server 2016 TP4; SCVMM 2016 TP4.
spf.fabrikam.com, 10.0.0.3: Service Provider Foundation server. Initial configuration: Windows Server 2016 TP4; SCSPF 2016 TP4.
wap.fabrikam.com, 10.0.0.4: Windows Azure Pack server. Initial configuration: Windows Server 2016 TP4; WAP UR 8.1+.
host01.fabrikam.com, 10.0.0.5: Guarded host (ready for hardware attestation). Initial configuration: TPM 2.0 module; UEFI 2.3.1 with Secure Boot; Windows Server 2016 TP4.
5 Known Issues and Limitations in Technical Preview 4
1. An in-place upgrade from any previous release to the Technical Preview 4 release of
Windows Server 2016 is not supported.
2. Host Guardian Service and Hyper-V hosts must be running Windows Server 2016 Technical
Preview 4.
3. The Host Guardian Service role on Server Core is not supported in Technical Preview 4.
4. You cannot convert the HGS attestation mode from TPM-trusted to admin-trusted or vice
versa. You must uninstall the HGS server (on all nodes in the case where HGS is clustered for
high availability), and then install it with the correct attestation mode.
5. You cannot change the HGS cluster name, “HgsCluster50E07”, for the Host Guardian
Service Cluster.
6. Hosts in a Guarded Fabric using TPM-trusted attestation will fail attestation if they are
configured to boot from the network (PXE boot). PXE boot should be disabled on these hosts
for Technical Preview 4.
7. To use Windows Server 2012 or Windows Server 2012 R2 as the guest OS in your template
disks for the VMM and WAP scenarios, you must first install update KB3116908 before
running the Template Disk Creation wizard to create your template disk. (You do not need
this update if you are using Windows Server 2016 Technical Preview 4 as the guest OS in
your template disks for these scenarios.)
8. In rare cases, when a non-administrator deploys a shielded VM to a cloud in VMM or WAP
where that cloud consists of both guarded and unguarded hosts, the shielded VM may be
placed on an unguarded host and be unable to start. To resolve this, migrate the VM to a
guarded host, and then start the VM.
6 Setting up the hosting environment
In order to offer shielded VMs to your tenants, you first need to set up a Guarded Fabric. A Guarded
Fabric consists of “Guarded Hosts” (Hyper-V hosts that can run shielded VMs) and a cluster of Host
Guardian Service nodes that authorize these hosts to start up shielded VMs. To accomplish this, this
guide will show you how to set up the HGS nodes, configure the fabric DNS and domain (if
necessary), and set up the Hyper-V hosts to become Guarded Hosts. At the end of this section, you
will be ready to run shielded VMs in your datacenter.
In order to complete this section, you will need the following resources:
• 1–3 physical servers for the Host Guardian Service cluster, running Windows Server 2016
Technical Preview 4
Note: We recommend three or more nodes in this cluster, but one node is sufficient for a
proof of concept.
• At least one Hyper-V host running Windows Server 2016 Technical Preview 4 that will
become a Guarded Host
• Fabric domain credentials to configure DNS
This guide assumes you are setting up your HGS environment using TPM-trusted (hardware)
attestation. TPM-trusted attestation requires modern security chips on each Guarded Host (see
Section 4 for specific requirements), but offers the highest security assurances to your tenants.
Your Guarded Fabric cannot contain a mix of hardware- and admin-trusted attestation, so it is
important to decide which mode is best for your environment before setting up HGS. To review the
requirements for admin-trusted attestation, see the admin-trusted version of the deployment guide
here: Windows Server 2016 Technical Preview 4 Step-by-Step Guide: Deploy Shielded VMs Using
Administrator-trusted Attestation. It is possible to migrate from one mode to another; however,
such a migration will require all guarded hosts to be compatible with the new attestation mode. For
more information about changing the attestation mode of your HGS environment, see the Windows
Server 2016 Technical Preview 4 Shielded VMs and Guarded Fabric Operations Guide.
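Before registering a host, it is worth confirming that it actually meets the TPM-trusted attestation requirements from Section 4 (TPM 2.0, UEFI with Secure Boot enabled, Hyper-V role, build 10586). The following script is an added example and is not part of the Microsoft guide; it assumes the standard TrustedPlatformModule, SecureBoot and ServerManager cmdlets are available on the host, and the function name Test-GuardedHostPrereqs is our own.

```powershell
# Added example, not from the guide: report whether this Hyper-V host meets
# the Section 4 prerequisites for TPM-trusted attestation. Run in an elevated
# PowerShell window on the candidate host. Read-only; it changes nothing.

function Test-GuardedHostPrereqs {
    $results = @()

    # OS build: this guide targets build 10586 (Technical Preview 4).
    $build = [System.Environment]::OSVersion.Version.Build
    $results += [pscustomobject]@{
        Check  = 'OS build 10586 (TP4)'
        Passed = ($build -eq 10586)
        Detail = "Build $build"
    }

    # Firmware type: hardware attestation requires UEFI, not legacy BIOS.
    $results += [pscustomobject]@{
        Check  = 'UEFI firmware'
        Passed = ($env:firmware_type -eq 'UEFI')
        Detail = "firmware_type=$($env:firmware_type)"
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    # so treat an exception as "not enabled".
    $secureBoot = $false
    $sbDetail = 'Confirm-SecureBootUEFI not supported on this platform'
    try {
        $secureBoot = Confirm-SecureBootUEFI
        $sbDetail = "SecureBoot=$secureBoot"
    } catch { }
    $results += [pscustomobject]@{
        Check  = 'Secure Boot enabled'
        Passed = [bool]$secureBoot
        Detail = $sbDetail
    }

    # TPM presence and readiness from Get-Tpm, spec version from the
    # Win32_Tpm WMI class (SpecVersion looks like "2.0, 0, 1.16").
    $tpm = Get-Tpm
    $specVersion = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                    -ClassName Win32_Tpm).SpecVersion
    $isTpm2 = ($specVersion -match '^2\.0')
    $results += [pscustomobject]@{
        Check  = 'TPM 2.0 present and ready'
        Passed = ($tpm.TpmPresent -and $tpm.TpmReady -and $isTpm2)
        Detail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) SpecVersion=$specVersion"
    }

    # The Hyper-V role must be installed before the host can become guarded.
    $hv = Get-WindowsFeature -Name Hyper-V
    $results += [pscustomobject]@{
        Check  = 'Hyper-V role installed'
        Passed = [bool]$hv.Installed
        Detail = "InstallState=$($hv.InstallState)"
    }

    return $results
}

$report = Test-GuardedHostPrereqs
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'Host does not meet all TPM-trusted attestation prerequisites; see Section 4.'
}
```

Note that PXE boot (Known Issue 6) is a firmware setting and cannot be verified from inside the OS; check it in the UEFI setup of each host.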
6.1 Configure the first HGS node
The following steps will guide you through setting up your first HGS node, and should be performed
on a physical server with Windows Server 2016 Technical Preview 4 installed.
6.1.1 Add the HGS Role
Add the Host Guardian Service role to the machine in Server Manager or by running the following
cmdlet in an elevated PowerShell window:
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
6.1.2 Install the Host Guardian Service
After the HGS role is added to the machine, the next step is to run the Install-HgsServer cmdlet,
which will set up the Active Directory forest backing HGS and configure other dependencies. Please
note that you cannot use an existing domain with the Host Guardian Service.
In line with the named resources used in this guide, the HGS domain used in the following examples
will be “relecloud.com”.
1. In an elevated PowerShell window, run the following cmdlets to install the Host Guardian
Service and configure its domain.
$adminPassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
Install-HgsServer -HgsDomainName 'relecloud.com' -SafeModeAdministratorPassword $adminPassword -Restart
Note: The -SafeModeAdministratorPassword argument specifies the Directory Services Restore Mode (DSRM) password for the Host Guardian Service’s Active Directory Domain Controller.
2. Restart the server, and then log in as the domain administrator using the same password
you previously used as the local administrator.
6.1.3 Create self-signed certificates for HGS
The Host Guardian Service needs to be configured with two certificates for encryption and signing. If
you have an existing Public Key Infrastructure, use that to issue trusted certificates, and then skip to
section 6.1.4. Otherwise, follow these steps to create self-signed certificates for your HGS servers.
Warning: Creating self-signed certificates is not recommended outside of test
deployment environments. If you are deploying this solution in a production
environment, you should use certificates that are issued by a trusted authority.
1. Open an elevated PowerShell window, and then run the following cmdlet to specify the
password to use when exporting the self-signed certificate:
$certificatePassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
2. Create and export the signing certificate:
$signingCert = New-SelfSignedCertificate -DnsName "signing.$env:userdnsdomain" -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $signingCert -Password $certificatePassword -FilePath 'C:\signingCert.pfx'
3. Create and export the encryption certificate:
$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.$env:userdnsdomain" -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $encryptionCert -Password $certificatePassword -FilePath 'C:\encryptionCert.pfx'
6.1.4 Initialize the HGS server for TPM-trusted attestation
The following cmdlets will finish the configuration of the first HGS node using TPM-trusted
attestation. All Guarded Hosts in your fabric must have UEFI 2.3.1, boot in UEFI mode (not BIOS or
“legacy” mode), and have a TPM 2.0 module.
1. Open an elevated PowerShell window and run the following cmdlet to initialize the HGS
server in TPM-trusted mode with the encryption and signing certificates created previously.
$HgsServiceName = 'TpmHgs'
$certificatePassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
Initialize-HgsServer -HgsServiceName $HgsServiceName -SigningCertificatePath 'C:\signingCert.pfx' -SigningCertificatePassword $certificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' -EncryptionCertificatePassword $certificatePassword -TrustTpm -Force
Note: If you want to configure HGS to communicate with clients securely over
HTTPS, see Appendix A for the additional parameters needed when running this
cmdlet.
2. When Initialize-HgsServer has finished running, a warning displays with the following
message: “There were issues while creating the clustered role that may prevent it from
starting. For more information, view the report file below.”
When you view the report file, the following warning message is displayed: “An appropriate
disk was not found for configuring disk witness. The cluster is not configured with quorum
witness. As a best practice, configure a quorum witness to help achieve the high availability
of the cluster.”
Open Failover Cluster Manager and verify that the HgsClusterGroup role service is started
and is running. If it is, you can ignore this warning message.
3. Continue setting up the hosting environment by configuring the fabric DNS forwarder in
section 6.2.
6.2 Configure the fabric DNS
In order for Guarded Hosts to be able to resolve the HGS server names, a DNS forwarder from the
fabric domain to the HGS domain must be set up. There are several ways to configure name
resolution on the fabric domain. One way is to set up a conditional forwarder zone in the fabric DNS
manager. To set up this zone, run the following cmdlet in an elevated PowerShell window on a fabric
DNS server:
$HgsDomainName = 'relecloud.com'
$firstHgsServerIP = '10.0.0.100'
Add-DnsServerConditionalForwarderZone -Name $HgsDomainName -ReplicationScope "Forest" -MasterServers $firstHgsServerIP
We will add additional master servers later when we set up the additional HGS nodes.
6.3 Configure HGS attestation policies
With HGS set up and name resolution in place, it’s time to configure HGS to recognize the Guarded
Hosts. TPM-trusted attestation requires the creation of a code integrity policy and procurement of
secure boot policies and platform identifiers.
6.3.1 Registering Guarded Hosts in TPM-trusted attestation mode
As the name implies, TPM-trusted attestation requires identifiers from each machine’s hardware in
order to evaluate if the machine is in a healthy state. Additionally, a code integrity policy needs to be
authored to restrict which software can run on the hosts. We recommend that you have a
“reference machine” for each unique hardware configuration in your datacenter that can be used to
generate these pieces of information.
For each host
1. Each TPM module has a unique identity that is validated when a host tries to attest with
HGS. Run the following cmdlet in an elevated PowerShell window on the host to capture this
and other identifying information for the system:
(Get-PlatformIdentifier -Name 'Q1CX12R05-01').InnerXml | Out-File C:\Q1CX12R05-01.xml
Note: The “Name” parameter provided to Get-PlatformIdentifier should identify
the physical server location, as the platform identifier information is specific to
the actual hardware on which the host is running. Use the unique host name
identified by your fabric inventory service (if available); otherwise, specify the
host name.
2. Copy the outputted XML file to the HGS server or a network share accessible by HGS.
3. Run the following cmdlet in an elevated PowerShell window on the HGS server:
Add-HgsAttestationTpmHost -Name 'Q1CX12R05-01' -Path C:\temp\Q1CX12R05-01.xml
For each unique hardware configuration
A TPM baseline is required for each unique hardware configuration in your datacenter fabric. This
baseline should be captured on a reference machine that exemplifies the standard you want other
hosts to follow (built from trusted media source, TPM, UEFI, and Secure Boot enabled, etc.).
1. Run the following cmdlet in an elevated PowerShell window on the reference host to record
the TPM baseline:
Get-HgsAttestationBaselinePolicy -Path C:\OEM1.tcglog -Force
2. Copy the tcglog file to the HGS server or a network share accessible by HGS.
3. On the HGS server, run the following cmdlet to add the TPM baseline as an acceptable
baseline for attestation:
Add-HgsAttestationTpmPolicy -Path C:\temp\OEM1.tcglog -Name 'OEM1Policy'
Create a code integrity policy
A code integrity (CI) policy ensures that only the executables you trust to run on a host are allowed
to run. If malware or other untrusted code tries to run on the system, the system will not allow the
code to run. Here, we will create a CI policy in audit mode that will only log an error if an untrusted
executable file is run. This will allow you to examine whether your CI policy is configured properly
without risking host downtime to update a policy that is too strict. For information on best practices
for CI policies, see the Windows Server 2016 Technical Preview 4 Shielded VMs and Guarded Fabric
Operations Guide.
Additional information about CI policies can be found at https://technet.microsoft.com/en-us/library/mt243445(v=vs.85).aspx
For simplicity, you can create one CI policy that covers all machines in your fabric by running the
cmdlets below on each unique hardware/software configuration and then using the Merge-CIPolicy
cmdlet to create one master policy before registering it with HGS.
1. On the reference host, generate a new code integrity policy. To create a FilePublisher policy
which validates files based on the publisher certificate for each file, run the following
cmdlets:
New-CIPolicy -Level FilePublisher -Fallback FileName -FilePath 'C:\cipolicy.xml'
ConvertFrom-CIPolicy 'C:\cipolicy.xml' 'C:\cipolicy.p7b'
2. Copy the binary file (cipolicy.p7b) to the HGS server or a network share accessible to it
3. Run the following cmdlet on the HGS server to register the CI policy with the attestation
service:
Add-HgsAttestationCIPolicy -Path C:\temp\cipolicy.p7b -Name 'File Publisher CI Policy' -ConvertToHash
4. Keep this CI policy file handy. You may need to edit it in the future, and may need it later in
this guide if you choose to install System Center Virtual Machine Manager (SC VMM).
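Before registering the policy with HGS it is worth confirming that it is still in audit mode and that New-CIPolicy actually produced rules. The following check is an added example, not part of the guide; it assumes the policy XML is at C:\cipolicy.xml (the path used above) and follows the standard SiPolicy schema, in which options appear as Rules/Rule/Option strings such as "Enabled:Audit Mode".

```powershell
# Added example (not from the guide): inspect a CI policy XML produced by New-CIPolicy
# before registering it with HGS. Confirms the policy is still in audit mode and
# summarizes the rule types it contains.
# Assumptions: policy at C:\cipolicy.xml (guide's path), standard SiPolicy schema.
function Test-CIPolicyAuditMode {
    param(
        [Parameter(Mandatory)]
        [string]$PolicyPath
    )

    [xml]$policy = Get-Content -Path $PolicyPath -Raw
    $root = $policy.SiPolicy
    if (-not $root) {
        throw "'$PolicyPath' does not look like a code integrity policy (no SiPolicy root)."
    }

    # Policy options are plain strings, e.g. 'Enabled:Audit Mode' or 'Enabled:UMCI'.
    $options = @($root.Rules.Rule | ForEach-Object { $_.Option })

    # Count rule kinds so an empty or suspiciously small policy stands out.
    $signerCount   = @($root.Signers.Signer).Count
    $fileRuleCount = @($root.FileRules.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count

    [pscustomobject]@{
        PolicyPath  = $PolicyPath
        AuditMode   = ($options -contains 'Enabled:Audit Mode')
        UmciEnabled = ($options -contains 'Enabled:UMCI')
        Options     = $options
        SignerRules = $signerCount
        FileRules   = $fileRuleCount
    }
}

$result = Test-CIPolicyAuditMode -PolicyPath 'C:\cipolicy.xml'
$result | Format-List

if (-not $result.AuditMode) {
    Write-Warning 'Policy is in enforced mode: hosts attesting with it will block any binary it does not allow. Confirm that is intended before registering it with HGS.'
}
if ($result.SignerRules -eq 0 -and $result.FileRules -eq 0) {
    Write-Warning 'Policy contains no signer or file rules; re-run New-CIPolicy on the reference host.'
}
```

Run it on the reference host against the XML (not the .p7b) before ConvertFrom-CIPolicy; if you later merge per-hardware policies with Merge-CIPolicy, run it again on the merged result, since the merge is where an enforced-mode option can slip in unnoticed.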
6.4 Verify HGS is configured properly
Now that HGS has been configured, it is time to check whether everything is configured correctly.
Navigate to the following URL (updated with your HGS’ FQDN) in a web browser. You should be
presented with an XML document if everything is configured correctly. If you encounter a HTTP 500
error, check that you’ve followed all the steps up to this point, or see the Windows Server 2016
Technical Preview 4 Shielded VMs and Guarded Fabric Troubleshooting Guide.
http://hgs01.relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml
6.5 Configure secondary HGS nodes
In production environments, the Host Guardian Service role should be set up in a high availability
cluster to ensure that shielded VMs will be able to boot even if a HGS node goes down. For test
environments, secondary HGS nodes are not required.
The following steps will add a new machine running Windows Server 2016 Technical Preview 4 to
the HGS cluster set up in step 6.1. The machine should not be joined to any domain prior to setting
up HGS.
1. To add the Host Guardian Service role, run the following cmdlet in an elevated PowerShell
window:
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
2. Install the Host Guardian Service by modifying the following:
$adminPassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
$cred = Get-Credential 'relecloud\Administrator'
$firstHgsServerIP = '10.0.0.100'
$HgsDomainName = 'relecloud.com'
$HgsServiceName = 'ADHgs'
Install-HgsServer -HgsDomainName $HgsDomainName -HgsServerIPAddress $firstHgsServerIP -HgsDomainCredential $cred -SafeModeAdministratorPassword $adminPassword -Restart -Confirm:$false
3. Wait for the server to restart, then sign in with the HGS domain admin credentials.
4. Initialize the HGS server to finish adding the new node to the HGS cluster.
$firstHgsServerIP = '10.0.0.100'
$cred = Get-Credential 'relecloud\Administrator'
Initialize-HgsServer -HgsServerIPAddress $firstHgsServerIP -HgsDomainCredential $cred -TrustTpm -Confirm:$false -Force
5. Check the metadata URL to verify the HGS node is functioning properly by opening a web
browser and navigating to the following address (change the URL to reflect the node you’re
working on):
6. Repeat these steps for each additional node in your HGS cluster.
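Both the single-node check in section 6.4 and step 5 above come down to fetching the same Key Protection metadata document from each node. The script below is an added example, not part of the guide; it probes that URL on every node and distinguishes good XML from the HTTP 500 the guide warns about and from a name-resolution or connectivity failure. The node FQDNs are constructed placeholders to replace with your own; the metadata path is the one the guide uses.

```powershell
# Added example (not from the guide): probe the Key Protection metadata endpoint on
# each HGS node and classify the result (OK / HTTP error / no response).
# Assumptions: node names below are constructed placeholders.
function Test-HgsMetadataEndpoint {
    param(
        [Parameter(Mandatory)]
        [string[]]$NodeFqdn,
        [switch]$UseHttps
    )

    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    foreach ($node in $NodeFqdn) {
        $url = "${scheme}://$node/KeyProtection/service/metadata/2014-07/metadata.xml"
        $status = 'Unknown'
        $detail = ''
        try {
            $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            try {
                [xml]$metadata = $response.Content
                $status = 'OK'
                $detail = "root element <$($metadata.DocumentElement.LocalName)>"
            } catch {
                $status = 'NotXml'
                $detail = 'HTTP 200 but the body is not XML; check the URL and the site binding.'
            }
        } catch [System.Net.WebException] {
            $httpResponse = $_.Exception.Response -as [System.Net.HttpWebResponse]
            if ($httpResponse) {
                $code = [int]$httpResponse.StatusCode
                $status = "HTTP $code"
                $detail = if ($code -eq 500) {
                    'Server error: re-check the Initialize-HgsServer steps or consult the troubleshooting guide.'
                } else { $httpResponse.StatusDescription }
            } else {
                # No HTTP response at all: DNS (missing conditional forwarder) or network path.
                $status = 'NoResponse'
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{ Node = $node; Url = $url; Status = $status; Detail = $detail }
    }
}

# Constructed node names for illustration; the HGS domain in the guide is relecloud.com.
$nodes = 'hgs01.relecloud.com', 'hgs02.relecloud.com', 'hgs03.relecloud.com'
Test-HgsMetadataEndpoint -NodeFqdn $nodes | Format-Table -AutoSize
```

Run it from a fabric machine rather than from an HGS node, so that the conditional forwarder configured in section 6.2 is exercised as well; a NoResponse result on every node usually points at DNS rather than at HGS itself. Pass -UseHttps if you configured the HTTPS endpoints described in Appendix A.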
6.6 Confirm hosts can attest successfully
After your HGS nodes are set up, it is time to configure the Hyper-V hosts to attest to the HGS
servers and confirm that your attestation groups are set up correctly.
Complete the following steps on at least one Guarded Hyper-V Host:
1. Configure the host’s Key Protection and Attestation URLs by executing the following cmdlet
in an elevated PowerShell window, modifying the FQDN of the HGS server cluster as
appropriate:
Set-HgsClientConfiguration -AttestationServerUrl 'http://relecloud.com/Attestation' -KeyProtectionServerUrl 'http://relecloud.com/KeyProtection' -Confirm:$false
2. Run the following cmdlet to initiate an attestation attempt on the host and view the
attestation status:
Get-HgsClientConfiguration
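A first attestation attempt frequently fails while HGS is still replicating the policies just registered, so a single call is easy to misread. The following wrapper is an added example, not part of the guide: it applies the URLs from step 1 and then polls the host's attestation result until the host is guarded or a timeout expires. The property names IsHostGuarded, AttestationStatus and AttestationSubstatus are those of the released Get-HgsClientConfiguration output and are an assumption for Technical Preview builds; the cluster FQDN relecloud.com is the guide's.

```powershell
# Added example (not from the guide): configure HGS URLs on a Hyper-V host and poll the
# attestation result until the host reports as guarded or the timeout expires.
# Assumptions: IsHostGuarded / AttestationStatus / AttestationSubstatus property names
# (released cmdlet output; Technical Preview builds may differ).
function Wait-HgsHostGuarded {
    param(
        [string]$HgsFqdn = 'relecloud.com',
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 15
    )

    Set-HgsClientConfiguration `
        -AttestationServerUrl "http://$HgsFqdn/Attestation" `
        -KeyProtectionServerUrl "http://$HgsFqdn/KeyProtection" `
        -Confirm:$false | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Each call triggers a fresh attestation attempt against HGS.
        $config = Get-HgsClientConfiguration
        if ($config.IsHostGuarded) {
            Write-Host "Host is guarded; attestation status: $($config.AttestationStatus)"
            return $config
        }
        Write-Host "Not yet guarded: $($config.AttestationStatus) / $($config.AttestationSubstatus). Retrying in $PollSeconds s..."
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Host did not attest within $TimeoutSeconds seconds. Check that the platform identifier, TPM baseline and CI policy registered with HGS (section 6.3) match this hardware, and that the fabric DNS resolves the HGS domain (section 6.2)."
    return $config
}

Wait-HgsHostGuarded | Format-List
```

The AttestationSubstatus value is the useful field when the loop times out: it names which of the three artifacts (platform identifier, TPM baseline or CI policy) HGS rejected, which tells you which of the section 6.3 steps to repeat for that hardware configuration.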
6.7 Configure optional components
After completing sections 6.1-6.6, you are ready to begin using your Guarded Fabric. You may
optionally continue to configure System Center Virtual Machine Manager 2016 to more easily
manage your datacenter and Windows Azure Pack to offer an easy-to-use web interface to your
tenants.
Section 7 (Shielding and migrating an existing VM) describes the steps you need to do to create a
shielded VM on tenant infrastructure and move it to a secured hosting environment.
Section 8 (Setting up Virtual Machine Manager) walks through the necessary steps to configure
VMM to work with a Guarded Fabric, including preparing Shielded disk templates that allow tenants
to securely deploy shielded VMs directly on your Guarded Fabric.
Section 9 (Setting up Windows Azure Pack) extends VMM’s functionality with a web interface that
allows your tenants to effortlessly deploy and manage VMs in your datacenter.
7 Scenario #1 – Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host
Use the following steps to manually create a shielded virtual machine on a tenant Hyper-V host
computer and grant permission to run the VM in the Guarded Fabric environment.
Do these steps on a physical server running Windows Server Technical Preview 4 (build #10586) with
the following roles and features installed:
1. Role
a. Hyper-V
2. Features
a. Host Guardian Hyper-V Support
b. Remote Server Administration Tools\Shielded VM Tools
7.1 Import the guardian configuration on the tenant Hyper-V server
1. To get guardian key metadata using Internet Explorer, browse to the following URL:
http://relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml
2. Save the page as C:\temp\GuardianKey.xml.
If you don’t have name resolution and/or connectivity between the tenant Hyper-V Host and the HGS infrastructure, you can download it on the HGS server and transfer it offline to the tenant Hyper-V Host.
3. Import the guardian key. Review the following example, modify it as needed, and then run
the following cmdlet:
Import-HgsGuardian -Path 'C:\temp\GuardianKey.xml' -Name 'Guardian' -AllowUntrustedRoot
The -AllowUntrustedRoot parameter is only required if you used self-signed certificates
when setting up the Key Protection Service.
7.2 Create a new VM on tenant Hyper-V
1. Review, modify as needed, and then run the following cmdlet from a tenant Hyper-V host to
create a new Generation 2 virtual machine:
New-VM -Generation 2 -Name "ShieldVM1" -Path C:\VMs -NewVHDPath c:\VMs\ShieldVM1\ShieldVM1.vhdx -NewVHDSizeBytes 60GB
2. Install the Windows Server 2016 Technical Preview 4 operating system on the VM, and then
enable the remote desktop connection and corresponding firewall rule. Record the VM’s IP
address; you will need it to remotely connect to the server.
3. Use RDP to remotely connect to the VM, and verify that RDP and the firewall are configured correctly. As part of the shielding process, console access to the virtual machine through Hyper-V will be disabled.
4. Stop the VM by running the following:
Stop-VM -Name ShieldVM1
5. Create a new Host Guardian Service key protector using the hosting service provider metadata and the tenant owner. Review the following example, modify it as needed, and then run the following cmdlets:
$Guardian = Get-HgsGuardian -Name 'Guardian'
$Owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates
$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot
6. Enable the vTPM using the key protector. Review the following example, modify it as needed,
and then run the following cmdlets.
$VMName = "ShieldVM1"
Stop-VM -Name $VMName -Force
Set-VMKeyProtector -VMName $VMName -KeyProtector $KP.RawData
Set-VMSecurityProfile -VMName $VMName -ShieldingRequested $true
Enable-VMTPM -VMName $VMName
7. Start the VM to verify that the key protector is working with local owner certificates. Review the following example, modify it as needed, and then run the following cmdlet.
Start-VM -Name $VMName
8. Verify that the VM has started in the Hyper-V console.
9. Use RDP to remotely connect to the VM, and then enable BitLocker on all Virtual Hard Disk
partitions that are attached to the shielded VM.
Important: Wait for BitLocker encryption to finish on all partitions where you
enabled it before proceeding to the next step.
10. Stop the VM. Review the following example, modify it as needed, and then run the following
cmdlet:
Stop-VM -Name ShieldVM1
11. Export the VM using the tool of your choice (PowerShell or Hyper-V MMC) from the tenant
Hyper-V server, and then copy the files to the guarded Hyper-V Host and import it using the
following PowerShell cmdlets:
$VMConfig = Get-ChildItem -Path 'C:\vms\ShieldVM1\Virtual Machines\' -Include "*.vmcx" -Recurse
Import-VM -Path $VMConfig.FullName
12. Start the VM on the Guarded Host:
Start-VM -Name 'ShieldVM1'
Note: If you have not already configured the HGS URLs on this host using the
instructions in Section 6.6, you will not be able to start the VM because the host is
not guarded. Run the cmdlets from Section 6.6 to configure the host, then try
starting the VM again.
When the VM successfully boots, you have verified that the Key Protector was configured
correctly and that the VM is running securely on the Guarded Fabric.
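A VM that fails to start on the guarded host can do so for reasons unrelated to the key protector (wrong generation, vTPM not enabled, host not yet guarded), so it helps to inspect the imported VM's security settings before attempting the start. The function below is an added example, not part of the guide. It assumes the released Get-VMSecurity cmdlet and its Shielded and TpmEnabled properties; Technical Preview 4 configures the same settings through Set-VMSecurityProfile, so the read-side cmdlet name may differ there. The VM name is the guide's ShieldVM1.

```powershell
# Added example (not from the guide): on the guarded host, check the imported VM's
# security settings and host attestation state, then attempt the start and record the
# outcome so failures can be attributed.
# Assumptions: Get-VMSecurity and its Shielded/TpmEnabled properties (released cmdlet);
# IsHostGuarded on Get-HgsClientConfiguration output.
function Test-ShieldedVmOnGuardedHost {
    param([string]$VMName = 'ShieldVM1')

    $vm       = Get-VM -Name $VMName
    $security = Get-VMSecurity -VMName $VMName
    $kp       = Get-VMKeyProtector -VMName $VMName   # raw key protector bytes
    $client   = Get-HgsClientConfiguration

    $report = [pscustomobject]@{
        VMName           = $VMName
        Generation       = $vm.Generation
        Shielded         = $security.Shielded
        TpmEnabled       = $security.TpmEnabled
        KeyProtectorSize = if ($kp) { $kp.Length } else { 0 }
        HostIsGuarded    = $client.IsHostGuarded
        StartResult      = 'NotAttempted'
    }

    # Preconditions that have nothing to do with HGS: rule them out first.
    if ($vm.Generation -ne 2 -or -not $security.TpmEnabled -or $report.KeyProtectorSize -eq 0) {
        $report.StartResult = 'Skipped: VM is not a Generation 2 VM with a vTPM and a key protector'
        return $report
    }
    # Host side: an unguarded host cannot unlock the key protector (see section 6.6).
    if (-not $client.IsHostGuarded) {
        $report.StartResult = 'Skipped: host is not guarded; run the section 6.6 cmdlets first'
        return $report
    }

    try {
        Start-VM -Name $VMName -ErrorAction Stop
        $report.StartResult = "Started (state: $((Get-VM -Name $VMName).State))"
    } catch {
        $report.StartResult = "Failed: $($_.Exception.Message)"
    }
    $report
}

Test-ShieldedVmOnGuardedHost | Format-List
```

A Failed result with TpmEnabled, Shielded and HostIsGuarded all true isolates the problem to the key protector itself, most often a guardian imported from a different HGS instance than the one the host attests to.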
8 Scenario #2 – Create a new shielded VM from a VM template using SC VMM
For this scenario, hosting service providers prepare a signed disk template for use by their tenants,
and then make it available to the tenants. The tenants then connect to the VMM and create a
shielded VM from the shielded VM template, and then provide the desired configuration (for
example, VM Name, RDP Certificate, and any other secret data at the time of VM creation).
1. Hosting service providers configure the VMM and Hyper-V fabric to support shielded VM.
2. Hosting service providers use the following procedures to create a shielded VM template:
a. Download or prepare the VHD to use as a template.
b. Create a signed disk template.
c. Copy and publish the disk template to the VMM library.
d. Create the shielded VM template in VMM using the signed disk.
3. Tenant administrators use the following procedures to create shielding data for the shielded
VM. These steps must be completed on a tenant computer and not on the fabric Hyper-V
host.
a. Create an RDP certificate.
b. Create an Unattend file.
c. Get the Volume Signature Catalog file.
d. Get the Host Guardian Service Metadata and import it using cmdlets.
e. Create a shielding Data File.
4. Finally, tenants use the following procedures to create and start the virtual machine:
a. Create a shielded VM using VMM.
b. Start the shielded VM and connect to it.
8.1 Configure Host Guardian Service Settings in Virtual Machine Manager
Virtual Machine Manager Technical Preview (VMM) includes features to manage shielded VMs.
Before you use VMM with the Host Guardian Service, you should already have VMM installed and
configured for your infrastructure.
For more information about installing and configuring VMM, see Virtual Machine
Manager guidance or download the pre-configured image that has been made
available to make the configuration of the scenario easier.
VMM should have the following:
1. Tenants need to have the Tenant Administration user role so that they can use the remote
VMM Administrator console.
a. Verify that the user role you create for tenant administrators has the Deploy
Shielded property and Deploy permissions.
2. Clouds created for tenants, so that shielded VMs can be added to them.
a. On the General property page of a cloud, verify that for Shielded VM support, you
select Supported on this private cloud.
b. Verify that the cloud’s host group contains the guarded hosts that will run shielded
VMs.
Warning: In VMM 2016 Technical Preview 4, you should create a separate cloud
just for your guarded hosts. There is a known issue in VMM Technical Preview 4
that might result in shielded VMs being deployed to unguarded hosts if any exist
in your cloud, which would cause the VM deployment job to fail. This issue is
expected to be resolved in VMM Technical Preview 5.
In VMM, you specify global URLs for the Host Guardian Service. VMM uses the attestation server
URL to communicate with the Host Guardian Service to verify that a host is guarded and is allowed
to run shielded VMs. After a host is configured with Host Guardian Service settings and VMM’s
Change properties of a virtual machine host job runs for the host, it is ready to host shielded VMs.
You can view the status of any changes in the Jobs workspace.
Use the following procedures to configure VMM for guarded hosts.
8.1.1 Configure the Host Guardian Service settings
1. In VMM, open the Settings workspace, and then select General.
2. In the Settings view, open Host Guardian Service Settings.
3. In the Host Guardian Service Settings dialog box, type the URLs for the following servers:
a. Attestation Server URL
This URL might resemble http://relecloud.com/Attestation
b. Key Protection Server URL
This URL might resemble http://relecloud.com/KeyProtection
Note: If you enabled HTTPS endpoints when initializing the HGS Server in Section
6.4, use the https:// prefix for your URLs here. See Appendix B for more
information on working with HTTPS.
8.1.2 Configure a specific guarded host’s settings
1. In VMM, open the Fabric workspace.
2. In the Fabric pane, under Servers, select All Hosts.
3. In the Hosts view, select the guarded host that you want to update, and then click Properties.
4. In the Host Properties box, click Host Guardian Service.
5. Select the Enable the Host Guardian Service and use the URLs configured as global settings in
VMM check box.
6. Click OK.
7. You can review the job status for the guarded host in the Jobs workspace.
To review the job status and host status for a guarded host:
1. After you have made changes to the Host Guardian Service settings for a host, open the Jobs
workspace.
Note: If you have changed the code integrity policy for a host, it should have
restarted the host. This job may take several minutes to complete.
2. In the Jobs pane, click History, and in the History – Recent Jobs view, select the Change
properties of a virtual machine host job.
3. The status of the job is displayed:
a. If the Status is Running, wait for the job to complete.
b. If the Status is Completed, then the job successfully ran; however, you should
review the host status to verify that it is ready to host and run shielded VMs.
4. Open the Fabric workspace.
5. In the Fabric pane, under Servers, select All Hosts.
6. In the Hosts view, review the Host Status and take any actions needed, as follows:
a. If the Host Status is OK, then the host is ready for shielded VMs.
b. If the Host Status is Needs Attention, select the host, and then click View Status.
i. In the Host Properties box, click Status. You should see one or more items
with Warning status. Review the error details for the warning.
ii. If the warning indicates that the Key Protection Server or Attestation Server
do not match the expected global Host Guardian Service setting, then you
need to change the settings for that host.
iii. If the warning indicates that the code integrity policy needs to be updated,
close the Host Properties box, and then click Apply Latest Code Integrity
Policy. If an informational dialog appears, click OK to close it. The Host
Status should change to OK after the host restarts and the Change
properties of a virtual machine host runs.
8.2 Hosting Service Provider Creates a Signed Disk Template
8.2.1 Create Generation 2 Disk Template
You can create a Generation 2 Template by using any of the methods documented in the topic titled “How to Create a Virtual Machine Template” (https://technet.microsoft.com/en-us/library/hh427282.aspx).
The guest operating system must be Generation 2-compatible with the operating system (for
example, Windows Server 2016 Technical Preview 4), and the disk must be partitioned using GPT.
Warning: If the guest OS on the template disk is running Windows Server 2012 or
Windows Server 2012 R2, you must first install the KB3116908 update on the
server running the Template Disk Wizard. This update is not required if the guest
OS installed on your template disk is Windows Server 2016 Technical Preview 4.
Verify that the disk meets the following BitLocker requirements:
• Is formatted with the NTFS file system
• Does not use Dynamic Volume
• Has at least two partitions. One partition must include the drive on which Windows is installed. This is the drive that BitLocker will encrypt. The other partition is the active partition, which remains unencrypted so that the computer can be started
Note: Do not copy the Disk Template in the VMM library at this stage.
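The layout requirements above are cheap to verify from the host before the Template Disk Wizard is run, which is preferable to discovering them when provisioning fails. The following check is an added example, not part of the guide: it mounts the candidate VHDX read-only and inspects partition style, partition count and the file system of the Windows partition. The VHDX path is a placeholder; the check needs the Hyper-V module (Mount-VHD) and the Storage module (Get-Disk, Get-Partition, Get-Volume). Dynamic (LDM) volumes cannot be detected reliably from outside the guest, so that requirement is left to a look at Disk Management inside the template OS.

```powershell
# Added example (not from the guide): mount a candidate template VHDX read-only and
# check the BitLocker/Generation 2 layout requirements (GPT, >= 2 partitions, NTFS
# Windows partition) before signing it with the Template Disk Wizard.
# Assumptions: placeholder VHDX path; Hyper-V and Storage PowerShell modules present.
function Test-TemplateDiskLayout {
    param(
        [Parameter(Mandatory)]
        [string]$VhdxPath
    )

    # Read-only mount so the check cannot alter the image; no drive letters are assigned.
    $disk = Mount-VHD -Path $VhdxPath -ReadOnly -NoDriveLetter -Passthru | Get-Disk
    try {
        $partitions = @(Get-Partition -DiskNumber $disk.Number)
        $findings = @()

        if ($disk.PartitionStyle -ne 'GPT') {
            $findings += "Partition style is $($disk.PartitionStyle); a Generation 2 template must use GPT."
        }
        if ($partitions.Count -lt 2) {
            $findings += "Only $($partitions.Count) partition(s); BitLocker needs an unencrypted boot partition plus the Windows partition."
        }

        # The Windows partition is normally the largest one; it is the one BitLocker encrypts.
        $windowsPartition = $partitions | Sort-Object -Property Size -Descending | Select-Object -First 1
        $windowsVolume = $windowsPartition | Get-Volume -ErrorAction SilentlyContinue
        $windowsFs = if ($windowsVolume) { $windowsVolume.FileSystem } else { 'unknown' }
        if ($windowsFs -ne 'NTFS') {
            $findings += "Largest partition is $windowsFs, not NTFS."
        }

        # Dynamic (LDM) volumes are not detectable here; check Disk Management in the guest.
        [pscustomobject]@{
            VhdxPath          = $VhdxPath
            PartitionStyle    = $disk.PartitionStyle
            PartitionCount    = $partitions.Count
            WindowsFileSystem = $windowsFs
            MeetsRequirements = ($findings.Count -eq 0)
            Findings          = $findings
        }
    }
    finally {
        # Always release the image, even if a Storage cmdlet threw.
        Dismount-VHD -Path $VhdxPath
    }
}

# Placeholder path; point it at the copy of the template VHDX you intend to sign.
Test-TemplateDiskLayout -VhdxPath 'C:\Templates\10586TP4.vhdx' | Format-List
```

Run this against the copy you intend to sign (section 8.2.3 notes the wizard modifies the image in place), and only move on to the wizard when MeetsRequirements is true.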
8.2.2 Run Windows Update on the template operating system
Before continuing, verify that the template operating system has all of the latest Windows updates
installed. Recently released updates improve the reliability of the end-to-end shielding process – a
process that may fail to complete if the template operating system is not up-to-date.
8.2.3 Signing a Template Disk
Hosting service providers can use the following procedure to create a signed disk template with the
Protected Template Disk Creation wizard. The procedure creates a signed disk template disk that is
encrypted with BitLocker. During this process, a hash for the disk is generated and added to a .VSC
(volume signature catalog) file. The .VSC file is signed using a certificate and then BitLocker creates a
full volume encryption key, which is placed on the disk. The key is stored in clear text.
As the wizard runs, the existing .VHDX image is modified by embedding the .VSC file in it. You may
want to copy the original .VHDX image and use the copy for the new template before you run the
wizard.
Later, when the VM is provisioned, the key becomes protected. After the read-only signed template
is created, modifying the template will render it unusable. When creating a new VM from a
template, tenants use VMM to download the volume signature catalog (VSC) for a template disk; the
VSC can be used as one of the inputs for the PDK generation.
1. You will need a certificate to sign the VHD that will be used as a template for creating new VMs. You must protect the certificate that you will use to sign the template. For testing purposes, you can use the VMM server to create the signed template. You need to install “Remote Server Administration Tools\Feature Administration Tools\Shielded VM Tools” in Server Manager, either using Add Roles and Features or with PowerShell using the following cmdlet, and then restart the server:
Add-WindowsFeature -Name RSAT-Shielded-VM-Tools -Restart
2. For this scenario validation, you can create a self-signed certificate to sign VHDX by running the
following cmdlet:
New-SelfSignedCertificate -DnsName publisher.signingcertificate.com -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
3. Run C:\Windows\System32\TemplateDiskWizard.exe to start the Protected Template Disk
Creation Wizard.
4. On the Certificate page, click Browse to display a list of certificates. Select the certificate with which to sign the template. This is the publisher of the template. Click OK > Next.
5. On the Virtual Disk page, Browse to the location of the virtual disk to update > Next.
6. On the Signature Catalog page, type the values for Disk name and Version.
For example, for Disk name type 10586TP4. For Version, type 1.0.0.0
7. On the Review Settings page, review the settings, and then click Generate.
a. The page shows the template file being generated. Wait until the signing process has
finished.
8. On the Summary page, information about the template, certificate used to sign the template,
and the certificate issuer is shown. Click Close to exit the wizard.
8.2.4 Copy and publish the disk template to the VMM Library
Use the following procedure to copy the disk template in Virtual Machine Manager (VMM).
1. Copy the VHDX file to the VMM library share folder.
2. Refresh the library to view the shielded disk.
You can optionally add the shielded column in the VMM Administrator console using the
corresponding property to view shielded disks.
8.2.5 Create the shielded VM template in VMM using the signed disk
Use the following procedure to create the shielded VM template in VMM using the signed disk.
1. In VMM, start the Create VM Template Wizard to begin creating a shielded VM template
using the signed disk.
2. In the Hardware Configuration, select the .VHDX disk that you prepared previously. Notice
that secure boot is enabled.
3. Verify that the network adapter is connected to a virtual machine network; otherwise, users
won’t be able to use Remote Desktop to connect to the VM, which is the only way for a
tenant to connect to their VM.
4. For operating system properties, the wizard differs from regular templates. VMM displays
non-secure information only, such as product key, time zone, and computer name. Secure
information such as administrator password and domain name is specified by the tenant
through a shielding data file (.PDK).
Verify that the correct product key is provided in the operating system properties
for the template disk. If an incorrect product key is used, the VM creation will fail.
After the template is created, tenants can use it when they create new virtual machines. You will
need to verify that the VM template is one of the resources available to the tenant administrator
user role.
8.3 Tenant creates shielding data to define a shielded VM
Use the information in the following sections to prepare secret information for use with the
shielded VM template, and then create the shielded VM.
Warning: The steps in this section must be completed on a tenant computer
running Windows Server 2016 Technical Preview and not on the fabric Hyper-V
host.
8.3.1 Create an RDP certificate
Tenants create a remote desktop certificate, exported as a Personal Information Exchange (.PFX)
file, to log on to the shielded VMs. The exported certificate is used in an Unattend.XML file in a
subsequent procedure. For basic information about certificates, see How to Use the Certificates
Console. For more comprehensive information about remote desktop certificates, see
Configuring Remote Desktop certificates.
1. On the tenant computer, create an answer file for the .VHDX that will be used during VM
creation from the template. Review, modify as needed, and then run the following cmdlets:
$rdpcertificate = New-SelfSignedCertificate -DnsName ts.examplerdpcertificate.com -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
$rdpcertificatepassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
Export-PfxCertificate -Cert $rdpcertificate -Password $rdpcertificatepassword -FilePath 'c:\rdpcert.pfx'
2. Run the following cmdlet and record the thumbprint for the certificate.
$rdpcertificate.Thumbprint
8.3.2 Create an Unattend File
Tenants create an Unattend.XML file to define the secret information to include in the shielded
VM. This information is later used by the Shielding Data File Wizard to create a .PDK
(shielding data file). Tenants can include substitution strings in the Unattend file, which lets
the hosting service provider supply the replaceable values from the VM template. If no
substitution strings are used, the explicit values included in the Unattend file are used.
When creating an unattend file for shielded VMs, keep in mind the following restrictions:
1. The unattend file must result in the VM being turned off after it has been configured.
VMM will only know that the VM specialization process has completed when it sees the
VM has turned off.
2. It is strongly recommended that you configure an RDP certificate to ensure you are
connecting to the right VM and not another machine configured for a man-in-the-middle
attack.
3. Be sure to enable RDP and the corresponding firewall rule so you can access the VM
after it has been configured. You cannot use the VM console to access shielded VMs, so
you will need RDP to connect to your VM.
4. The only substitution strings supported in shielded VM unattend files are the following:
Replaceable Element    Substitution String
ComputerName           @ComputerName@
TimeZone               @TimeZone@
ProductKey             @ProductKey@
VMM will use substitution strings if you include them in the Unattend.XML file. If you do use
substitution strings, verify that the corresponding values are set in the VMM virtual machine
template. Otherwise, the operating system customization stalls, the VM never shuts down, and
the VMM task fails.
For your convenience, a sample unattend.xml file has been provided in Section 10.
8.3.3 Get the volume signature catalog file
Tenants use VMM to extract the volume signature catalog (.VSC) file, which describes the template
that the .PDK file can be applied to. You can use the following procedure to get the .VSC file.
1. Using a remote VMM administrator console, open a PowerShell window. Review the
following example information, modify it as needed, and then run the following cmdlets:
$disk = Get-SCVirtualHardDisk -Name "ThresholdTP3.vhdx"
$vsc = Get-SCVolumeSignatureCatalog -VirtualHardDisk $disk
$vsc.WriteToFile("c:\Disk1.VSC")
8.3.4 Get the Host Guardian Service metadata and import it using cmdlets
Tenants download the Host Guardian Service metadata, in XML form, and then import it. The
metadata contains the public portion of the encryption certificate and the signing certificate
used by the Host Guardian Service. You must already have a VMM tenant administrator user role
and be connected remotely to VMM using the VMM Administrator console in order to perform the
following procedure.
Use the following procedure on a tenant computer to get the metadata file and import the Host
Guardian Service certificate from it. Review the following example information and modify it as
needed.
8.3.4.1 Create a new owner certificate
1. If you don't already have one, create a new owner guardian (certificate pair) to use for the
shielded VM. Run the Get-HgsGuardian cmdlet to see the list of guardians on the machine; if
"Owner" already exists, continue to the next step, Import guardian.
New-HgsGuardian -Name Owner -GenerateCertificates
8.3.4.2 Import guardian
1. Open a web browser on the tenant machine, browse to the KPS metadata URL, and then
save the file as "C:\metadata.xml".
http://Relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml
Note: If tenants don’t have access to the HGS server, you can download the
metadata file and then transfer it offline to clients.
2. On a tenant computer with a copy of the downloaded metadata from Step 1, run the
following cmdlet in a PowerShell window. Note that if you have previously imported this
guardian, you can skip this cmdlet and continue to the next section, “Create a shielding data
file for shielded templates.”
Import-HgsGuardian -Path c:\metadata.xml -Name Guardian -AllowUntrustedRoot
8.3.5 Create a shielding data file for shielded templates
Tenants use the Shielding Data File Wizard to create a PDK file. The PDK file is used for shielded
VM creation. It is a protected data file that contains the tenant's secret information and can be
decrypted only by the owner and the guardians (the Host Guardian Service) named in it; the fabric
administrator cannot read it.
1. Run C:\Windows\System32\ShieldingDataFileWizard.exe to start the Shielding Data File
Wizard.
2. On the File Selection tab, select Create a new shielding data file, browse to the location where
you want to save the PDK file that you’re creating, type the file name to create. Select Shielding
Data for Shielded Templates > Next.
For example, type C:\Tenant.pdk.
3. On the Owner and Guardians page, select the owner of the PDK file, then select the Guardian
name > Next. Note that:
a. You can select multiple guardians.
b. The owner would typically be the tenant owner of the VM.
c. The Guardian name is the friendly name of the Host Guardian Service identified in
the metadata that you imported.
4. On the Volume ID Qualifiers page, click Add to open the Add Volume ID Qualifier dialog box.
5. In the Add Volume ID Qualifier dialog box, click Browse to locate the .VSC file that you
downloaded from VMM previously (see Get the volume signature catalog file). Open it, and then
click OK. You can change the Version rule as needed; it controls which versions of the signed
template disk this shielding data may be applied to.
6. On the Specialization Values pages, Browse for or type the path and file name of the
Unattend.XML file that you created previously, and then click Next.
You can also click Add under Other files to securely send them to the shielded VM when it is
created. For example, you might want to send an RDP certificate. If you used the sample
Unattend.XML file, then you would add RDPCert.pfx.
7. On the Review Settings page, review the settings, and then click Generate.
8. On the Shielding Data File Generation page, progress is displayed.
9. On the Summary page, information about the PDK file that you created is shown. Click Close to
exit the wizard.
Tenants can now instantiate a shielded VM from a signed disk template using the virtual machine
shielding information.
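The tenant-side preparation in Sections 8.3.1 through 8.3.5, written as one script. This is an added example, not code from the guide. It assumes: the Section 10 sample is saved verbatim as C:\unattend.template.xml (the script replaces the sample's literal password and thumbprint); the .VSC exported in Section 8.3.3 is at C:\Disk1.VSC; the HGS metadata is reachable at the guide's Relecloud.com URL; and the ShieldedVMDataFile module cmdlets New-VolumeIDQualifier and New-ShieldingDataFile are present, as they are in the Windows Server 2016 release. On a Technical Preview 4 client, do the final step with ShieldingDataFileWizard.exe using the same inputs.

```powershell
# Added example: tenant preparation for a shielded VM (Sections 8.3.1 - 8.3.5).
# Assumptions are listed in the lead-in; paths and names are for illustration.
$ErrorActionPreference = 'Stop'

# 8.3.1 RDP certificate. Use a random PFX password rather than the sample's '!!123abc';
# the password only travels inside the encrypted PDK, but it is still a credential.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$rdpPasswordPlain = [Convert]::ToBase64String($bytes)
$rdpCert = New-SelfSignedCertificate -DnsName 'ts.examplerdpcertificate.com' `
    -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
$rdpPassword = ConvertTo-SecureString -AsPlainText $rdpPasswordPlain -Force
Export-PfxCertificate -Cert $rdpCert -Password $rdpPassword -FilePath 'C:\RDPCert.pfx' | Out-Null

# 8.3.2 Fill the unattend file. wmic expects the SHA-1 hash as lowercase hex, no spaces.
$unattend = Get-Content 'C:\unattend.template.xml' -Raw
$unattend = $unattend.Replace('!!123abc', $rdpPasswordPlain)
$unattend = $unattend.Replace('f5d17b3d2fe391480e7532764026d6129884862b', $rdpCert.Thumbprint.ToLower())

# Checks the guide calls out: the VM must shut itself down, and only three
# substitution strings are supported; anything else stalls specialization.
if ($unattend -notmatch 'shutdown /s') {
    throw 'Unattend must shut the VM down, or VMM never sees specialization complete'
}
$allowed = '@ComputerName@', '@TimeZone@', '@ProductKey@'
$used = [regex]::Matches($unattend, '@[A-Za-z]+@') | ForEach-Object { $_.Value } | Sort-Object -Unique
$bad = $used | Where-Object { $_ -notin $allowed }
if ($bad) { throw "Unsupported substitution string(s): $($bad -join ', ')" }
[System.IO.File]::WriteAllText('C:\unattend.xml', $unattend, [System.Text.UTF8Encoding]::new($false))

# 8.3.4 Owner guardian (tenant's own key pair) and the HGS guardian from its metadata.
if (-not (Get-HgsGuardian -Name Owner -ErrorAction SilentlyContinue)) {
    New-HgsGuardian -Name Owner -GenerateCertificates | Out-Null
}
if (-not (Get-HgsGuardian -Name Guardian -ErrorAction SilentlyContinue)) {
    Invoke-WebRequest -UseBasicParsing -OutFile 'C:\metadata.xml' `
        -Uri 'http://Relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml'
    # -AllowUntrustedRoot only because the lab HGS uses self-signed certificates.
    Import-HgsGuardian -Path 'C:\metadata.xml' -Name Guardian -AllowUntrustedRoot | Out-Null
}

# 8.3.5 Build the PDK. The volume ID qualifier binds the PDK to the signed template disk,
# so a substituted or tampered template cannot consume these secrets.
$owner    = Get-HgsGuardian -Name Owner
$guardian = Get-HgsGuardian -Name Guardian
$vidq     = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\Disk1.VSC' -VersionRule Equals
New-ShieldingDataFile -ShieldingDataFilePath 'C:\Tenant.pdk' -Owner $owner -Guardian $guardian `
    -VolumeIDQualifier $vidq -WindowsUnattendFile 'C:\unattend.xml' `
    -OtherFile 'C:\RDPCert.pfx' -Policy Shielded
```

Keep C:\RDPCert.pfx and the generated password in the tenant's own secret store; after the PDK is built, nothing on the hosting side needs them in the clear.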
8.4 Create a shielded VM using VMM
1. In the VMM Administration console, select the template, and then click Create Virtual Machine
to start the Create Virtual Machine Wizard so you can begin creating a new virtual machine from
a shielded VM template.
2. In the wizard, you select the appropriate shielding data file (.PDK). You’ll make other choices for
the new virtual machine just as you would a regular unshielded virtual machine, such as
configuring the hardware, operating system, destination, cloud, settings, and properties.
VMM instantiates a new virtual machine from the template using information from the PDK file.
After the virtual machine is created on the Hyper-V Host, the following actions occur automatically:
1. The source disk template (VHDX) file is copied from the VMM library.
2. The VM provisioning service decrypts data in the .PDK file, creates a merged unattend.xml
file and copies additional files (for example, RDPCert.pfx) inside the .PDK file to the boot
volume of the VM.
3. The VM restarts, enters the Sysprep process, and becomes BitLocker-encrypted.
4. When the VM customization completes, the new virtual machine shuts down. Approximately
10 minutes elapse for the steps above to complete.
5. In the VMM Administrator console, you can see that the Create VM task completed and the
VM is turned off.
9 Scenario #3 – Deploy a shielded VM using Windows Azure Pack (new in Windows Server 2016 Technical Preview 4)
Important: You must complete steps 8.1 – 8.3.2 in Scenario #2 before beginning
this scenario.
In this scenario, the host service providers prepare a signed disk template for use by their tenants,
and then make it available to the tenants using the Plans feature in Windows Azure Pack. Tenants
then connect to the Windows Azure Pack portal and create a shielded VM from a shielded VM
template in the Windows Azure Pack Gallery. The required steps for the administrator are the same
(with one or two additional steps) for allowing the VM creation from VMM, while the tenant flow is
completely different because the tenant creates their VM from Windows Azure Pack instead of
VMM.
1. The hosting service providers configure VMM 2016 Technical Preview 4 and the Hyper-V
Technical Preview 4 fabric to support shielded VMs.
2. The hosting service providers use the following procedures to create a shielded VM
template:
a. Download or prepare VHD to use as a template.
b. Create a Signed Disk Template.
c. Copy and publish the disk template to the VMM library.
d. Create the shielded VM template in VMM using the signed disk.
3. The hosting service providers install and configure Service Provider Foundation 2016
Technical Preview 4 and Windows Azure Pack, and then create plans in Windows Azure Pack
to expose the shielded VMs to the tenants.
4. Tenant administrators use the Windows Azure Pack tenant portal to create shielding data for
the shielded VM. To do this:
a. Get the Volume Signature Catalog file and the Host Guardian Service metadata from the
Windows Azure Pack portal.
b. Create a shielding data file.
5. Tenants use the Windows Azure Pack portal to create and start the shielded VM.
Important: Before you begin this section, make sure you have completed Scenario #2, and have
successfully completed the following configurations in VMM, with artefacts that are defined for use
in the Windows Azure Pack portal. You should have:
1. Host Guardian Service settings defined in VMM
2. Guarded hosts in your fabric
3. A VMM cloud that supports shielding
4. A Generation 2 VM template with unsigned disk
5. A Generation 2 VM template with signed disk (also referred to as Shielded Template in this
document)
6. A non-shielded VM
9.1 Configure Service Provider Foundation and Windows Azure Pack to expose
shielded VM plans to tenants
9.1.1 Configure the Service Provider Foundation
Install Service Provider Foundation 2016 Technical Preview 4 using the instructions at this link:
https://technet.microsoft.com/en-us/library/dn266007.aspx. Note that these instructions are for
Service Provider Foundation 2012 R2, but you must install Service Provider Foundation 2016
Technical Preview 4. Use the service account for Application Pool Credentials in step #8.
If you have issues with integrating Windows Azure Pack and Service Provider Foundation, see the
following link for help:
http://blogs.technet.com/b/privatecloud/archive/2013/11/08/troubleshooting-windows-azure-pack-spf-amp-vmm.aspx
9.1.2 Install Windows Azure Pack
Before you install the Windows Azure Pack Express, verify that you have complied with the Windows
Azure Pack system requirements overview, including installing the Web Platform Installer.
1. Start the Web Platform Installer: Type Windows Azure Pack in the search box.
2. Next to Windows Azure Pack: Portal and API Express, click Add > Install.
If the server running VMM 2016 Technical Preview 4 does not have Internet access, see the
following instructions for installing offline: https://technet.microsoft.com/en-us/dn756546.aspx.
3. On the Prerequisites page, review and accept the Terms and Conditions.
4. Indicate whether you want to use Microsoft Update to keep Windows Azure Pack up-to-date.
We recommend that you use Microsoft Update because it helps ensure that any
updates needed for this scenario are automatically installed.
5. The installation begins. Your computer might restart during the installation. When the
installation has completed, make sure all Internet Explorer windows are closed, and then
click Continue to start the Service Management Configuration site.
The configuration site (https://localhost:30101/) opens in Internet Explorer.
If you need help setting up Windows Azure Pack, see the instructions at
https://technet.microsoft.com/en-us/dn296439.aspx.
9.1.3 Configure Windows Azure Pack
Before you use Windows Azure Pack, you should already have it installed and configured for your
infrastructure.
1. Navigate to the Windows Azure Pack admin portal at http://<wapURL>:30091, and then log
in using your administrator credentials.
2. In the left pane, click VM Clouds.
3. Connect Windows Azure Pack to the Service Provider Foundation instance you already
configured by clicking "Register System Center Service Provider Foundation." You will need
to specify the URL for Service Provider Foundation, as well as the username and password of
the account that is allowed to call it.
4. If successful, you should be able to navigate to the VM cloud you just connected to and see
details about the clouds that exist in VMM.
9.1.4 Create a shielded VM Plan in Windows Azure Pack
When you are connected to your instance of VMM, you are ready to create a Plan in Windows Azure
Pack to offer VMs to your tenants.
1. On the lower pane of the portal, click +NEW > PLAN > CREATE PLAN.
2. In the first step of the wizard, choose a name for your Plan. This is the name your tenants
will see.
3. In the second step, select VIRTUAL MACHINE CLOUDS as one of the services to offer in the
plan.
4. Skip the step about selecting any add-ons for the plan.
5. Click OK (check mark) to create the plan. Although this creates the plan, it is not yet in a
configured state.
6. To begin configuring the Plan, click its name.
7. On the next page, under plan services, click Virtual Machine Clouds. This opens the page
where you can configure quotas for this plan.
8. Under basic, select the VMM Management Server and Virtual Machine Cloud to which you
want to connect. Choose the cloud that shows as “shielding supported” from the dropdown
menu.
9. Select the quotas you want to apply in this Plan. (For example, limits on Core, RAM usage,
and so forth.) Make sure to leave the Allow Virtual Machines To Be Shielded checkbox
selected.
10. Scroll down to the section on the page titled templates, and then select the templates to
add.
11. In the wizard that displays, look for the shielded templates you already created and added to
VMM. Make sure to include that template and any other templates you wish to make
available in the Plan.
Note: You will also want to include non-shielded Generation 2 VM templates in the Plan to validate
scenarios around converting Generation 2 VMs to shielded VMs.
12. After setting any other settings or quotas for the Plan, click Save.
13. At the top left of the screen, click on the arrow to take you back to the Plan page.
14. At the bottom of the screen change the Plan from being Private to Public so that tenants can
subscribe to the Plan.
9.2 Tenants create Shielding Data for the VM
9.2.1 Get a Windows Azure Pack subscription
1. If you do not have a subscription already, navigate to the Windows Azure Pack tenant
portal at https://<wapURL>:30081 and sign up for one. Click +NEW > My Account > Add
Subscription.
2. From the list of Plans, select the Plan that was created in the previous section, including
shielded virtual machines, and then click OK (check mark). This will start the provisioning of
your subscription.
9.2.2 Download the Volume Signature Catalog and guardian key from the tenant portal
1. On the left side of the portal, click Virtual Machines.
2. At the top, click Shielding Data.
3. On the lower part of the page, click Download Guardian to download the Guardian Key file
locally to your machine. You may be prompted to choose a subscription if you have multiple
tenant subscriptions.
4. Click Download Catalog, and then select the template for which you want to create
Shielding Data to download the VSC to your local machine.
9.2.3 Create the Shielding Data File
Follow the instructions in Section 8.3.5 to create a shielding data file using the VSC and guardian key
downloaded from the WAP portal.
If you are using the Windows 10 client operating system to browse the Windows Azure Pack portal,
you can download Remote Server Administration Tools for Windows Server 2016, which installs the
Shielding Data File Wizard so you can create the PDK file on the client computer.
OR
You can use Windows Server 2016 Technical Preview 4 and add Feature\Remote Server
Administration Tools\Shielded VM Tools in Server Manager.
9.2.4 Upload Shielding Data in the Windows Azure Pack portal
1. From the left navigation, click Virtual Machines.
2. At the top, click Shielding Data.
3. On the lower pane of the page, click Upload.
4. Click Browse, and then point to the PDK file that was created in the previous step.
5. Enter the Friendly Name and Description, and then click the check mark (OK) icon in the
lower-right corner to upload it.
9.3 Create a shielded VM in Windows Azure Pack
There are two ways to create a VM from a Shielded Template in Windows Azure Pack: Either by
using the Quick Create feature of the portal or by using the Gallery.
9.3.1 Quick Create a shielded VM in Windows Azure Pack
1. In the Tenant Portal, click +NEW > STANDALONE VIRTUAL MACHINE > QUICK CREATE.
2. Select a name for the VM. From the dropdown list under Templates, choose the Shielded
Template from the list.
3. Choose the Shielding Data you want to use to create the VM.
4. Click CREATE VM INSTANCE to begin creating your VM.
5. Once the VM is created, it can be managed just like any other Windows Azure Pack VM (the
only difference is that you cannot use Console Connect). See the Windows Azure Pack
Virtual Machine documentation for more details regarding capabilities.
9.3.2 Create a shielded VM in Windows Azure Pack from the Gallery using a shielded
template
1. In the tenant portal, click +NEW > STANDALONE VIRTUAL MACHINE > FROM GALLERY. The
gallery wizard displays.
2. From the list of available templates, select a shielded template (indicated by an icon of a
shield) > Next.
3. On the next page of the wizard, specify a name for the VM.
4. Using the dropdown menu, select the shielding data file to use to shield the VM.
5. On the next page of the wizard, choose a network to connect the VM to (optional), and then
click OK to begin creating the VM.
6. When the VM creation is completed, the VM can be managed just like any other Windows
Azure Pack VM (the only difference is that you cannot use Console Connect). See the
Windows Azure Pack Virtual Machine documentation for details about capabilities.
9.3.3 Create a shielded VM in Windows Azure Pack from the gallery using a regular
template
1. In the tenant portal, click on +NEW > STANDALONE VIRTUAL MACHINE > FROM GALLERY.
The gallery wizard displays.
2. From the list of available templates, select a template for a Generation 2 VM that is not a
shielded template (there should not be an icon with a shield next to the template), and then
click Next.
3. In the next page of the wizard, fill in the required fields for creating the VM.
4. On the lower part of the page, click the check box that asks if you want to shield the VM
after creation. This prompts you to select which shielding data to use.
5. In the next page of the wizard, choose a network to connect the VM to (optional), and then
click OK to begin creating the VM.
6. After the VM is created, it can be managed just like any other Windows Azure Pack Virtual
Machine (the only difference is that you cannot use Console Connect). See the Windows
Azure Pack Virtual Machine documentation for more details regarding capabilities.
9.4 Convert an existing Generation 2 VM to a shielded VM in Windows Azure Pack
1. Use Quick Create or Create from Gallery to create a VM using a Generation 2 VM Template
that is not shielded.
After the VM is created, you can manage it in the same way you would a regular VM.
2. Click the Configure tab for the VM. Verify that the VM state is Stopped/Powered Off.
3. On the lower part of the configuration screen, click Shield. You are prompted to select a
Shielding Data file.
You have to generate a shielding data file as discussed in Section 8.3.5, but you
have to select Create a new Shielding data file, select Shielding data for existing
VM and non-shielded templates, and then upload the Shielding Data file in your
Windows Azure Pack subscription as discussed in Section 9.2.4.
4. Click OK. After this process, the VM will be converted into a shielded VM.
At this point, the VM can support shielding, but the configuration is not yet
complete. To finish the process, you must log on to the VM, install BitLocker
components (if not already installed), and enable BitLocker on all volumes,
including the system volume.
You should also change the password for administrators and all other accounts
that are enabled with RDP access to ensure that previously stored credentials
cannot be reused to log in and access the server using RDP.
Note that checkpoints and backups taken before the conversion are not encrypted and still
contain the unshielded disk contents and any credentials that were valid at the time. Either
secure that data or delete it.
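The post-conversion steps above (BitLocker on every volume, credential rotation) as a script run inside the converted VM over RDP. This is an added example, not code from the guide. It assumes the VM now has a virtual TPM (true once it is shielded), that PowerShell 5 and the BitLocker and LocalAccounts modules are available, and that you will copy the printed recovery passwords into the tenant's own key store.

```powershell
# Added example: finish converting a Generation 2 VM into a shielded VM (Section 9.4).
# Run inside the VM as a local administrator. Assumptions are listed in the lead-in.
$ErrorActionPreference = 'Stop'

# 1. BitLocker components are not installed on a plain Server image.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    $result = Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart the VM, reconnect over RDP and run this script again.'
        return
    }
}

# 2. Encrypt every fixed volume, OS volume first. The OS key is sealed to the VM's virtual
#    TPM, whose state the guarded fabric only releases to hosts that passed attestation.
#    Data volumes get a recovery password and auto-unlock from the OS volume.
#    Full encryption (not -UsedSpaceOnly): the VM ran unshielded, so free space may still
#    hold remnants of earlier, unencrypted data.
$recoveryPasswords = @{}
$volumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
    Sort-Object { $_.VolumeType -ne 'OperatingSystem' }      # $false sorts first: OS volume
foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { continue }   # already protected or in progress
    if ($vol.VolumeType -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $mp -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    } else {
        Enable-BitLocker -MountPoint $mp -RecoveryPasswordProtector -EncryptionMethod XtsAes256 | Out-Null
        Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
    }
    $recoveryPasswords[$mp] = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

# 3. Rotate credentials. Any password set while the VM was unshielded could have been read
#    from the unencrypted disk, a checkpoint or a backup by a host administrator.
$newAdminPassword = Read-Host -AsSecureString -Prompt 'New password for the local Administrator'
Set-LocalUser -Name 'Administrator' -Password $newAdminPassword
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -ne 'Administrator' } | ForEach-Object {
    Write-Warning "Rotate the password for enabled local account '$($_.Name)' as well"
}

# 4. Recovery passwords belong in the tenant's key store, never on the VM itself.
$recoveryPasswords.GetEnumerator() | ForEach-Object { '{0} {1}' -f $_.Key, $_.Value }
Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage
```

Encryption of the data volumes continues in the background; Get-BitLockerVolume reports EncryptionPercentage until it reaches 100 and ProtectionStatus becomes On.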
Appendix A – Import a VMM 2016 VHD in your fabric
Building a VM to run Virtual Machine Manager
1. Copy the VMM Image you have downloaded to the Hyper-V server that will run Virtual
Machine Manager
2. Start the Hyper-V Manager on the physical host.
3. Click New > Virtual Machine > Next.
4. Specify a name and a path for the virtual machine.
5. Select Generation 1 VM.
6. Assign 6 GB or more of memory to the VM, and then click Next.
7. Connect the VM to a network that has access to the AD for the test environment, and then
click Next.
8. Select Attach disk later, and then click Next.
9. Select Install an Operating System later > Next.
10. Click Finish.
11. Copy the VHD file to the folder of the new VM.
12. In Hyper-V Manager, right-click the new VM > Settings.
13. Click IDE Controller > Hard Drive > Add.
14. Select the path to the location under the VM folder where you copied the VHD in step 11 >
OK.
15. Select the VM > Start.
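Steps 1 through 15 above as Hyper-V PowerShell run on the physical host. This is an added example, not code from the guide; the image path C:\Downloads\VMM2016TP4.vhd, the VM folder D:\VMs and the virtual switch name LabSwitch are assumptions to replace with your own values.

```powershell
# Added example: build the Generation 1 VM that will run Virtual Machine Manager.
# Paths and switch name below are assumptions for illustration.
$vmName    = 'VMM01'
$vmRoot    = 'D:\VMs'
$sourceVhd = 'C:\Downloads\VMM2016TP4.vhd'
$switch    = 'LabSwitch'    # must reach the test domain's Active Directory

# Steps 3-10: Generation 1, 6 GB, network attached, no disk yet.
$vm = New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 6GB -Path $vmRoot `
             -NoVHD -SwitchName $switch

# Step 11: copy the downloaded image into the VM's own folder.
$vhdDir = Join-Path $vm.Path 'Virtual Hard Disks'
New-Item -ItemType Directory -Path $vhdDir -Force | Out-Null
$targetVhd = Join-Path $vhdDir (Split-Path $sourceVhd -Leaf)
Copy-Item -Path $sourceVhd -Destination $targetVhd

# Steps 12-14: attach it to IDE controller 0, location 0 (the Generation 1 boot position).
Add-VMHardDiskDrive -VMName $vmName -ControllerType IDE -ControllerNumber 0 `
                    -ControllerLocation 0 -Path $targetVhd

# Step 15
Start-VM -Name $vmName
Get-VM -Name $vmName | Select-Object Name, State, Generation, MemoryStartup
```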
Configure the Virtual Machine Manager image
1. Provide an administrator password for the VMM server.
2. Join the VMM server to the test domain.
3. Restart the VMM server.
4. Log in as a domain administrator.
5. Add the VMM service account to local administrators.
Configure SQL Server for Virtual Machine Manager
1. From the shortcut on the desktop, start SQL Configuration.
2. Click Eval > Next.
3. Read and accept the license if you agree with it.
4. Click Check for updates > Next.
5. Click Next for image rules.
6. Select Default Instance > Next.
7. Click Next for Features > Next for Instance configuration > Configure Instance.
8. Close the SQL Server configuration.
Configure Virtual Machine Manager
1. Click the Configure VMM shortcut on the desktop.
2. Specify the name and organization.
3. Read the terms of the license. If you agree to them, click Next.
4. Choose the customer experience option > Next.
5. Select an update option > Next.
6. From the dropdown Instance menu, click MSSQLSERVER > Next.
7. Specify a domain account for the VMM service.
Note: This account has to be member of Local Administrators.
8. Select default path for VMM library, or enter another path if desired > Next > Install.
9. When the installation completes, click Close.
Add a Hyper-V host to Virtual Machine Manager
1. From the Start menu, start the VMM console.
2. In the left pane, click Fabric, and then in the left menu, click Servers.
3. Click Add Resources, and then select Hyper-V Host or Cluster.
4. Depending on where your Hyper-V host is located, select Windows Server in a domain or
non-domain.
5. Select Manually enter credentials, enter the username and password for a user who has
administrator access to the Hyper-V host > Next.
6. Select Specify Windows Server Computer Names.
7. Enter the name of the Hyper-V host that was installed with Windows Server 2016 Technical
Preview > Next.
8. Under Discovered computers, select the server > Next.
9. Read the warning > OK.
10. On the Host group page, click Next > Finish.
11. Close the job window, and then in the Servers view, verify that the host is running as
healthy.
Appendix B – Enable HTTPS communication on the HGS server
1. Create and export the HGS HTTPS certificate
# $HgsServiceName and $certificatePassword are the values you set when initializing HGS earlier in this guide
$HttpsCertificate = New-SelfSignedCertificate -DnsName "$HgsServiceName.$env:userdnsdomain" -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $HttpsCertificate -Password $certificatePassword -FilePath 'c:\HttpsCertificate.pfx'
Initialize HGS server with HTTPS Certificate
To enable HTTPS communication on the HGS server, you need to pass in the HTTPS certificate when
initializing the HGS server. Modify the following example as appropriate, and then run it in place of
the cmdlet in Section 6.4.
Initialize-HgsServer -HgsServiceName $HgsServiceName -EncryptionCertificateThumbprint $encryptionCert.Thumbprint -SigningCertificateThumbprint $signingCert.Thumbprint -CommunicationsCertificateThumbprint $signingCert.Thumbprint -TrustActiveDirectory -Http -Https -HttpsCertificatePath 'C:\HttpsCertificate.pfx' -HttpsCertificatePassword $certificatePassword -Force
Note: If you are setting up multiple HGS servers in a High Availability
configuration, be sure to import the same HTTPS certificate on each machine. The
HTTPS parameters of the cmdlet above (-Https, -HttpsCertificatePath and
-HttpsCertificatePassword) must be included every time you initialize an HGS
server in your environment.
Configure VMM with HTTPS HGS endpoints
In order to take advantage of the TLS encryption, you must specify the secure endpoints when
configuring the HGS settings in VMM. For example, instead of the addresses shown in Section 8.1.1,
provide the following addresses:
1. https://Relecloud.com/Attestation for the Attestation URL
2. https://Relecloud.com/KeyProtection for the KPS URL
Ensure guarded hosts trust the HTTPS certificate
If you chose to use a self-signed certificate for your HTTPS certificate, you will need to import the
certificate into the Trusted Root Certification Authorities store on every guarded host. Import only
the public portion (.cer) of the HTTPS certificate generated in Section 6.3; the .pfx containing the
private key stays on the HGS servers. To do this, run the following cmdlet on each host machine:
Import-Certificate -FilePath "C:\temp\HttpsCertificate.cer" -CertStoreLocation Cert:\LocalMachine\Root
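The export, import and a verification that the HTTPS endpoints really are trusted from a host, as an added example that is not part of the guide. It assumes the HTTPS certificate was created as in step 1 of this appendix (subject CN=$HgsServiceName.<domain>, in Cert:\LocalMachine\My on the HGS server), and uses the guide's Relecloud.com endpoint addresses. The HGS cmdlets themselves will fail on an untrusted certificate; the check below tells you why before you configure VMM.

```powershell
# Added example: distribute the public HTTPS certificate and verify trust from a guarded host.
# Assumptions (see lead-in): certificate subject, file paths and endpoint URLs.

# --- On the HGS server: export only the PUBLIC part (.cer). Never copy the .pfx to hosts. ---
$hgsFqdn = "$HgsServiceName.$env:userdnsdomain"
$HttpsCertificate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hgsFqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Export-Certificate -Cert $HttpsCertificate -FilePath 'C:\temp\HttpsCertificate.cer' -Type CERT | Out-Null

# --- On each guarded host: import into Trusted Root, then check every HGS endpoint. ---
Import-Certificate -FilePath 'C:\temp\HttpsCertificate.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$expected = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\HttpsCertificate.cer').Thumbprint

function Test-HgsHttpsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # Deliberately no certificate-validation callback: a trust failure must surface, not be bypassed.
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $httpOk = $true
    try {
        $response = $request.GetResponse()
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -ne [System.Net.WebExceptionStatus]::ProtocolError) {
            # TrustFailure, NameResolutionFailure, ConnectFailure ...: no usable TLS session
            return [pscustomobject]@{ Url = $Url; TlsTrusted = $false; Pinned = $false; Error = $_.Exception.Status.ToString() }
        }
        $httpOk = $false   # handshake succeeded; the path itself returned an HTTP error
    }
    # After a completed handshake the service point carries the certificate the server presented.
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $request.ServicePoint.Certificate
    [pscustomobject]@{
        Url        = $Url
        TlsTrusted = $true
        HttpOk     = $httpOk
        Thumbprint = $serverCert.Thumbprint
        Pinned     = ($serverCert.Thumbprint -eq $ExpectedThumbprint.ToUpperInvariant())
    }
}

$urls = 'https://Relecloud.com/Attestation',
        'https://Relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml'
$results = $urls | ForEach-Object { Test-HgsHttpsEndpoint -Url $_ -ExpectedThumbprint $expected }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.TlsTrusted -or -not $_.Pinned }) {
    Write-Warning 'At least one HGS endpoint is untrusted or presents an unexpected certificate; fix this before pointing VMM at the HTTPS URLs.'
}
```

Pinned is false when a host reaches a server with a valid but different certificate, which is exactly the case of an HA node initialized with its own HTTPS certificate instead of the shared one.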
10 Sample unattend.xml file
The following is a sample unattend.xml file that you can use when creating your Shielding Data File.
This file assumes that you are including a certificate named RDPCert.pfx in your Shielding Data File
that will be used to secure your RDP communications. You must update the RDP certificate
password (the certutil -p value) and thumbprint (the SSLCertificateSHA1Hash value) with the
appropriate values for your certificate. You may also want to change the administrator password,
uncomment the section to join the VM to a domain, or add your own specialization steps to the
script. Note that the sample sets UserAuthentication to 0, which means Network Level Authentication
is not required for RDP; set it to 1 if your clients support NLA and you want it enforced. For general
unattend.xml information, see Section 8.3.2.
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing></servicing>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>@ComputerName@</ComputerName>
<!-- If you are installing an evaluation edition of Windows that
does not require a product key, remove the following <ProductKey> node -->
<ProductKey>@ProductKey@</ProductKey>
</component>
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Order>1</Order>
<!-- Update with your certificate password -->
<Path>certutil -p "!!123abc" -importpfx %SYSTEMDRIVE%\temp\RDPCert.pfx</Path>
<WillReboot>OnRequest</WillReboot>
<Description>Import certificate</Description>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Description>If there is one, copy original setupcomplete.cmd to a unique file</Description>
<Order>2</Order>
<Path>cmd /C if exist "%WINDIR%\Setup\Scripts\SetupComplete.cmd" (copy "%WINDIR%\Setup\Scripts\SetupComplete.cmd" "%WINDIR%\Setup\Scripts\SC3746EE82-EA9D-423E-B99F-510F9D7FF4F5.cmd" /y)</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Order>3</Order>
<Description>mkdir Scripts since Windows looks for SetupComplete.cmd in that dir. If the dir exists, it should be fine.</Description>
<Path>cmd.exe /C mkdir %WINDIR%\Setup\Scripts</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Order>4</Order>
<Description>Put certificate configuration command in SetupComplete.cmd</Description>
<Path>cmd /C echo wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="f5d17b3d2fe391480e7532764026d6129884862b" >> %WINDIR%\Setup\Scripts\SetupComplete.cmd</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Order>5</Order>
<Description>Put shutdown VM in SetupComplete.cmd</Description>
<Path>cmd /C echo shutdown /s /f >> %WINDIR%\Setup\Scripts\SetupComplete.cmd</Path>
<WillReboot>OnRequest</WillReboot>
</RunSynchronousCommand>
</RunSynchronous>
</component>
<!-- For VM to Domain Join use this section. Please ensure VM can reach domain controller
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Identification>
<Credentials>
<Domain>contoso.com</Domain>
<Username>Administrator</Username>
<Password>ContosoAdminPassword1!</Password>
</Credentials>
<JoinDomain>contoso.com</JoinDomain>
</Identification>
</component>
-->
<component name="Microsoft-Windows-TerminalServices-LocalSessionManager"
processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral"
versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<fDenyTSConnections>false</fDenyTSConnections>
</component>
<component name="Networking-MPSSVC-Svc" processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<FirewallGroups>
<!-- Allow RDP connections through the firewall -->
<FirewallGroup wcm:action="add" wcm:keyValue="RDGroup">
<Active>true</Active>
<Group>@FirewallAPI.dll,-28752</Group>
<Profile>all</Profile>
</FirewallGroup>
</FirewallGroups>
</component>
<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions"
processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral"
versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- 0 = do not require Network Level Authentication for RDP connections -->
<UserAuthentication>0</UserAuthentication>
</component>
</settings>
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<HideEULAPage>true</HideEULAPage>
<SkipUserOOBE>true</SkipUserOOBE>
</OOBE>
<UserAccounts>
<AdministratorPassword>
<Value>ExampleAdminPassword1!</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
<TimeZone>@TimeZone@</TimeZone>
</component>
<component name="Microsoft-Windows-International-Core"
processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral"
versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserLocale>en-US</UserLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguage>en-US</UILanguage>
<InputLocale>0409:00000409</InputLocale>
</component>
</settings>
</unattend>
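The RunSynchronous stage above fails quietly when it is copied from this guide with a wrong thumbprint, a duplicated Order value, or a command that a PDF line-wrap has split in two. The following pre-flight check is an added example, not part of the guide or of Windows Setup; it parses a constructed, trimmed-down unattend.xml that mirrors the guide's layout and reports those mistakes, and also points out that UserAuthentication=0 leaves Network Level Authentication off. The certificate bytes and sample XML are constructed stand-ins; the thumbprint is computed as SHA-1 over the DER encoding, which is how Windows derives it.

```python
"""Pre-flight checks for a shielded-VM template unattend.xml (added example).

Parses a constructed, simplified unattend file and flags the mistakes that
silently break the RunSynchronous stage shown in the guide.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

U = "urn:schemas-microsoft-com:unattend"       # default namespace of unattend.xml
NS = {"u": U}
HASH_RE = re.compile(r'SSLCertificateSHA1Hash="([^"]*)"')
HEX40 = re.compile(r"[0-9A-Fa-f]{40}")


def thumbprint(der_cert: bytes) -> str:
    """Certificate thumbprint = SHA-1 over the DER encoding, as lower-case hex."""
    return hashlib.sha1(der_cert).hexdigest()


def check_unattend(xml_text: str, expected_thumbprint: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    for sync in root.iter(f"{{{U}}}RunSynchronous"):
        seen = set()
        for cmd in sync.findall("u:RunSynchronousCommand", NS):
            order = (cmd.findtext("u:Order", default="", namespaces=NS) or "").strip()
            path = (cmd.findtext("u:Path", default="", namespaces=NS) or "").strip()
            # Order values must be distinct positive integers within one RunSynchronous.
            if not order.isdigit() or order in seen:
                findings.append(f"bad or duplicate Order {order!r}")
            seen.add(order)
            # A command wrapped onto two lines (as PDF copy/paste does) is not what cmd runs.
            if "\n" in path:
                findings.append(f"Path for Order {order} spans several lines")
            # The hash handed to wmic must be the thumbprint of the PFX imported earlier.
            for found in HASH_RE.findall(path):
                if not HEX40.fullmatch(found):
                    findings.append(f"malformed SSLCertificateSHA1Hash {found!r} in Order {order}")
                elif found.lower() != expected_thumbprint.lower():
                    findings.append(f"SSLCertificateSHA1Hash in Order {order} does not match the imported certificate")
    # Informational: UserAuthentication 0 means NLA is not required for RDP.
    for ua in root.iter(f"{{{U}}}UserAuthentication"):
        if (ua.text or "").strip() == "0":
            findings.append("RDP UserAuthentication=0: Network Level Authentication not required")
    return findings


# Constructed stand-in for a DER-encoded certificate (not a real certificate).
CONSTRUCTED_DER = bytes(range(256)) * 2
GOOD_HASH = thumbprint(CONSTRUCTED_DER)


def sample_unattend(hash_value: str, second_order: str = "2") -> str:
    """Constructed, trimmed-down unattend.xml following the guide's RunSynchronous layout."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{U}">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Deployment">
      <RunSynchronous>
        <RunSynchronousCommand>
          <Order>1</Order>
          <Path>cmd.exe /C mkdir %WINDIR%\\Setup\\Scripts</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand>
          <Order>{second_order}</Order>
          <Path>cmd /C echo wmic /namespace:\\\\root\\cimv2\\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="{hash_value}" >> %WINDIR%\\Setup\\Scripts\\SetupComplete.cmd</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions">
      <UserAuthentication>0</UserAuthentication>
    </component>
  </settings>
</unattend>
"""


if __name__ == "__main__":
    # Run against a sample with a truncated thumbprint to see the findings.
    for finding in check_unattend(sample_unattend("f5d17b3d"), GOOD_HASH):
        print(finding)
```

To check a real file, read it into `xml_text` and pass the thumbprint of the certificate that the certutil step imports (the one shown by `certutil -dump` on the PFX, or the SHA-1 of the exported DER certificate); the script deliberately treats the NLA setting as a finding so that the trade-off is recorded even when the template is built exactly as the guide describes.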