Technical Preview 4 Step-by-Step Guide: Deploy Shielded VMs Using TPM-trusted Attestation

Microsoft Corporation
Published: 19 November 2015
Updated: 12 January 2016

Feedback and Support: Please email us at ShieldedVMFeedback@microsoft.com if you are evaluating shielded VMs; we would like to work with you to gather feedback.

Note: This content is pre-release documentation and is subject to change in future releases.

Abstract

Windows Server 2016 introduces the concept of Guarded Fabrics, which enable hosting service providers and private cloud operators to offer their tenants a hosting environment that protects tenant virtual machines and their data from compromised storage, network attacks, rogue host administrators, and malware running on the host. Shielded VMs running on a Guarded Fabric allow tenants to safely virtualize security-sensitive workloads such as Active Directory Domain Controllers without exposing those workloads to the hosting infrastructure. This deployment guide covers the end-to-end installation and configuration of a Guarded Fabric for both hosters and tenant administrators using TPM-trusted (hardware) attestation with Windows Server 2016 Technical Preview 4 and System Center Virtual Machine Manager 2016 Technical Preview 4.

Copyright Information

©2016 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal, reference purposes.

Table of publishing updates

Version  Date        Type of publishing
V1       11/18/2015  First publication – Windows Server 2016 Technical Preview 4 (Build #10586)
V2       12/02/2015  Update – Corrected key protector cmdlet in Section 7: Scenario #1: Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host; minor edits
V3       12/21/2015  Update – Fixed step in 6.3.1 to include missing -Name parameter; added details to Section 5: Known Issues and Limitations and Section 8.2.1 regarding Windows Server 2012 and Windows Server 2012 R2 template disk support
V4       1/12/2016   Minor edits; updated VMM substitution strings in Section 8.3.2 and Section 10

Technical Preview 4 Guide Microsoft Windows Server © 2015 Microsoft Corporation. All rights reserved.

Contents

Table of publishing updates
1 Summary
2 Solution goals
3 Scenario Validation - Overview
4 Pre-requisites for shielded VM scenario validation
4.1 For the Host Guardian Service (HGS) infrastructure
4.2 For hosting provider/enterprise fabric infrastructure
4.3 For tenants
4.4 Named resources in this guide
4.4.1 Domains
4.4.2 Computers
5 Known Issues and Limitations in Technical Preview 4
6 Setting up the hosting environment
6.1 Configure the first HGS node
6.1.1 Add the HGS Role
6.1.2 Install the Host Guardian Service
6.1.3 Create self-signed certificates for HGS
6.1.4 Initialize the HGS server for TPM-trusted attestation
6.2 Configure the fabric DNS
6.3 Configure HGS attestation policies
6.3.1 Registering Guarded Hosts in TPM-trusted attestation mode
6.4 Verify HGS is configured properly
6.5 Configure secondary HGS nodes
6.6 Confirm hosts can attest successfully
6.7 Configure optional components
7 Scenario #1 – Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host
7.1 Import the guardian configuration on the tenant Hyper-V server
7.2 Create a new VM on tenant Hyper-V
8 Scenario #2 – Create a new shielded VM from a VM template using SC VMM
8.1 Configure Host Guardian Service Settings in Virtual Machine Manager
8.1.1 Configure the Host Guardian Service settings
8.1.2 Configure a specific guarded host's settings
8.2 Hosting Service Provider Creates a Signed Disk Template
8.2.1 Create Generation 2 Disk Template
8.2.2 Run Windows Update on the template operating system
8.2.3 Signing a Template Disk
8.2.4 Copy and publish the disk template to the VMM Library
8.2.5 Create the shielded VM template in VMM using the signed disk
8.3 Tenant creates shielding data to define a shielded VM
8.3.1 Create an RDP certificate
8.3.2 Create an Unattend File
8.3.3 Get the volume signature catalog file
8.3.4 Get the Host Guardian Service metadata and import it using cmdlets
8.3.5 Create a shielding data file for shielded templates
8.4 Create a shielded VM using VMM
9 Scenario #3 – Deploy a shielded VM using Windows Azure Pack (new in Windows Server 2016 Technical Preview 4)
9.1 Configure Service Provider Foundation and Windows Azure Pack to expose shielded VM plans to tenants
9.1.1 Configure the Service Provider Foundation
9.1.2 Install Windows Azure Pack
9.1.3 Configure Windows Azure Pack
9.1.4 Create a shielded VM Plan in Windows Azure Pack
9.2 Tenants create Shielding Data for the VM
9.2.1 Get a Windows Azure Pack subscription
9.2.2 Download the Volume Signature Catalog and guardian key from the tenant portal
9.2.3 Create the Shielding Data File
9.2.4 Upload Shielding Data in the Windows Azure Pack portal
9.3 Create a shielded VM in Windows Azure Pack
9.3.1 Quick Create a shielded VM in Windows Azure Pack
9.3.2 Create a shielded VM in Windows Azure Pack from the Gallery using a shielded template
9.3.3 Create a shielded VM in Windows Azure Pack from the gallery using a regular template
9.4 Convert an existing Generation 2 VM to a shielded VM in Windows Azure Pack
Appendix A – Import a VMM 2016 VHD in your fabric
Building a VM to run Virtual Machine Manager
Configure the Virtual Machine Manager image
Configure SQL Server for Virtual Machine Manager
Configure Virtual Machine Manager
Add a Hyper-V host to Virtual Machine Manager
Appendix B – Enable HTTPS communication on the HGS server
Initialize HGS server with HTTPS Certificate
Configure VMM with HTTPS HGS endpoints
Ensure guarded hosts trust the HTTPS certificate
10 Sample unattend.xml file

1 Summary

This document provides installation and configuration guidance for using Windows Server 2016 Technical Preview 4 (build #10586) and System Center VMM 2016 for Guarded Fabric hosts and shielded VMs, to enhance the security of physical hosts and guest VMs. This guide focuses specifically on deployment scenarios that use TPM-trusted (hardware) attestation. For the shielded VM deployment scenario that uses admin-trusted attestation, see the deployment guide titled Windows Server 2016 Technical Preview 4 Step-by-Step Guide: Deploy Shielded VMs Using Administrator-trusted Attestation.

The goal of the Guarded Fabric solution is to give hosting service providers and private cloud operators the ability to offer their tenant administrators a hosted environment in which tenant virtual machine data is protected against threats from compromised storage, networks, host administrators, and malware. The focus of this preliminary release of Guarded Fabric, and of this deployment guide, is to test a deployment of Guarded Fabric that can run shielded virtual machines (shielded VMs), which are encrypted. Guarded Fabric is intended to be used as part of your overall server security strategy. The primary users of this guide are hosting service providers or enterprise datacenter administrators.
Using the information from this guide in your own infrastructure, you will deploy guarded hosts in a test fabric and run shielded VMs on these hosts using TPM-trusted (hardware) attestation.

2 Solution goals

As a cloud service provider or enterprise private cloud administrator, you can provide a secure "TPM-trusted" (or alternatively, an "admin-trusted") environment for tenant VMs where:

1. You are assured that you can provide a hardware-trusted environment for tenant VMs in which the VM data is protected from malicious host administrators and malware.
2. You are assured that Windows Server has built-in breach-hardening capabilities, spanning secure and measured boot, code integrity, and protection of high-value operating system secrets and operations from malicious code on the Hyper-V host.

From the scenario validation point of view:

1. You can build an infrastructure for guarded hosts and "shielded VMs."
2. Tenants can create new VMs or use existing VMs and convert them to shielded VMs.
3. Hosters can build a cloud service and offer shielded VM functionality using the Windows Azure Pack portal.
4. Tenants can use Windows Azure Pack to create and manage shielded VMs.
5. Tenants can export VMs and grant permission to either a cloud service provider or an enterprise cloud operator to be the guardian, and are assured of security and data-at-rest encryption.
6. Tenants can create new VMs from a VMM template and be assured that the base images used for template creation are trusted and have not been tampered with.
7. During VM creation from a VMM template, tenants can provide input for computer names and administrator passwords in a secure manner, without exposing sensitive information to fabric administrators.
8. Cloud service providers and enterprise administrators can use Live Migration of virtual machines (including VSM-enabled VMs) between guarded hosts in the same way as they did before deploying the Guarded Fabric solution.
9. Cloud service providers and enterprise administrators can back up, checkpoint, and restore shielded VMs by the usual methods.

3 Scenario Validation - Overview

To help you understand the test environment that we're going to build out here, let's look at the scenario behind the lab deployment. The cloud service provider or enterprise private cloud operator is represented by Fabrikam, Inc. They have the following infrastructure:

1. Fabrikam.com has a domain controller, DHCP server, DNS server, Hyper-V hosts, VMM 2016, and other supporting infrastructure services.
2. Relecloud.com is the Active Directory domain for the Host Guardian Service (HGS) infrastructure. HGS uses its own dedicated Active Directory forest, and access to this isolated environment is very restrictive and granted to only a very few trusted administrators. It is important to note that the Fabrikam.com administrators (in the fabric infrastructure) do not have any access to the HGS infrastructure. This creates a trust boundary between the fabric infrastructure and the HGS environment.
The logical representation of the deployment topology for Technical Preview 4 (build #10586) is as follows:

[Figure: deployment topology for Technical Preview 4]
• Host Guardian Service (relecloud.com): 3-node HGS cluster providing the Key Protection Service and the Attestation Service, reached by the fabric over a REST API.
• Hoster (fabrikam.com): Active Directory, Virtual Machine Manager 2016, and WS 2016 Hyper-V hosts running shielded and regular VMs.
• Tenant: self-service management via Windows Azure Pack or the VMM console; a WS 2016 Hyper-V host if preparing VMs on the tenant's own fabric first.

If you are planning for tenants to use VMM (see Scenario #2) and/or Windows Azure Pack (see Scenario #3) to create and manage shielded VMs, you are not required to provide a physical server for the tenant's use; it can be a VM that is running Windows 10 client or Windows Server 2016 Technical Preview 4.

In the context of this document, tenants are defined as the owners of the VM. Tenants could be third-party customers who want to host VMs with a cloud service provider, or enterprise users who want to leverage shielded VMs for their enterprise workloads (first-party workloads). Tenants will interact with hosting service providers or private cloud operators in the following ways:

1. Tenants will create new VMs or use existing VMs (Generation 2) and enable the shielded VM feature on-premises (in the case of a hoster/tenant model) or on a secure trusted host (in the case of the enterprise private cloud model). The owner of the VMs (the tenant) grants permission to run the VM in a designated fabric ("guardian") infrastructure. Tenants export the VM and provide it to the hoster/fabric administrator, who can then run this VM only on designated trusted hosts in their environment. Exported VMs are encrypted and offer data-at-rest encryption, and only designated guardian hosts have the ability to decrypt and start the VM.
2. Tenants can create a new VM (Generation 2) directly in the hoster/private cloud environment from "gold images" provided and signed by the hoster/private cloud operators. This guarantees tenants that the VHDX file comes from a trusted source and was not modified by rogue users or malware in the process. Tenants provide information such as the computer name, administrator passwords, product key, etc., in an encrypted package at the time of VM creation. Tenants are assured that this sensitive information and the VM are safe and "shielded" from fabric administrators at all times.
3. Hosters/service providers can enable shielded VM capabilities in their cloud and make them available to their tenants through the Windows Azure Pack portal. Tenants can use the web portal to create and manage shielded VMs in the following manner:
   a. Tenants can create new shielded VMs from a shielded template.
   b. Tenants can create a new VM from a standard VM template and shield the VM immediately after provisioning it.
   c. Tenants can convert any existing Generation 2 VM to a shielded VM using the Windows Azure Pack portal.

The following table summarizes important terminology used throughout the rest of this document.

Guarded Fabric: A public or private cloud that has the ability to manage and run shielded VMs.
hosting service provider: A service provider that offers shared or dedicated space on servers for websites, in data centers, etc.
tenant administrator: A user role that allows the user to create and manage self-service users and VM networks, specify which tasks the self-service users can perform on their virtual machines and services, and place quotas on computing resources and virtual machines.
shielded virtual machine (shielded VM): An encrypted virtual machine that can only run on guarded hosts.
guarded host: A host in the fabric on which shielded VMs can run. Guarded hosts must be identified prior to being trusted, and must be configured appropriately in order to pass attestation.
Host Guardian Service: A Windows Server Technical Preview role that you install on a secured physical computer to implement the hardened fabric. The Host Guardian Service (HGS) provides attestation and key distribution services so that guarded hosts can run shielded VMs. The trusted administrator manages the Host Guardian Service.
Host Guardian Service remote attestation: Also referred to as attestation. The process of the Host Guardian Service verifying that a host is part of the fabric (a guarded host) and the state of its configuration.
Host Guardian Service key distribution: The operation of delivering a key to a guarded host so that it can unlock and run shielded VMs.
trusted administrator: An administrator in the public or private cloud that has the authority to manage the policies and cryptographic material for determining on which hosts a shielded VM can run.
fabric administrator: A public or private cloud administrator that can manage virtual machines. A fabric administrator does not have access to shielded VMs, or to the policies that determine on which hosts a shielded VM can run.
fabric controller: The management role within the fabric that provides fabric administration tools and utilities to manage and run virtual machines (both shielded and normal). An example of a fabric controller is System Center Virtual Machine Manager.
virtual TPM: In Windows Server Technical Preview Hyper-V, you can enable a virtual TPM 2.0 device for guest VMs. This gives you the ability to encrypt the VM.
virtual secure mode: A Hyper-V based processing and storage environment on Windows Server Technical Preview that is protected from administrators.
You can use the Virtual Secure Mode to store operating system keys that are not visible to an operating system administrator.

4 Pre-requisites for shielded VM scenario validation

The following pre-requisites are assumed in the environment.

4.1 For the Host Guardian Service (HGS) infrastructure

The Host Guardian Service runs on Windows Server Technical Preview Standard or Datacenter edition, Technical Preview 4 (build #10586). This can be either physical or virtual; however, physical is recommended. The HGS service must run in its own Active Directory domain and must be isolated from the current fabric AD infrastructure.

HGS can validate the status of the Hyper-V hosts in hardware-based attestation mode. To use this mode, you need name resolution between the fabric domain and the HGS domain. In this mode, the Hyper-V physical host that will run a shielded VM must have TPM 2.0 and UEFI 2.3.1 with secure boot enabled. You should plan for network/firewall connectivity between HGS and the fabric domain accordingly.

4.2 For hosting provider/enterprise fabric infrastructure

Required stack (you can install all components on the same server for evaluation purposes):
• Windows Azure Pack UR 7.1+
• Service Provider Foundation 2016 TP4
• VMM 2016 TP4
• Windows Server 2016 TP4

Please note: You must have the Windows Server 2016 Technical Preview 4 and System Center 2016 Technical Preview 4 stack (i.e., VMM 2016 Technical Preview 4 + Service Provider Foundation 2016 Technical Preview 4) for shielded VM support in Windows Azure Pack UR7.1+. Service Provider Foundation 2012 R2 with VMM 2016 Technical Preview 4 will not work for a shielded VM.

1. A fabric controller: VMM 2016 Technical Preview 4 build (either physical or virtual). A VMM 2016 VHD is available as a download on the TechNet Evaluation Center site. Please see Appendix A for instructions on importing this VHD into your environment.
2. Configure Virtual Machine Manager (VMM) with the following:
   a. Host group for guarded hosts
   b. Private cloud from the host group
   c. Tenant administrator user role with the tenant as a member
   d. Physical hosts running Windows Server Technical Preview 4 (build #10586)
3. Install Service Provider Foundation 2016 Technical Preview 4 on the VMM server and the latest version of Windows Azure Pack.
4. At least one physical host running Windows Server Technical Preview Datacenter or Enterprise edition Technical Preview 4 (build #10586), which becomes guarded and will host shielded VMs. Two hosts are needed to test Hyper-V live migration for shielded VMs.
   a. For TPM-trusted attestation, you need a physical host with TPM 2.0 and UEFI 2.3.1 with secure boot enabled.

4.3 For tenants

To create virtual machines for use in the Guarded Fabric, you will need the following configuration in your environment.

For Scenario #1
1. A physical server running Windows Server Technical Preview 4 (build #10586) with the following roles and features installed:
   a. Role: Hyper-V
   b. Feature: Remote Server Administration Tools\Shielded VM Tools

For Scenarios #2 & #3
You can have a physical or virtual machine running Windows 10 client or Windows Server 2016 Technical Preview 4. If you are using Windows Server 2016 Technical Preview 4, you need to add Feature\Remote Server Administration Tools\Shielded VM Tools in Server Manager. If you are using the Windows 10 client operating system, you can download the Remote Server Administration Tools for Windows Server 2016; this installs the Shielding Data File Wizard, used to create the PDK file, on the client machine.

4.4 Named resources in this guide

The following table describes all the named resources used in descriptions and commands throughout this guide. When running commands, you should replace these names with the correct ones for your own environment.

4.4.1 Domains

relecloud.com is the Host Guardian Service domain set up during HGS installation.
fabrikam.com is the fabric domain, to which the hosts and management tools are joined.

4.4.2 Computers

FQDN                  IP Address  Purpose                                        Initial Configuration
hgs01.relecloud.com   10.0.0.100  First HGS node                                 Windows Server 2016 TP4
hgs02.relecloud.com   10.0.0.101  Second HGS node                                Windows Server 2016 TP4
hgs03.relecloud.com   10.0.0.102  Third HGS node                                 Windows Server 2016 TP4
dc.fabrikam.com       10.0.0.1    Fabric Domain Controller                       Windows Server 2016 TP4; AD DC, DNS, DHCP (configured)
vmm.fabrikam.com      10.0.0.2    Virtual Machine Manager server                 Windows Server 2016 TP4; SCVMM 2016 TP4
spf.fabrikam.com      10.0.0.3    Service Provider Foundation server             Windows Server 2016 TP4; SCSPF 2016 TP4
wap.fabrikam.com      10.0.0.4    Windows Azure Pack server                      Windows Server 2016 TP4; WAP UR 8.1+
host01.fabrikam.com   10.0.0.5    Guarded host (ready for hardware attestation)  Windows Server 2016 TP4; TPM 2.0 module; UEFI 2.3.1 with Secure Boot

5 Known Issues and Limitations in Technical Preview 4

1. An in-place upgrade from any previous release to the Technical Preview 4 release of Windows Server 2016 is not supported.
2. The Host Guardian Service and Hyper-V hosts must be running Windows Server 2016 Technical Preview 4.
3. The Host Guardian Service role on Server Core is not supported in Technical Preview 4.
4. You cannot convert the HGS attestation mode from TPM-trusted to admin-trusted or vice versa. You must uninstall the HGS server (on all nodes in the case where HGS is clustered for high availability), and then install it with the correct attestation mode.
5. You cannot change the HGS cluster name ("HgsCluster50E07") for the Host Guardian Service cluster.
6. Hosts in a Guarded Fabric using TPM-trusted attestation will fail attestation if they are configured to boot from the network (PXE boot). PXE boot should be disabled on these hosts for Technical Preview 4.
7. To use Windows Server 2012 or Windows Server 2012 R2 as the guest OS in your template disks for the VMM and WAP scenarios, you must first install update KB3116908 before running the Template Disk Creation wizard to create your template disk. (You do not need this update if you are using Windows Server 2016 Technical Preview 4 as the guest OS in your template disks for these scenarios.)
8. In rare cases, when a non-administrator deploys a shielded VM to a cloud in VMM or WAP where that cloud consists of both guarded and unguarded hosts, the shielded VM may be placed on an unguarded host and be unable to start. To resolve this, migrate the VM to a guarded host, and then start the VM.

6 Setting up the hosting environment

In order to offer shielded VMs to your tenants, you first need to set up a Guarded Fabric. A Guarded Fabric consists of "Guarded Hosts" (Hyper-V hosts that can run shielded VMs) and a cluster of Host Guardian Service nodes that authorize these hosts to start up shielded VMs. To accomplish this, this guide will show you how to set up the HGS nodes, configure the fabric DNS and domain (if necessary), and set up the Hyper-V hosts to become Guarded Hosts. At the end of this section, you will be ready to run shielded VMs in your datacenter.

In order to complete this section, you will need the following resources:
• 1–3 physical servers for the Host Guardian Service cluster, running Windows Server 2016 Technical Preview 4. Note: We recommend three or more nodes in this cluster, but one node is sufficient for a proof of concept.
• At least one Hyper-V host running Windows Server 2016 Technical Preview 4 that will become a Guarded Host
• Fabric domain credentials to configure DNS

This guide assumes you are setting up your HGS environment using TPM-trusted (hardware) attestation. TPM-trusted attestation requires modern security chips on each Guarded Host (see Section 4 for specific requirements), but offers the highest security assurances to your tenants. Your Guarded Fabric cannot contain a mix of hardware- and admin-trusted attestation, so it is important to decide which mode is best for your environment before setting up HGS. To review the requirements for admin-trusted attestation, see the admin-trusted version of the deployment guide: Windows Server 2016 Technical Preview 4 Step-by-Step Guide: Deploy Shielded VMs Using Administrator-trusted Attestation. It is possible to migrate from one mode to another; however, such a migration will require all guarded hosts to be compatible with the new attestation mode. For more information about changing the attestation mode of your HGS environment, see the Windows Server 2016 Technical Preview 4 Shielded VMs and Guarded Fabric Operations Guide.

6.1 Configure the first HGS node

The following steps will guide you through setting up your first HGS node, and should be performed on a physical server with Windows Server 2016 Technical Preview 4 installed.

6.1.1 Add the HGS Role

Add the Host Guardian Service role to the machine in Server Manager or by running the following cmdlet in an elevated PowerShell window:

    Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart

6.1.2 Install the Host Guardian Service

After the HGS role is added to the machine, the next step is to run the Install-HgsServer cmdlet, which will set up the Active Directory forest backing HGS and configure other dependencies. Please note that you cannot use an existing domain with the Host Guardian Service.
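Before running Install-HgsServer it is worth confirming that the node actually meets the conditions this guide states: it is not already domain-joined (Install-HgsServer builds its own forest), the HostGuardianServiceRole feature from Section 6.1.1 is installed, it is not a Server Core installation (known issue 3) and it is build 10586 (known issue 2). The same applies to each prospective Guarded Host and the TPM 2.0, UEFI and Secure Boot requirements of Section 4. The following PowerShell script is an added example written for this page; it is not part of the guide or of the Host Guardian Service product. The function names are its own, and it assumes the standard Win32_ComputerSystem and Win32_Tpm WMI classes, the CurrentVersion registry key, Confirm-SecureBootUEFI and the firmware_type environment variable behave as they do on Windows Server 2016-era builds.

```powershell
# Added example, not from the guide: pre-flight checks for an HGS node (run before
# Install-HgsServer) and for a Hyper-V host you intend to register as a Guarded Host.
# Function names are this example's own; each check cites the guide section it enforces.

function Get-CurrentVersionKey {
    # Assumption: standard Windows registry location for install type and build number.
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
}

function Test-HgsNodeReadiness {
    # Run on the server that is about to become the first HGS node.
    [CmdletBinding()]
    param()

    $results = [ordered]@{}
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $ver = Get-CurrentVersionKey

    # Section 6.1.2: HGS cannot use an existing domain, so the node must still be a workgroup machine.
    $results['NotDomainJoined'] = -not $cs.PartOfDomain

    # Section 6.1.1: the HostGuardianServiceRole feature must already be installed.
    $role = Get-WindowsFeature -Name HostGuardianServiceRole
    $results['HgsRoleInstalled'] = ($null -ne $role -and $role.Installed)

    # Known issue 3: the HGS role on Server Core is not supported in TP4.
    $results['NotServerCore'] = ($ver.InstallationType -ne 'Server Core')

    # Known issue 2 / Section 4.1: HGS must run TP4 (build 10586).
    $results['Build10586'] = ([int]$ver.CurrentBuildNumber -eq 10586)

    [pscustomobject]$results
}

function Test-GuardedHostReadiness {
    # Run on a Hyper-V host you intend to register for TPM-trusted attestation.
    [CmdletBinding()]
    param()

    $results = [ordered]@{}
    $ver = Get-CurrentVersionKey

    # Section 6.1.4: hosts must boot in UEFI mode, not BIOS/legacy.
    $results['UefiBoot'] = ($env:firmware_type -eq 'UEFI')

    # Section 4.2: Secure Boot must be enabled. Confirm-SecureBootUEFI throws on a
    # legacy-BIOS system, so an exception is reported as "not enabled".
    try   { $results['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['SecureBootEnabled'] = $false }

    # Section 4.2: a TPM 2.0 module is required. Win32_Tpm.SpecVersion reads like
    # "2.0, 0, 1.16"; only the leading spec version matters here.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $results['TpmPresent'] = ($null -ne $tpm)
    $results['Tpm20']      = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
    $results['TpmEnabled'] = ($null -ne $tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    # Section 4.2 item 4 / known issue 2: the host runs Hyper-V on TP4.
    $hv = Get-WindowsFeature -Name Hyper-V
    $results['HyperVInstalled'] = ($null -ne $hv -and $hv.Installed)
    $results['Build10586']      = ([int]$ver.CurrentBuildNumber -eq 10586)

    [pscustomobject]$results
}

function Get-FailedChecks {
    # Returns the names of every check that came back $false, so a script can stop early.
    param([Parameter(Mandatory)] [pscustomobject] $Report)
    ($Report.PSObject.Properties | Where-Object { -not $_.Value }).Name
}

# Usage: pick the function that matches the machine you are logged on to.
$report = Test-HgsNodeReadiness        # or: Test-GuardedHostReadiness
$report | Format-List
$failed = Get-FailedChecks -Report $report
if ($failed) { Write-Warning ('Not ready: ' + ($failed -join ', ')) }
```

Run Test-HgsNodeReadiness on the prospective HGS node and Test-GuardedHostReadiness on each Hyper-V host; any property that reports False points at the guide section named in the matching comment. The PXE-boot restriction in known issue 6 is a firmware setting that is not reliably visible from inside the operating system, so verify it in UEFI setup separately.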
In line with the named resources used in this guide, the HGS domain used in the following examples will be “relecloud.com”.
1. In an elevated PowerShell window, run the following cmdlets to install the Host Guardian Service and configure its domain.
$adminPassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
Install-HgsServer -HgsDomainName 'relecloud.com' -SafeModeAdministratorPassword $adminPassword -Restart
Note: The -SafeModeAdministratorPassword argument specifies the Directory Services Restore Mode (DSRM) password for the Host Guardian Service’s Active Directory Domain Controller.
2. When the server has restarted, log in as the domain administrator using the same password you previously used as the local administrator.
6.1.3 Create self-signed certificates for HGS
The Host Guardian Service needs to be configured with two certificates: one for encryption and one for signing. If you have an existing Public Key Infrastructure, use it to issue trusted certificates, and then skip to section 6.1.4. Otherwise, follow these steps to create self-signed certificates for your HGS servers.
Warning: Creating self-signed certificates is not recommended outside of test deployment environments. If you are deploying this solution in a production environment, you should use certificates that are issued by a trusted authority.
1. Open an elevated PowerShell window, and then run the following cmdlet to specify the password to use when exporting the self-signed certificates:
$certificatePassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
2. Create and export the signing certificate:
$signingCert = New-SelfSignedCertificate -DnsName "signing.$env:userdnsdomain" -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $signingCert -Password $certificatePassword -FilePath 'C:\signingCert.pfx'
3.
Create and export the encryption certificate:
$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.$env:userdnsdomain" -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $encryptionCert -Password $certificatePassword -FilePath 'C:\encryptionCert.pfx'
6.1.4 Initialize the HGS server for TPM-trusted attestation
The following cmdlets will finish the configuration of the first HGS node using TPM-trusted attestation. All Guarded Hosts in your fabric must have UEFI 2.3.1, boot in UEFI mode (not BIOS or “legacy” mode), and have a TPM 2.0 module.
1. Open an elevated PowerShell window and run the following cmdlets to initialize the HGS server in TPM-trusted mode with the encryption and signing certificates created previously.
$HgsServiceName = 'TpmHgs'
$certificatePassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
Initialize-HgsServer -HgsServiceName $HgsServiceName -SigningCertificatePath 'C:\signingCert.pfx' -SigningCertificatePassword $certificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' -EncryptionCertificatePassword $certificatePassword -TrustTpm -Force
Note: If you want to configure HGS to communicate with clients securely over HTTPS, see Appendix A for the additional parameters needed when running this cmdlet.
2. When Initialize-HgsServer has finished running, a warning displays with the following message: “There were issues while creating the clustered role that may prevent it from starting. For more information, view the report file below.” When you view the report file, the following warning message is displayed: “An appropriate disk was not found for configuring disk witness. The cluster is not configured with quorum witness.
As a best practice, configure a quorum witness to help achieve the high availability of the cluster.” Open Failover Cluster Manager and verify that the HgsClusterGroup role is started and running. If it is, you can ignore this warning message.
3. Continue setting up the hosting environment by configuring the fabric DNS forwarder in section 6.2.
6.2 Configure the fabric DNS
In order for Guarded Hosts to be able to resolve the HGS server names, a DNS forwarder from the fabric domain to the HGS domain must be set up. There are several ways to configure name resolution on the fabric domain. One way is to set up a conditional forwarder zone in the fabric DNS manager. To set up this zone, run the following cmdlets in an elevated PowerShell window on a fabric DNS server:
$HgsDomainName = 'relecloud.com'
$firstHgsServerIP = '10.0.0.100'
Add-DnsServerConditionalForwarderZone -Name $HgsDomainName -ReplicationScope "Forest" -MasterServers $firstHgsServerIP
We will add additional master servers later when we set up the additional HGS nodes.
6.3 Configure HGS attestation policies
With HGS set up and name resolution in place, it’s time to configure HGS to recognize the Guarded Hosts. TPM-trusted attestation requires the creation of a code integrity policy and the procurement of secure boot policies and platform identifiers.
6.3.1 Registering Guarded Hosts in TPM-trusted attestation mode
As the name implies, TPM-trusted attestation requires identifiers from each machine’s hardware in order to evaluate whether the machine is in a healthy state. Additionally, a code integrity policy needs to be authored to restrict which software can run on the hosts. We recommend that you have a “reference machine” for each unique hardware configuration in your datacenter that can be used to generate these pieces of information.
For each host
1.
Each TPM module has a unique identity that is validated when a host tries to attest with HGS. Run the following cmdlet in an elevated PowerShell window on the host to capture this and other identifying information for the system:
(Get-PlatformIdentifier -Name 'Q1CX12R05-01').InnerXml | Out-File C:\Q1CX12R05-01.xml
Note: The -Name parameter provided to Get-PlatformIdentifier should identify the physical server location, as the platform identifier information is specific to the actual hardware on which the host is running. Use the unique host name identified by your fabric inventory service (if available); otherwise, specify the host name.
2. Copy the resulting XML file to the HGS server or a network share accessible by HGS.
3. Run the following cmdlet in an elevated PowerShell window on the HGS server:
Add-HgsAttestationTpmHost -Name 'Q1CX12R05-01' -Path C:\temp\Q1CX12R05-01.xml
For each unique hardware configuration
A TPM baseline is required for each unique hardware configuration in your datacenter fabric. This baseline should be captured on a reference machine that exemplifies the standard you want other hosts to follow (built from a trusted media source, with TPM, UEFI and Secure Boot enabled, etc.).
1. Run the following cmdlet in an elevated PowerShell window on the reference host to record the TPM baseline:
Get-HgsAttestationBaselinePolicy -Path C:\OEM1.tcglog -Force
2. Copy the tcglog file to the HGS server or a network share accessible by HGS.
3. On the HGS server, run the following cmdlet to add the TPM baseline as an acceptable baseline for attestation:
Add-HgsAttestationTpmPolicy -Path C:\temp\OEM1.tcglog -Name 'OEM1Policy'
Create a code integrity policy
A code integrity (CI) policy ensures that only the executables you trust to run on a host are allowed to run.
If malware or other untrusted code tries to run on the system, the system will not allow the code to run. Here, we will create a CI policy in audit mode, which only logs an event when an untrusted executable file is run. This lets you check whether your CI policy is configured properly without risking host downtime to update a policy that is too strict. For information on best practices for CI policies, see the Windows Server 2016 Technical Preview 4 Shielded VMs and Guarded Fabric Operations Guide. Additional information about CI policies can be found at https://technet.microsoft.com/en-us/library/mt243445(v=vs.85).aspx
For simplicity, you can create one CI policy that covers all machines in your fabric by running the cmdlets below on each unique hardware/software configuration and then using the Merge-CIPolicy cmdlet to create one master policy before registering it with HGS.
1. On the reference host, generate a new code integrity policy. To create a FilePublisher policy, which validates files based on the publisher certificate for each file, run the following cmdlets:
New-CIPolicy -Level FilePublisher -Fallback FileName -FilePath 'C:\cipolicy.xml'
ConvertFrom-CIPolicy 'C:\cipolicy.xml' 'C:\cipolicy.p7b'
2. Copy the binary file (cipolicy.p7b) to the HGS server or a network share accessible to it.
3. Run the following cmdlet on the HGS server to register the CI policy with the attestation service:
Add-HgsAttestationCIPolicy -Path C:\temp\cipolicy.p7b -Name 'File Publisher CI Policy' -ConvertToHash
4. Keep this CI policy file handy. You may need to edit it in the future, and you may need it later in this guide if you choose to install System Center Virtual Machine Manager (SC VMM).
6.4 Verify HGS is configured properly
Now that HGS has been configured, it is time to check whether everything is configured correctly.
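The whole of section 6.3.1 (per-host platform identifier, per-hardware-configuration TPM baseline, CI policy) can be driven from the HGS node as one script, followed by a check of what HGS now accepts and the same metadata fetch the browser check below performs. This is an added example, not code from the guide: the host names, fabric credential and drop directory are placeholders; pulling the artifacts over PowerShell remoting instead of running each cmdlet on the host is this example's choice and assumes the HGS node can reach the fabric hosts over WinRM (they are in a different forest, so TrustedHosts or an HTTPS listener is needed); and the Get-HgsAttestationTpmHost, Get-HgsAttestationTpmPolicy and Get-HgsAttestationCIPolicy query cmdlets are not shown on this page.

```powershell
# Added example, not from the guide. Run on the first HGS node in an elevated window.
# Placeholders: host names, fabric credential, $dropDir, $hgsFqdn.
# Assumptions: WinRM from the HGS node to the fabric hosts works; the
# Get-HgsAttestation* query cmdlets are available (not shown on this page).

$guardedHosts = @('Q1CX12R05-01', 'Q1CX12R05-02')      # placeholder host names
$fabricCred   = Get-Credential 'fabric\Administrator'  # placeholder fabric account
$dropDir      = 'C:\temp'
$hgsFqdn      = 'hgs01.relecloud.com'
New-Item -ItemType Directory -Path $dropDir -Force | Out-Null

# --- For each host: capture the TPM identity and register it -------------------
foreach ($h in $guardedHosts) {
    $xml = Invoke-Command -ComputerName $h -Credential $fabricCred -ArgumentList $h -ScriptBlock {
        param($name)
        # -Name should be the inventory/location name: the identifier is bound to
        # this chassis' TPM, not to whatever the OS is currently called.
        (Get-PlatformIdentifier -Name $name).InnerXml
    }
    $xmlPath = Join-Path $dropDir "$h.xml"
    $xml | Out-File -FilePath $xmlPath
    Add-HgsAttestationTpmHost -Name $h -Path $xmlPath
}

# --- Once per hardware configuration: TPM baseline from a reference host --------
# The reference host must be built from trusted media with UEFI + Secure Boot on;
# every host of that model is then measured against this TCG log.
$reference = $guardedHosts[0]   # placeholder
[byte[]]$tcglog = Invoke-Command -ComputerName $reference -Credential $fabricCred -ScriptBlock {
    Get-HgsAttestationBaselinePolicy -Path 'C:\OEM1.tcglog' -Force | Out-Null
    [IO.File]::ReadAllBytes('C:\OEM1.tcglog')     # return the file instead of relying on SMB
}
$tcglogPath = Join-Path $dropDir 'OEM1.tcglog'
[IO.File]::WriteAllBytes($tcglogPath, $tcglog)
Add-HgsAttestationTpmPolicy -Path $tcglogPath -Name 'OEM1Policy'

# --- Code integrity policy from the same reference host -------------------------
# New-CIPolicy emits the policy with the "Enabled:Audit Mode" rule option set, so a
# mismatch only logs until that option is deliberately removed from the XML.
[byte[]]$p7b = Invoke-Command -ComputerName $reference -Credential $fabricCred -ScriptBlock {
    New-CIPolicy -Level FilePublisher -Fallback FileName -FilePath 'C:\cipolicy.xml'
    ConvertFrom-CIPolicy -XmlFilePath 'C:\cipolicy.xml' -BinaryFilePath 'C:\cipolicy.p7b' | Out-Null
    [IO.File]::ReadAllBytes('C:\cipolicy.p7b')
}
$p7bPath = Join-Path $dropDir 'cipolicy.p7b'
[IO.File]::WriteAllBytes($p7bPath, $p7b)
Add-HgsAttestationCIPolicy -Path $p7bPath -Name 'File Publisher CI Policy' -ConvertToHash

# --- What HGS will accept from now on -------------------------------------------
# A host attests only if its TPM identity, its boot measurements and its active CI
# policy each match an entry in these three lists.
"TPM hosts:    " + ((Get-HgsAttestationTpmHost).Name   -join ', ')
"TPM policies: " + ((Get-HgsAttestationTpmPolicy).Name -join ', ')
"CI policies:  " + ((Get-HgsAttestationCIPolicy).Name  -join ', ')

# --- The section 6.4 check without a browser ------------------------------------
$r = Invoke-WebRequest -UseBasicParsing -Uri "http://$hgsFqdn/KeyProtection/service/metadata/2014-07/metadata.xml"
[xml]$metadata = $r.Content        # throws if the body is an error page rather than XML
"KPS metadata: HTTP $($r.StatusCode), root element <$($metadata.DocumentElement.Name)>"
```

If any of the three lists comes back empty, stop here: a host whose identifier, baseline or CI policy is missing from HGS will fail attestation in section 6.6 no matter how it is configured locally.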
Navigate to the following URL (updated with your HGS node’s FQDN) in a web browser. You should be presented with an XML document if everything is configured correctly. If you encounter an HTTP 500 error, check that you’ve followed all the steps up to this point, or see the Windows Server 2016 Technical Preview 4 Shielded VMs and Guarded Fabric Troubleshooting Guide.
http://hgs01.relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml
6.5 Configure secondary HGS nodes
In production environments, the Host Guardian Service role should be set up in a high availability cluster to ensure that shielded VMs will be able to boot even if an HGS node goes down. For test environments, secondary HGS nodes are not required. The following steps will add a new machine running Windows Server 2016 Technical Preview 4 to the HGS cluster set up in section 6.1. The machine should not be joined to any domain prior to setting up HGS.
1. To add the Host Guardian Service role, run the following cmdlet in an elevated PowerShell window:
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
2. Install the Host Guardian Service by running the following cmdlets, modifying the values as needed:
$adminPassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
$cred = Get-Credential 'relecloud\Administrator'
$firstHgsServerIP = '10.0.0.100'
$HgsDomainName = 'relecloud.com'
$HgsServiceName = 'TpmHgs'
Install-HgsServer -HgsDomainName $HgsDomainName -HgsServerIPAddress $firstHgsServerIP -HgsDomainCredential $cred -SafeModeAdministratorPassword $adminPassword -Restart -Confirm:$false
3. Wait for the server to restart, then sign in with the HGS domain admin credentials.
4. Initialize the HGS server to finish adding the new node to the HGS cluster.
$firstHgsServerIP = '10.0.0.100'
$cred = Get-Credential 'relecloud\Administrator'
Initialize-HgsServer -HgsServerIPAddress $firstHgsServerIP -HgsDomainCredential $cred -TrustTpm -Confirm:$false -Force
5. Check the metadata URL to verify that the HGS node is functioning properly by opening a web browser and navigating to the metadata URL shown in section 6.4, changing the host name in the URL to reflect the node you’re working on.
6. Repeat these steps for each additional node in your HGS cluster.
6.6 Confirm hosts can attest successfully
After your HGS nodes are set up, it is time to configure the Hyper-V hosts to attest to the HGS servers and confirm that your attestation policies are set up correctly. Complete the following steps on at least one Guarded Hyper-V host:
1. Configure the host’s Key Protection and Attestation URLs by running the following cmdlet in an elevated PowerShell window, modifying the FQDN of the HGS server cluster as appropriate:
Set-HgsClientConfiguration -AttestationServerUrl 'http://relecloud.com/Attestation' -KeyProtectionServerUrl 'http://relecloud.com/KeyProtection' -Confirm:$false
2. Run the following cmdlet to initiate an attestation attempt on the host and view the attestation status:
Get-HgsClientConfiguration
6.7 Configure optional components
After completing sections 6.1-6.6, you are ready to begin using your Guarded Fabric. You may optionally continue to configure System Center Virtual Machine Manager 2016 to more easily manage your datacenter, and Windows Azure Pack to offer an easy-to-use web interface to your tenants.
Section 7 (Shielding and migrating an existing VM) describes the steps needed to create a shielded VM on tenant infrastructure and move it to a secured hosting environment.
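Before moving on to the optional components, it is worth running the checks from sections 6.2, 6.4 and 6.6 together from one Hyper-V host, so that a DNS or endpoint problem is not mistaken for an attestation failure. The script below is an added example, not code from the guide. It assumes the HGS FQDN shown, and it reads the AttestationStatus, AttestationSubstatus and IsHostGuarded properties of the object Get-HgsClientConfiguration returns and compares the substatus against a handful of names (NoInformation, UnauthorizedHost, TpmBaseline, CodeIntegrityPolicy, SecureBootSettings); those properties and names are not on this page and are used here as they appear in the HGS client module, so treat them as an assumption.

```powershell
# Added example, not from the guide. Run in an elevated window on a Hyper-V host.
# Assumptions: $hgsFqdn; the Get-HgsClientConfiguration property and substatus
# names (not shown on this page).

$hgsDomain = 'relecloud.com'
$hgsFqdn   = 'hgs01.relecloud.com'    # an HGS node reachable from the fabric
$hgsBase   = "http://$hgsDomain"      # same base the guide uses in 6.6

# 1. Name resolution (section 6.2): the conditional forwarder must answer for the HGS domain.
$a = Resolve-DnsName -Name $hgsFqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A' | Select-Object -First 1
"DNS ok: $hgsFqdn -> $($a.IPAddress)"

# 2. Endpoint (section 6.4): the KPS metadata document, fetched from this host.
$meta = Invoke-WebRequest -UseBasicParsing -ErrorAction Stop `
        -Uri "$hgsBase/KeyProtection/service/metadata/2014-07/metadata.xml"
[xml]$metaXml = $meta.Content         # throws if an error page came back instead of XML
"KPS metadata ok: HTTP $($meta.StatusCode), root <$($metaXml.DocumentElement.Name)>"

# 3. Point the host at HGS (section 6.6, step 1).
Set-HgsClientConfiguration -AttestationServerUrl   "$hgsBase/Attestation" `
                           -KeyProtectionServerUrl "$hgsBase/KeyProtection" -Confirm:$false | Out-Null

# 4. Attest (section 6.6, step 2). Reading the configuration triggers an attempt;
#    poll a few times because the first attempt after a reconfiguration can lag.
$cfg = $null
for ($i = 0; $i -lt 6; $i++) {
    $cfg = Get-HgsClientConfiguration
    if ($cfg.AttestationStatus -eq 'Passed') { break }
    Start-Sleep -Seconds 5
}
$cfg | Format-List AttestationServerUrl, KeyProtectionServerUrl, AttestationStatus, AttestationSubstatus, IsHostGuarded

# 5. Translate the substatus into which 6.3 registration to revisit.
switch ($cfg.AttestationSubstatus) {
    'NoInformation'       { 'Nothing to fix.' }
    'UnauthorizedHost'    { 'TPM identity unknown to HGS: rerun Get-PlatformIdentifier / Add-HgsAttestationTpmHost for this host.' }
    'TpmBaseline'         { 'Boot measurements differ from every registered baseline: compare firmware/Secure Boot settings with the reference host.' }
    'CodeIntegrityPolicy' { 'The CI policy active on this host is not one registered with Add-HgsAttestationCIPolicy.' }
    'SecureBootSettings'  { 'Secure Boot is off or misconfigured on this host.' }
    default               { "Substatus: $($cfg.AttestationSubstatus) (see the Troubleshooting Guide)" }
}
if (-not $cfg.IsHostGuarded) { Write-Warning 'Host is NOT guarded; shielded VMs will not start here.' }
```

The guide's URLs are plain http; if you initialized HGS with the HTTPS parameters from Appendix A, use https:// in $hgsBase, otherwise the Set-HgsClientConfiguration call will point the host at an endpoint that does not exist.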
Section 8 (Setting up Virtual Machine Manager) walks through the steps needed to configure VMM to work with a Guarded Fabric, including preparing shielded disk templates that allow tenants to securely deploy shielded VMs directly on your Guarded Fabric.
Section 9 (Setting up Windows Azure Pack) extends VMM’s functionality with a web interface that allows your tenants to easily deploy and manage VMs in your datacenter.
7 Scenario #1 – Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host
Use the following steps to manually create a shielded virtual machine on a tenant Hyper-V host computer and grant permission to run the VM in the Guarded Fabric environment. Perform these steps on a physical server running Windows Server 2016 Technical Preview 4 (build #10586) with the following roles and features installed:
1. Role
a. Hyper-V
2. Features
a. Host Guardian Hyper-V Support
b. Remote Server Administration Tools\Shielded VM Tools
7.1 Import the guardian configuration on the tenant Hyper-V server
1. To get the guardian key metadata, use Internet Explorer to browse to the following URL: http://relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml
2. Save the page as C:\temp\GuardianKey.xml. If you don’t have name resolution and/or connectivity between the tenant Hyper-V host and the HGS infrastructure, you can download the file on the HGS server and transfer it offline to the tenant Hyper-V host.
3. Import the guardian key. Review the following example, modify it as needed, and then run the cmdlet:
Import-HgsGuardian -Path 'C:\temp\GuardianKey.xml' -Name 'Guardian' -AllowUntrustedRoot
The -AllowUntrustedRoot parameter is only required if you used self-signed certificates when setting up the Key Protection Service.
7.2 Create a new VM on tenant Hyper-V
1.
Review, modify as needed, and then run the following cmdlet from a tenant Hyper-V host to create a new Generation 2 virtual machine:
New-VM -Generation 2 -Name "ShieldVM1" -Path C:\VMs -NewVHDPath C:\VMs\ShieldVM1\ShieldVM1.vhdx -NewVHDSizeBytes 60GB
2. Install the Windows Server 2016 Technical Preview 4 operating system on the VM, and then enable Remote Desktop and the corresponding firewall rule. Record the VM’s IP address; you will need it to remotely connect to the server.
3. Use RDP to remotely connect to the VM, and verify that RDP and the firewall are configured correctly. As part of the shielding process, console access to the virtual machine through Hyper-V will be disabled.
4. Stop the VM by running the following:
Stop-VM -Name ShieldVM1
5. Create a new Host Guardian Service key protector using the hosting service provider's guardian metadata and a tenant owner guardian. Review the following example, modify it as needed, and then run the following cmdlets:
$Guardian = Get-HgsGuardian -Name 'Guardian'
$Owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates
$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot
6. Enable the vTPM using the key protector. Review the following example, modify it as needed, and then run the following cmdlets.
$VMName = "ShieldVM1"
Stop-VM -Name $VMName -Force
Set-VMKeyProtector -VMName $VMName -KeyProtector $KP.RawData
Set-VMSecurityProfile -VMName $VMName -ShieldingRequested $true
Enable-VMTPM -VMName $VMName
7. Start the VM to verify that the key protector is working with the local owner certificates. Review the following example, modify it as needed, and then run the following cmdlet.
Start-VM -Name $VMName
8. Verify that the VM has started in the Hyper-V console.
9. Use RDP to remotely connect to the VM, and then enable BitLocker on all virtual hard disk partitions that are attached to the shielded VM.
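Step 9 can be done from the tenant Hyper-V host instead of an interactive RDP session, and the same script can refuse to return until every volume is fully encrypted, which is exactly the condition the next step depends on. This is an added example, not code from the guide. It assumes the VM address and guest credential are placeholders, that WinRM is enabled in the guest and trusted by the tenant host (TrustedHosts or an HTTPS listener), and that the BitLocker feature was installed in the guest (with a restart) during step 2; PowerShell Direct is not an option because the VM is already shielded after step 6.

```powershell
# Added example, not from the guide. Run on the tenant Hyper-V host after step 8.
# Placeholders/assumptions: $vmIp, the guest credential, WinRM reachable and
# trusted, BitLocker feature already installed in the guest.

$vmIp      = '192.0.2.10'                     # VM address recorded in step 2 (placeholder)
$guestCred = Get-Credential 'Administrator'   # local administrator inside the VM (placeholder)

Invoke-Command -ComputerName $vmIp -Credential $guestCred -ScriptBlock {
    if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
        throw 'Install the BitLocker feature in the guest and restart it before running this.'
    }

    # Poll until the volume reports FullyEncrypted; exporting earlier (step 11)
    # would copy a disk that is still partly plaintext.
    function Wait-Encrypted([string]$MountPoint) {
        do {
            Start-Sleep -Seconds 30
            $v = Get-BitLockerVolume -MountPoint $MountPoint
            '{0} {1} {2}%' -f $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage
        } while ($v.VolumeStatus -ne 'FullyEncrypted')
    }

    $volumes = Get-BitLockerVolume | Where-Object VolumeStatus -eq 'FullyDecrypted'
    $os      = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
    $data    = $volumes | Where-Object VolumeType -eq 'Data'

    # OS volume: sealed to the vTPM. The vTPM state is wrapped by the key protector
    # from step 5, so only a host that HGS attests can ever release this key.
    # XtsAes256 needs build 10586 or later, which the guest from step 2 is.
    Enable-BitLocker -MountPoint $os.MountPoint -EncryptionMethod XtsAes256 `
                     -TpmProtector -SkipHardwareTest | Out-Null
    # A recovery password is the only way back in if the vTPM state is ever lost;
    # it stays with the tenant, never with the hoster.
    $rp = Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector
    'OS volume recovery password (store offline): ' +
        ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    Wait-Encrypted $os.MountPoint

    # Data volumes: recovery password plus auto-unlock keyed from the OS volume,
    # so no extra secret has to leave the VM.
    foreach ($d in $data) {
        $rp = Enable-BitLocker -MountPoint $d.MountPoint -EncryptionMethod XtsAes256 `
                               -RecoveryPasswordProtector -SkipHardwareTest
        Enable-BitLockerAutoUnlock -MountPoint $d.MountPoint | Out-Null
        '{0} recovery password (store offline): {1}' -f $d.MountPoint,
            ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        Wait-Encrypted $d.MountPoint
    }
    'All volumes fully encrypted; safe to stop and export the VM.'
}
```

The recovery passwords are printed to the tenant host's console; record them somewhere the hosting provider cannot read and clear the console afterwards, since anyone holding them can unlock the disks without a vTPM.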
Important: Wait for BitLocker encryption to finish on all partitions where you enabled it before proceeding to the next step.
10. Stop the VM. Review the following example, modify it as needed, and then run the following cmdlet:
Stop-VM -Name ShieldVM1
11. Export the VM using the tool of your choice (PowerShell or the Hyper-V MMC) from the tenant Hyper-V server, copy the files to the guarded Hyper-V host, and import it using the following PowerShell cmdlets:
$VMConfig = Get-ChildItem -Path 'C:\vms\ShieldVM1\Virtual Machines\' -Include "*.vmcx" -Recurse
Import-VM -Path $VMConfig.FullName
12. Start the VM on the Guarded Host:
Start-VM -Name 'ShieldVM1'
Note: If you have not already configured the HGS URLs on this host using the instructions in Section 6.6, you will not be able to start the VM because the host is not guarded. Run the cmdlets from Section 6.6 to configure the host, then try starting the VM again.
When the VM successfully boots, you have verified that the Key Protector was configured correctly and that the VM is running securely on the Guarded Fabric.
8 Scenario #2 – Create a new shielded VM from a VM template using SC VMM
For this scenario, hosting service providers prepare a signed disk template for use by their tenants, and then make it available to the tenants. The tenants then connect to VMM, create a shielded VM from the shielded VM template, and provide the desired configuration (for example, VM name, RDP certificate, and any other secret data) at the time of VM creation.
1. Hosting service providers configure VMM and the Hyper-V fabric to support shielded VMs.
2. Hosting service providers use the following procedures to create a shielded VM template:
a. Download or prepare the VHD to use as a template.
b. Create a signed disk template.
c. Copy and publish the disk template to the VMM library.
d. Create the shielded VM template in VMM using the signed disk.
3. Tenant administrators use the following procedures to create shielding data for the shielded VM. These steps must be completed on a tenant computer and not on the fabric Hyper-V host.
a. Create an RDP certificate.
b. Create an Unattend file.
c. Get the Volume Signature Catalog file.
d. Get the Host Guardian Service metadata and import it using cmdlets.
e. Create a shielding data file.
4. Finally, tenants use the following procedures to create and start the virtual machine:
a. Create a shielded VM using VMM.
b. Start the shielded VM and connect to it.
8.1 Configure Host Guardian Service Settings in Virtual Machine Manager
Virtual Machine Manager Technical Preview (VMM) includes features to manage shielded VMs. Before you use VMM with the Host Guardian Service, you should already have VMM installed and configured for your infrastructure. For more information about installing and configuring VMM, see the Virtual Machine Manager guidance or download the pre-configured image that has been made available to make the configuration of the scenario easier. VMM should have the following:
1. Tenants need to have the Tenant Administrator user role so that they can use the remote VMM Administrator console.
a. Verify that the user role you create for tenant administrators has the Deploy Shielded property and Deploy permissions.
2. Clouds created for tenants, so that shielded VMs can be added to them.
a. On the General property page of a cloud, verify that for Shielded VM support, you select Supported on this private cloud.
b. Verify that the cloud’s host group contains the guarded hosts that will run shielded VMs.
Warning: In VMM 2016 Technical Preview 4, you should create a separate cloud just for your guarded hosts.
There is a known issue in VMM Technical Preview 4 that might result in shielded VMs being deployed to unguarded hosts if any exist in your cloud, which would cause the VM deployment job to fail. This issue is expected to be resolved in VMM Technical Preview 5.
In VMM, you specify global URLs for the Host Guardian Service. VMM uses the attestation server URL to communicate with the Host Guardian Service to verify that a host is guarded and is allowed to run shielded VMs. After a host is configured with Host Guardian Service settings and VMM’s Change properties of a virtual machine host job runs for the host, it is ready to host shielded VMs. You can view the status of any changes in the Jobs workspace. Use the following procedures to configure VMM for guarded hosts.
8.1.1 Configure the Host Guardian Service settings
1. In VMM, open the Settings workspace, and then select General.
2. In the Settings view, open Host Guardian Service Settings.
3. In the Host Guardian Service Settings dialog box, type the URLs for the following servers:
a. Attestation Server URL. This URL might resemble http://relecloud.com/Attestation
b. Key Protection Server URL. This URL might resemble http://relecloud.com/KeyProtection
Note: If you enabled HTTPS endpoints when initializing the HGS server in Section 6.1.4, use the https:// prefix for your URLs here. See Appendix B for more information on working with HTTPS.
8.1.2 Configure a specific guarded host’s settings
1. In VMM, open the Fabric workspace.
2. In the Fabric pane, under Servers, select All Hosts.
3. In the Hosts view, select the guarded host that you want to update, and then click Properties.
4. In the Host Properties box, click Host Guardian Service.
5. Select the Enable the Host Guardian Service and use the URLs configured as global settings in VMM check box.
6. Click OK.
7.
You can review the job status for the guarded host in the Jobs workspace.
To review the job status and host status for a guarded host:
1. After you have made changes to the Host Guardian Service settings for a host, open the Jobs workspace. Note: If you have changed the code integrity policy for a host, the host should have restarted. This job may take several minutes to complete.
2. In the Jobs pane, click History, and in the History – Recent Jobs view, select the Change properties of a virtual machine host job.
3. The status of the job is displayed:
a. If the Status is Running, wait for the job to complete.
b. If the Status is Completed, then the job ran successfully; however, you should review the host status to verify that it is ready to host and run shielded VMs.
4. Open the Fabric workspace.
5. In the Fabric pane, under Servers, select All Hosts.
6. In the Hosts view, review the Host Status and take any actions needed, as follows:
a. If the Host Status is OK, then the host is ready for shielded VMs.
b. If the Host Status is Needs Attention, select the host, and then click View Status.
i. In the Host Properties box, click Status. You should see one or more items with Warning status. Review the error details for the warning.
ii. If the warning indicates that the Key Protection Server or Attestation Server does not match the expected global Host Guardian Service setting, then you need to change the settings for that host.
iii. If the warning indicates that the code integrity policy needs to be updated, close the Host Properties box, and then click Apply Latest Code Integrity Policy. If an informational dialog appears, click OK to close it. The Host Status should change to OK after the host restarts and the Change properties of a virtual machine host job runs.
8.2 Hosting Service Provider Creates a Signed Disk Template
8.2.1 Create Generation 2 Disk Template
You can create a Generation 2 template by using any of the methods documented in the topic “How to Create a Virtual Machine Template” (https://technet.microsoft.com/en-us/library/hh427282.aspx). The guest operating system must be Generation 2-compatible (for example, Windows Server 2016 Technical Preview 4), and the disk must be partitioned using GPT.
Warning: If the guest OS on the template disk is running Windows Server 2012 or Windows Server 2012 R2, you must first install the KB3116908 update on the server running the Template Disk Wizard. This update is not required if the guest OS installed on your template disk is Windows Server 2016 Technical Preview 4.
Verify that the disk meets the following BitLocker requirements:
- It is formatted with the NTFS file system.
- It does not use a dynamic volume.
- It has at least two partitions. One partition must include the drive on which Windows is installed; this is the drive that BitLocker will encrypt. The other partition is the active partition, which remains unencrypted so that the computer can be started.
Note: Do not copy the disk template to the VMM library at this stage.
8.2.2 Run Windows Update on the template operating system
Before continuing, verify that the template operating system has all of the latest Windows updates installed. Recently released updates improve the reliability of the end-to-end shielding process – a process that may fail to complete if the template operating system is not up to date.
8.2.3 Signing a Template Disk
Hosting service providers can use the following procedure to create a signed disk template with the Protected Template Disk Creation wizard. The procedure creates a signed template disk that is encrypted with BitLocker. During this process, a hash for the disk is generated and added to a .VSC (volume signature catalog) file.
The .VSC file is signed using a certificate, and then BitLocker creates a full volume encryption key, which is placed on the disk. At this stage the key is stored in clear text.
As the wizard runs, the existing .VHDX image is modified by embedding the .VSC file in it. You may want to copy the original .VHDX image and use the copy for the new template before you run the wizard. Later, when the VM is provisioned, the key becomes protected. After the read-only signed template is created, modifying the template will render it unusable.
When creating a new VM from a template, tenants use VMM to download the volume signature catalog (VSC) for a template disk; the VSC can be used as one of the inputs for the PDK generation.
1. You will need a certificate to sign the VHD that will be used as a template for creating new VMs. You must protect the certificate that you will use to sign the template. For testing purposes, you can use the VMM server to create the signed template. You need to install “Remote Server Administration Tools\Feature Administration Tools\Shielded VM Tools” in Server Manager, either using Add Roles and Features or with PowerShell using the following cmdlet, and then restart the server:
Add-WindowsFeature -Name RSAT-Shielded-VM-Tools -Restart
2. For this scenario validation, you can create a self-signed certificate to sign the VHDX by running the following cmdlet:
New-SelfSignedCertificate -DnsName publisher.signingcertificate.com -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
3. Run C:\Windows\System32\TemplateDiskWizard.exe to start the Protected Template Disk Creation Wizard.
4. On the Certificate page, click Browse to display a list of certificates. Select the certificate with which to sign the template. This is the publisher of the template. Click OK > Next.
5.
On the Virtual Disk page, browse to the location of the virtual disk to update > Next.
6. On the Signature Catalog page, type the values for Disk name and Version. For example, for Disk name type 10586TP4. For Version, type 1.0.0.0.
7. On the Review Settings page, review the settings, and then click Generate.
a. The page shows the template file being generated. Wait until the signing process has finished.
8. On the Summary page, information about the template, the certificate used to sign the template, and the certificate issuer is shown. Click Close to exit the wizard.
8.2.4 Copy and publish the disk template to the VMM Library
Use the following procedure to copy the disk template into Virtual Machine Manager (VMM).
1. Copy the VHDX file to the VMM library share folder.
2. Refresh the library to view the shielded disk. You can optionally add the Shielded column in the VMM Administrator console using the corresponding property to view shielded disks.
8.2.5 Create the shielded VM template in VMM using the signed disk
Use the following procedure to create the shielded VM template in VMM using the signed disk.
1. In VMM, start the Create VM Template Wizard to begin creating a shielded VM template using the signed disk.
2. In the Hardware Configuration, select the .VHDX disk that you prepared previously. Notice that Secure Boot is enabled.
3. Verify that the network adapter is connected to a virtual machine network; otherwise, users won’t be able to use Remote Desktop to connect to the VM, which is the only way for a tenant to connect to their VM.
4. For operating system properties, the wizard differs from regular templates. VMM displays non-secure information only, such as product key, time zone, and computer name. Secure information such as the administrator password and domain name is specified by the tenant through a shielding data file (.PDK).
Verify that the correct product key is provided in the operating system properties for the template disk. If an incorrect product key is used, the VM creation will fail.
After the template is created, tenants can use it when they create new virtual machines. You will need to verify that the VM template is one of the resources available to the tenant administrator user role.
8.3 Tenant creates shielding data to define a shielded VM
Use the information in the following sections to prepare secret information for use with the shielded VM template, and then create the shielded VM.
Warning: The steps in this section must be completed on a tenant computer running Windows Server 2016 Technical Preview and not on the fabric Hyper-V host.
8.3.1 Create an RDP certificate
Tenants create a Remote Desktop certificate, exported as a Personal Information Exchange (.PFX) file, that is used when logging on to the shielded VM. The exported certificate is referenced from the Unattend.xml file in a subsequent procedure. For basic information about certificates, see How to Use the Certificates Console. For more comprehensive information about Remote Desktop certificates, see Configuring Remote Desktop certificates.
1. On the tenant computer, create a self-signed RDP certificate and export it to a .PFX file; it will be used during VM creation from the template. Review, modify as needed, and then run the following cmdlets:
$rdpcertificate = New-SelfSignedCertificate -DnsName ts.examplerdpcertificate.com -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
$rdpcertificatepassword = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
Export-PfxCertificate -Cert $rdpcertificate -Password $rdpcertificatepassword -FilePath 'c:\rdpcert.pfx'
2. Run the following cmdlet and record the thumbprint for the certificate.
   $rdpcertificate.Thumbprint

8.3.2 Create an Unattend File

Tenants create an Unattend.XML file to define the secret information to include in the shielded VM. This information will later be used by the Shielding Data File Wizard to create a .PDK (shielding data file). Tenants can include a set of values and substitution strings in the Unattend file, which allows the hosting service to specify replaceable elements. If no substitution strings are used, then the explicit values included in the Unattend file are used.

When creating an unattend file for shielded VMs, keep in mind the following restrictions:

1. The unattend file must result in the VM being turned off after it has been configured. VMM will only know that the VM specialization process has completed when it sees that the VM has turned off.
2. It is strongly recommended that you configure an RDP certificate to ensure you are connecting to the right VM and not to another machine set up for a man-in-the-middle attack.
3. Be sure to enable RDP and the corresponding firewall rule so you can access the VM after it has been configured. You cannot use the VM console to access shielded VMs, so you will need RDP to connect to your VM.
4. The only substitution strings supported in shielded VM unattend files are the following:

   Replaceable Element    Substitution String
   ComputerName           @ComputerName@
   TimeZone               @TimeZone@
   ProductKey             @ProductKey@

VMM will use substitution strings if you include them in the Unattend.XML file. If you do use substitution strings, verify that the corresponding values are set in the VMM virtual machine template. Otherwise, the operating system customization will stall, which will prevent the VM from shutting down and cause the VMM task to fail. For your convenience, a sample unattend.xml file has been provided in Section 10.
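The following script is an added example, not part of the guide: it creates the tenant RDP certificate from 8.3.1 with the same cmdlets, stamps its thumbprint and PFX password into the Section 10 sample unattend.xml, and then checks the four restrictions of 8.3.2 before the file goes into the Shielding Data File Wizard. The file paths, DNS name and password are assumptions for illustration.

```powershell
# Added example (not from the guide). Run on the tenant computer, as 8.3 requires.
# Assumed inputs: C:\unattend.xml is a copy of the Section 10 sample, C:\RDPCert.pfx is
# the name that sample expects, and the password/DNS name are placeholders.

function New-TenantRdpCertificate {
    param(
        [string]$DnsName = 'ts.examplerdpcertificate.com',   # assumed, same as 8.3.1
        [string]$PfxPath = 'C:\RDPCert.pfx',                 # file name the sample unattend imports
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # Exportable key: the PFX travels to the VM inside the encrypted PDK, not via the host
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy Exportable
    Export-PfxCertificate -Cert $cert -Password $PfxPassword -FilePath $PfxPath | Out-Null
    return $cert.Thumbprint
}

function Update-ShieldedUnattend {
    # Rewrites the two values Section 10 says must be changed: certutil -p password, SSL hash
    param(
        [Parameter(Mandatory)][string]$UnattendPath,   # use an absolute path; XmlDocument.Save needs it
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPasswordPlain  # certutil takes it on the command line
    )
    [xml]$xml = Get-Content -Path $UnattendPath -Raw
    $pw = $PfxPasswordPlain.Replace('$', '$$')          # '$' is special in -replace; '"' is not allowed
    foreach ($node in $xml.GetElementsByTagName('Path')) {
        if ($node.InnerText -match 'certutil') {
            $node.InnerText = $node.InnerText -replace '-p\s+"[^"]*"', ('-p "{0}"' -f $pw)
        }
        if ($node.InnerText -match 'SSLCertificateSHA1Hash') {
            $node.InnerText = $node.InnerText -replace 'SSLCertificateSHA1Hash="[0-9A-Fa-f]*"', ('SSLCertificateSHA1Hash="{0}"' -f $Thumbprint.ToLower())
        }
    }
    $xml.Save($UnattendPath)
}

function Test-ShieldedUnattend {
    # Returns one string per violated 8.3.2 restriction; returns nothing when the file passes
    param([Parameter(Mandatory)][string]$UnattendPath)
    $raw = Get-Content -Path $UnattendPath -Raw
    [xml]$xml = $raw
    $paths = @($xml.GetElementsByTagName('Path') | ForEach-Object { $_.InnerText })
    $problems = @()

    # Restriction 1: VMM only learns that specialization finished when the VM powers off
    if (-not ($paths -match 'shutdown\s+/s')) { $problems += 'No "shutdown /s" command: VMM will never see the VM turn off' }

    # Restriction 2: the RDP certificate is imported and bound to the RDP listener
    if (-not ($paths -match 'certutil .*-importpfx')) { $problems += 'RDP certificate is never imported' }
    $hash = ($paths -match 'SSLCertificateSHA1Hash') -replace '.*SSLCertificateSHA1Hash="([^"]*)".*', '$1'
    if (-not ($hash -match '^[0-9A-Fa-f]{40}$')) { $problems += 'SSLCertificateSHA1Hash is not a 40-hex-digit thumbprint' }

    # Restriction 3: RDP and its firewall group are enabled (no console access to a shielded VM)
    $deny = $xml.GetElementsByTagName('fDenyTSConnections') | Select-Object -First 1
    if (-not $deny -or $deny.InnerText -ne 'false') { $problems += 'fDenyTSConnections is not false' }
    $rdpGroup = $xml.GetElementsByTagName('FirewallGroup') | Where-Object { $_.Group -like '@FirewallAPI.dll,-28752*' -and $_.Active -eq 'true' }
    if (-not $rdpGroup) { $problems += 'Remote Desktop firewall group is not enabled' }

    # Restriction 4: only the three VMM substitution strings are honoured
    $allowed = '@ComputerName@', '@TimeZone@', '@ProductKey@'
    $used = [regex]::Matches($raw, '@[A-Za-z]+@') | ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($s in $used) { if ($s -notin $allowed) { $problems += "Unsupported substitution string $s" } }
    return $problems
}

# Usage with the assumed paths; add unattend.xml and RDPCert.pfx to the wizard afterwards (8.3.5)
$pw    = ConvertTo-SecureString -AsPlainText '!!123abc' -Force
$thumb = New-TenantRdpCertificate -PfxPassword $pw
Update-ShieldedUnattend -UnattendPath 'C:\unattend.xml' -Thumbprint $thumb -PfxPasswordPlain '!!123abc'
Test-ShieldedUnattend -UnattendPath 'C:\unattend.xml'
```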
8.3.3 Get the volume signature catalog file

Tenants use VMM to extract the volume signature catalog (.VSC) file, which describes the template that the .PDK file can be applied to. You can use the following procedure to get the .VSC file.

1. Using a remote VMM administrator console, open a PowerShell window. Review the following example information, modify it as needed, and then run the following cmdlets:

   $disk = Get-SCVirtualHardDisk -Name "ThresholdTP3.vhdx"
   $vsc = Get-SCVolumeSignatureCatalog -VirtualHardDisk $disk
   $vsc.WriteToFile("c:\Disk1.VSC")

8.3.4 Get the Host Guardian Service metadata and import it using cmdlets

Tenants download the Host Guardian Service metadata, in XML form, and then import it. The metadata contains the public portion of the encryption certificate and the signing certificate used by the Host Guardian Service. You must already have a VMM tenant administrator user role and be connected remotely to VMM using the VMM Administrator console in order to perform the following procedure.

Use the following procedure on a tenant computer to get the metadata file and import the Host Guardian Service certificate from it. Review the following example information and modify it as needed.

8.3.4.1 Create a new owner certificate

1. If you don't already have one, create a new owner certificate to use for the shielded VM. You can run the Get-HgsGuardian cmdlet to see the list of guardians on the machine; if you already have "Owner," continue to the next step, Import guardian.

   New-HgsGuardian -Name Owner -GenerateCertificates

8.3.4.2 Import guardian

1. Open a web browser on the tenant machine, browse to the KPS metadata URL, and then save the file as "C:\metadata.xml".
   http://Relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml

   Note: If tenants don't have access to the HGS server, you can download the metadata file and then transfer it offline to clients.

2. On a tenant computer with a copy of the metadata downloaded in Step 1, run the following cmdlet in a PowerShell window. Note that if you have previously imported this guardian, you can skip this cmdlet and continue to the next section, "Create a shielding data file for shielded templates."

   Import-HgsGuardian -Path c:\metadata.xml -Name Guardian -AllowUntrustedRoot

8.3.5 Create a shielding data file for shielded templates

Tenants can use the Shielding Data File Wizard to create a PDK file. The PDK file is used for shielded VM creation. The file is a protected data file that only the guardian's owner can access, and it contains the tenant's secret information.

1. Run C:\Windows\System32\ShieldingDataFileWizard.exe to start the Shielding Data File Wizard.
2. On the File Selection tab, select Create a new shielding data file, browse to the location where you want to save the PDK file that you're creating, and type the file name to create (for example, C:\Tenant.pdk). Select Shielding Data for Shielded Templates > Next.
3. On the Owner and Guardians page, select the owner of the PDK file, then select the Guardian name > Next. Note that:
   a. You can select multiple guardians.
   b. The owner would typically be the tenant owner of the VM.
   c. The Guardian name is the friendly name of the Host Guardian Service identified in the metadata that you imported.
4. On the Volume ID Qualifiers page, click Add to open the Add Volume ID Qualifier dialog box.
5. In the Add Volume ID Qualifier dialog box, click Browse to locate the .VSC file that you created previously. Open it, and then click OK.
   a. Download it from VMM, as described in Get the volume signature catalog file.
   b. You can change the Version rule, as needed.
6. On the Specialization Values page, browse for or type the path and file name of the Unattend.XML file that you created previously, and then click Next. You can also click Add under Other files to securely send them to the shielded VM when it is created. For example, you might want to send an RDP certificate. If you used the sample Unattend.XML file, then you would add RDPCert.pfx.
7. On the Review Settings page, review the settings, and then click Generate.
8. On the Shielding Data File Generation page, progress is displayed.
9. On the Summary page, information about the PDK file that you created is shown. Click Close to exit the wizard.

Tenants can now instantiate a shielded VM from a signed disk template using the virtual machine shielding information.

8.4 Create a shielded VM using VMM

1. In the VMM Administration console, select the template, and then click Create Virtual Machine to start the Create Virtual Machine Wizard so you can begin creating a new virtual machine from a shielded VM template.
2. In the wizard, select the appropriate shielding data file (.PDK). You'll make the other choices for the new virtual machine just as you would for a regular unshielded virtual machine, such as configuring the hardware, operating system, destination, cloud, settings, and properties.

VMM instantiates a new virtual machine from the template using information from the PDK file. After the virtual machine is created on the Hyper-V host, the following actions occur automatically:

1. The source disk template (VHDX) file is copied from the VMM library.
2. The VM provisioning service decrypts the data in the .PDK file, creates a merged unattend.xml file, and copies the additional files (for example, RDPCert.pfx) inside the .PDK file to the boot volume of the VM.
3. The VM restarts, enters the Sysprep process, and becomes BitLocker-encrypted.
4. When the VM customization completes, the new virtual machine shuts down. Approximately 10 minutes elapse for the steps above to complete.
5. In the VMM Administrator console, you can see that the Create VM task completed and the VM is turned off.

9 Scenario #3 – Deploy a shielded VM using Windows Azure Pack (new in Windows Server 2016 Technical Preview 4)

Important: You must complete steps 8.1 – 8.3.2 in Scenario #2 before beginning this scenario.

In this scenario, the hosting service providers prepare a signed disk template for use by their tenants, and then make it available to the tenants using the Plans feature in Windows Azure Pack. Tenants then connect to the Windows Azure Pack portal and create a shielded VM from a shielded VM template in the Windows Azure Pack Gallery. The required steps for the administrator are the same (with one or two additional steps) as for allowing VM creation from VMM, while the tenant flow is completely different because the tenant creates their VM from Windows Azure Pack instead of VMM.

1. The hosting service providers configure VMM 2016 Technical Preview 4 and the Hyper-V Technical Preview 4 fabric to support shielded VMs.
2. The hosting service providers use the following procedures to create a shielded VM template:
   a. Download or prepare a VHD to use as a template.
   b. Create a signed disk template.
   c. Copy and publish the disk template to the VMM library.
   d. Create the shielded VM template in VMM using the signed disk.
3. The hosting service providers install and configure Service Provider Foundation 2016 Technical Preview 4 and Windows Azure Pack, and then create plans in Windows Azure Pack to expose the shielded VMs to the tenants. Tenant administrators use the Windows Azure Pack tenant portal to execute the following procedures to create shielding data for the shielded VM:
   a. Get the volume signature catalog file and the Host Guardian Service metadata from the Windows Azure Pack portal.
   b. Create a shielding data file.
4. Tenants use the following procedures to create and start the virtual machine.
5. Tenants create a shielded VM using Windows Azure Pack.

Important: Before you begin this section, make sure you have completed Scenario #2, and have successfully completed the following configurations in VMM, with artefacts that are defined for use in the Windows Azure Pack portal. You should have:

1. Host Guardian Service settings defined in VMM
2. Guarded hosts in your fabric
3. A VMM cloud that supports shielding
4. A Generation 2 VM template with an unsigned disk
5. A Generation 2 VM template with a signed disk (also referred to as a Shielded Template in this document)
6. A non-shielded VM

9.1 Configure Service Provider Foundation and Windows Azure Pack to expose shielded VM plans to tenants

9.1.1 Configure the Service Provider Foundation

Install Service Provider Foundation 2016 Technical Preview 4 using the instructions at this link: https://technet.microsoft.com/en-us/library/dn266007.aspx. Note that these instructions are for Service Provider Foundation 2012 R2, but you must install Service Provider Foundation 2016 Technical Preview 4. Use the service account for Application Pool Credentials in step #8.

If you have issues with integrating Windows Azure Pack and Service Provider Foundation, see the following link for help: http://blogs.technet.com/b/privatecloud/archive/2013/11/08/troubleshooting-windows-azure-pack-spf-amp-vmm.aspx

9.1.2 Install Windows Azure Pack

Before you install Windows Azure Pack Express, verify that you have complied with the Windows Azure Pack system requirements overview, including installing the Web Platform Installer.

1. Start the Web Platform Installer and type Windows Azure Pack in the search box.
2. Next to Windows Azure Pack: Portal and API Express, click Add > Install. If the server running VMM 2016 Technical Preview 4 does not have Internet access, see the following instructions for installing offline: https://technet.microsoft.com/en-us/dn756546.aspx.
3. On the Prerequisites page, review and accept the Terms and Conditions.
4. Indicate whether you want to use Microsoft Update to keep Windows Azure Pack up-to-date. We recommend that you use Microsoft Update because it helps ensure that any updates needed for this scenario are automatically installed.
5. The installation begins. Your computer might restart during the installation. When the installation has completed, make sure all Internet Explorer windows are closed, and then click Continue to start the Service Management Configuration site. The configuration site (https://localhost:30101/) opens in Internet Explorer.

If you need help setting up Windows Azure Pack, see the instructions at https://technet.microsoft.com/en-us/dn296439.aspx.

9.1.3 Configure Windows Azure Pack

Before you use Windows Azure Pack, you should already have it installed and configured for your infrastructure.

1. Navigate to the Windows Azure Pack admin portal at http://<wapURL>:30091, and then log in using your administrator credentials.
2. In the left pane, click VM Clouds.
3. Connect Windows Azure Pack to the Service Provider Foundation instance you already configured by clicking "Register System Center Service Provider Foundation." You will need to specify the URL for Service Provider Foundation, as well as the username and password.
4. If successful, you should be able to navigate to the VM cloud you just connected to and see details about the clouds that exist in VMM.
9.1.4 Create a shielded VM Plan in Windows Azure Pack

When you are connected to your instance of VMM, you are ready to create a Plan in Windows Azure Pack to offer VMs to your tenants.

1. On the lower pane of the portal, click +NEW > PLAN > CREATE PLAN.
2. In the first step of the wizard, choose a name for your Plan. This is the name your tenants will see.
3. In the second step, select VIRTUAL MACHINE CLOUDS as one of the services to offer in the plan.
4. Skip the step about selecting any add-ons for the plan.
5. Click OK (check mark) to create the plan. Although this creates the plan, it is not yet in a configured state.
6. To begin configuring the Plan, click its name.
7. On the next page, under plan services, click Virtual Machine Clouds. This opens the page where you can configure quotas for this plan.
8. Under basic, select the VMM Management Server and Virtual Machine Cloud to which you want to connect. Choose the cloud that shows as "shielding supported" from the dropdown menu.
9. Select the quotas you want to apply in this Plan (for example, limits on cores, RAM usage, and so forth). Make sure to leave the Allow Virtual Machines To Be Shielded checkbox selected.
10. Scroll down to the section on the page titled templates, and then select the templates to add.
11. In the wizard that displays, look for the shielded templates you already created and added to VMM. Make sure to include that template and any other templates you wish to make available in the Plan.

   Note: You will also want to include non-shielded Generation 2 VM templates in the Plan to validate scenarios around converting Generation 2 VMs to shielded VMs.

12. After setting any other settings or quotas for the Plan, click Save.
13. At the top left of the screen, click the arrow to go back to the Plan page.
14. At the bottom of the screen, change the Plan from Private to Public so that tenants can subscribe to the Plan.

9.2 Tenants create Shielding Data for the VM

9.2.1 Get a Windows Azure Pack subscription

1. If you do not have a subscription already, navigate to the Windows Azure Pack administrator portal at https://<wapURL>:30081 and sign up for one. Click +NEW > My Account > Add Subscription.
2. From the list of Plans, select the Plan that was created in the previous section, including shielded virtual machines, and then click OK (check mark). This will start the provisioning of your subscription.

9.2.2 Download the Volume Signature Catalog and guardian key from the tenant portal

1. On the left side of the portal, click Virtual Machines.
2. At the top, click Shielding Data.
3. On the lower part of the page, click Download Guardian to download the Guardian Key file locally to your machine. You may be prompted to choose a subscription if you have multiple tenant subscriptions.
4. Click Download Catalog, and then select the template for which you want to create Shielding Data to download the VSC to your local machine.

9.2.3 Create the Shielding Data File

Follow the instructions in Section 8.3.5 to create a shielding data file using the VSC and guardian key downloaded from the WAP portal.

If you are using the Windows 10 client operating system to browse the Windows Azure Pack portal, you can download Remote Server Administration Tools for Windows Server 2016, which will install the Shielding Data File Wizard to create a PDK file on the client computer.

OR

You can use Windows Server 2016 Technical Preview 4 and add Features\Remote Server Administration Tools\Shielded VM Tools in Server Manager.

9.2.4 Upload Shielding Data in the Windows Azure Pack portal

1. From the left navigation, click Virtual Machines.
2. At the top, click Shielding Data.
3. On the lower pane of the page, click Upload.
4. Click Browse, and then point to the PDK file that was created in the previous step.
5. Enter the Friendly Name and Description, and click the "right" icon in the lower-right corner to upload it.

9.3 Create a shielded VM in Windows Azure Pack

There are two ways to create a VM from a Shielded Template in Windows Azure Pack: either by using the Quick Create feature of the portal or by using the Gallery.

9.3.1 Quick Create a shielded VM in Windows Azure Pack

1. In the Tenant Portal, click +NEW > STANDALONE VIRTUAL MACHINE > QUICK CREATE.
2. Select a name for the VM. From the dropdown list under Templates, choose the Shielded Template.
3. Choose the Shielding Data you want to use to create the VM.
4. Click CREATE VM INSTANCE to begin creating your VM.
5. Once the VM is created, it can be managed just like any other Windows Azure Pack VM (the only difference is that you cannot use Console Connect). See the Windows Azure Pack Virtual Machine documentation for more details regarding capabilities.

9.3.2 Create a shielded VM in Windows Azure Pack from the Gallery using a shielded template

1. In the tenant portal, click +NEW > STANDALONE VIRTUAL MACHINE > FROM GALLERY. The gallery wizard displays.
2. From the list of available templates, select a shielded template (indicated by a shield icon) > Next.
3. On the next page of the wizard, specify a name for the VM.
4. Using the dropdown menu, select the shielding data file to use to shield the VM.
5. On the next page of the wizard, choose a network to connect the VM to (optional), and then click OK to begin creating the VM.
6. When the VM creation is completed, the VM can be managed just like any other Windows Azure Pack VM (the only difference is that you cannot use Console Connect). See the Windows Azure Pack Virtual Machine documentation for details about capabilities.

9.3.3 Create a shielded VM in Windows Azure Pack from the gallery using a regular template

1. In the tenant portal, click +NEW > STANDALONE VIRTUAL MACHINE > FROM GALLERY. The gallery wizard displays.
2. From the list of available templates, select a template for a Generation 2 VM that is not a shielded template (there should not be a shield icon next to the template), and then click Next.
3. In the next page of the wizard, fill in the required fields for creating the VM.
4. On the lower part of the page, select the check box that asks if you want to shield the VM after creation. This prompts you to select which shielding data to use.
5. In the next page of the wizard, choose a network to connect the VM to (optional), and then click OK to begin creating the VM.
6. After the VM is created, it can be managed just like any other Windows Azure Pack virtual machine (the only difference is that you cannot use Console Connect). See the Windows Azure Pack Virtual Machine documentation for more details regarding capabilities.

9.4 Convert an existing Generation 2 VM to a shielded VM in Windows Azure Pack

1. Use Quick Create or Create from Gallery to create a VM using a Generation 2 VM template that is not shielded. After the VM is created, you can manage it in the same way you would a regular VM.
2. Click the Configure tab for the VM. Verify that the VM state is Stopped/Powered Off.
3. On the lower part of the configuration screen, click Shield. You are prompted to select a Shielding Data file.
   You have to generate a shielding data file as discussed in Section 8.3.5, but you have to select Create a new Shielding data file, select Shielding data for existing VM and non-shielded templates, and then upload the Shielding Data file in your Windows Azure Pack subscription as discussed in Section 9.2.4.
4. Click OK. After this process, the VM will be converted into a shielded VM.

At this point, the VM can support shielding, but the configuration is not yet complete. To finish the process, you must log on to the VM, install the BitLocker components (if not already installed), and enable BitLocker on all volumes, including the system volume. You should also change the password for administrators and all other accounts that are enabled for RDP access, to ensure that previously stored credentials cannot be reused to log in and access the server over RDP. Note that existing checkpoints and backups are not encrypted. You should consider securing such data and/or deleting them.

Appendix A – Import a VMM 2016 VHD in your fabric

Building a VM to run Virtual Machine Manager

1. Copy the VMM image you have downloaded to the Hyper-V server that will run Virtual Machine Manager.
2. Start Hyper-V Manager on the physical host.
3. Click New > Virtual Machine > Next.
4. Specify a name and a path for the virtual machine.
5. Select Generation 1 VM.
6. Assign 6 GB or more of memory to the VM, and then click Next.
7. Connect the VM to a network that has access to the AD for the test environment, and then click Next.
8. Select Attach disk later, and then click Next.
9. Select Install an operating system later > Next.
10. Click Finish.
11. Copy the VHD file to the folder of the new VM.
12. In Hyper-V Manager, right-click the new VM > Settings.
13. Click IDE Controller > Hard Drive > Add.
14. Select the path to the location where the VHD was copied under the VM folder in step 12 > OK.
15. Select the VM > Start.

Configure the Virtual Machine Manager image

1. Provide an administrator password for the VMM server.
2. Join the VMM server to the test domain.
3. Restart the VMM server.
4. Log in as a domain administrator.
5. Add the VMM service account to local administrators.

Configure SQL Server for Virtual Machine Manager

1. From the shortcut on the desktop, start SQL Configuration.
2. Click Eval > Next.
3. Read and accept the license if you agree with it.
4. Click Check for updates > Next.
5. Click Next for image rules.
6. Select Default Instance > Next.
7. Click Next for Features > Next for Instance configuration > Configure Instance.
8. Close the SQL Server configuration.

Configure Virtual Machine Manager

1. Click the Configure VMM shortcut on the desktop.
2. Specify the name and organization.
3. Read the terms of the license. If you agree to them, click Next.
4. Choose the customer experience option > Next.
5. Select an update option > Next.
6. From the dropdown Instance menu, click MSSQLSERVER > Next.
7. Specify a domain account for the VMM service. Note: This account has to be a member of Local Administrators.
8. Select the default path for the VMM library, or enter another path if desired > Next > Install.
9. When the installation completes, click Close.

Add a Hyper-V host to Virtual Machine Manager

1. From the Start menu, start the VMM console.
2. In the left pane, click Fabric, and then in the left menu, click Servers.
3. Click Add Resources, and then select Hyper-V Host or Cluster.
4. Depending on where your Hyper-V host is located, select Windows Server in a domain or non-domain.
5. Select Manually enter credentials, enter the username and password for a user who has administrator access to the Hyper-V host > Next.
6. Select Specify Windows Server Computer Names.
7. Enter the name of the Hyper-V host that was installed with Windows Server vNext build 9926 > Next.
8. Under Discovered computers, select the server > Next.
9. Read the warning > OK.
10. On the Host group page, click Next > Finish.
11. Close the job window, and then in the Servers view, verify that the host is running as healthy.

Appendix B – Enable HTTPS communication on the HGS server

1. Create and export the HGS HTTPS certificate.

   $HttpsCertificate = New-SelfSignedCertificate -DnsName "$HgsServiceName.$env:userdnsdomain" -CertStoreLocation Cert:\LocalMachine\My
   Export-PfxCertificate -Cert $HttpsCertificate -Password $certificatePassword -FilePath 'c:\HttpsCertificate.pfx'

Initialize HGS server with HTTPS Certificate

To enable HTTPS communication on the HGS server, you need to pass in the HTTPS certificate when initializing the HGS server. Modify the following example as appropriate, and then run it in place of the cmdlet in Section 6.4.

   Initialize-HgsServer -HgsServiceName $HgsServiceName -EncryptionCertificateThumbprint $encryptionCert.Thumbprint -SigningCertificateThumbprint $signingCert.Thumbprint -CommunicationsCertificateThumbprint $signingCert.Thumbprint -TrustActiveDirectory -Http -Https -HttpsCertificatePath 'C:\HttpsCertificate.pfx' -HttpsCertificatePassword $certificatePassword -Force

Note: If you are setting up multiple HGS servers in a High Availability configuration, be sure to import the same HTTPS certificate on each machine. The HTTPS parameters of the cmdlet above (-Https, -HttpsCertificatePath and -HttpsCertificatePassword) should be included every time you initialize an HGS server in your environment.

Configure VMM with HTTPS HGS endpoints

In order to take advantage of the SSL encryption, you must specify the secure endpoints when configuring the HGS settings in VMM. For example, instead of the addresses shown in Section 8.1.1, provide the following addresses:

1. https://Relecloud.com/Attestation for the Attestation URL
2. https://Relecloud.com/KeyProtection for the KPS URL

Ensure guarded hosts trust the HTTPS certificate

If you chose to use a self-signed certificate for your HTTPS certificate, you will need to import the certificate into the Trusted Root Certification Authorities store on every host. To do this, run the following cmdlet on each host machine, where the certificate file is the one generated in Section 6.3:

   Import-Certificate -FilePath "C:\temp\HttpsCertificate.cer" -CertStoreLocation Cert:\LocalMachine\Root

10 Sample unattend.xml file

The following is a sample unattend.xml file that you can use when creating your Shielding Data File. This file assumes that you are including a certificate named RDPCert.pfx in your Shielding Data File that will be used to secure your RDP communications. You must update the RDP certificate password (the certutil -p value) and thumbprint (the SSLCertificateSHA1Hash value) with the appropriate values for your certificate. You may also want to change the administrator password, uncomment the section to join the VM to a domain, or add your own specialization steps to the script. For general unattend.xml information, see Section 8.3.5.
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <servicing></servicing>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ComputerName>@ComputerName@</ComputerName>
      <!-- If you are installing an evaluation edition of Windows that does not require a product key, remove the following <ProductKey> node -->
      <ProductKey>@ProductKey@</ProductKey>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <!-- Update with your certificate password -->
          <Path>certutil -p &quot;!!123abc&quot; -importpfx %SYSTEMDRIVE%\temp\RDPCert.pfx</Path>
          <WillReboot>OnRequest</WillReboot>
          <Description>Import certificate</Description>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Description>If there is one, copy original setupcomplete.cmd to a unique file</Description>
          <Order>2</Order>
          <!-- The path is not enclosed in braces: cmd's "if exist" takes the bare path, and a braced path would never match -->
          <Path>cmd /C if exist %WINDIR%\Setup\Scripts\SetupComplete.cmd (copy %WINDIR%\Setup\Scripts\SetupComplete.cmd %WINDIR%\Setup\Scripts\SC3746EE82-EA9D-423E-B99F510F9D7FF4F5.cmd /y)</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>3</Order>
          <Description>mkdir Scripts since Windows looks for SetupComplete.cmd in that dir. If the dir exists, it should be fine.</Description>
          <Path>cmd.exe /C mkdir %WINDIR%\Setup\Scripts</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>4</Order>
          <Description>Put certificate configuration command in SetupComplete.cmd</Description>
          <!-- Update with the thumbprint of your RDP certificate -->
          <Path>cmd /C echo wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=&quot;f5d17b3d2fe391480e7532764026d6129884862b&quot; &gt;&gt; %WINDIR%\Setup\Scripts\SetupComplete.cmd</Path>
        </RunSynchronousCommand>
        <RunSynchronousCommand wcm:action="add">
          <Order>5</Order>
          <Description>Put shutdown VM in SetupComplete.cmd</Description>
          <Path>cmd /C echo shutdown /s /f &gt;&gt; %WINDIR%\Setup\Scripts\SetupComplete.cmd</Path>
          <WillReboot>OnRequest</WillReboot>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
    <!-- For VM to Domain Join use this section. Please ensure VM can reach domain controller -->
    <!--
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Identification>
        <Credentials>
          <Domain>contoso.com</Domain>
          <Username>Administrator</Username>
          <Password>ContosoAdminPassword1!</Password>
        </Credentials>
        <JoinDomain>contoso.com</JoinDomain>
      </Identification>
    </component>
    -->
    <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <FirewallGroups>
        <!-- Allow RDP connections through the firewall -->
        <FirewallGroup wcm:action="add" wcm:keyValue="RDGroup">
          <Active>true</Active>
          <Group>@FirewallAPI.dll,-28752</Group>
          <Profile>all</Profile>
        </FirewallGroup>
      </FirewallGroups>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UserAuthentication>0</UserAuthentication>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <UserAccounts>
        <AdministratorPassword>
          <Value>ExampleAdminPassword1!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <TimeZone>@TimeZone@</TimeZone>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UserLocale>en-US</UserLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <InputLocale>0409:00000409</InputLocale>
    </component>
  </settings>
</unattend>
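The following is an added example, not code from the guide: the tenant steps of 8.3.4 and 8.3.5 done with the ShieldedVMDataFile cmdlets instead of the wizard, feeding in the sample unattend.xml above, the .VSC exported in 8.3.3 and the metadata.xml downloaded in 8.3.4.2. It assumes the ShieldedVMDataFile module (the Shielded VM Tools feature) is installed, that metadata.xml carries the HGS certificates as base64 elements, and that the hoster has given the tenant the expected certificate thumbprints out of band, since the metadata is fetched over plain HTTP and imported with -AllowUntrustedRoot.

```powershell
# Added example (not from the guide). Paths and the <...> thumbprints are placeholders.
# The pinning step is the defender's check the guide's flow leaves implicit: a guardian
# imported from tampered metadata would let the wrong key service unwrap the VM's keys.
Import-Module ShieldedVMDataFile   # assumption: available via the Shielded VM Tools feature

function Get-HgsMetadataCertificate {
    # Schema-agnostic: returns every X.509 certificate embedded as base64 text in metadata.xml
    param([Parameter(Mandatory)][string]$MetadataPath)
    [xml]$xml = Get-Content -Path $MetadataPath -Raw
    $certs = @()
    foreach ($node in $xml.SelectNodes('//text()')) {
        $text = $node.Value.Trim()
        if ($text.Length -lt 100) { continue }               # too short to be a DER certificate
        try {
            $bytes = [Convert]::FromBase64String($text)
            $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        } catch { }                                          # not base64, or not a certificate: skip
    }
    return $certs
}

function Import-PinnedHgsGuardian {
    # Imports the hoster's guardian only if metadata.xml carries the out-of-band thumbprints
    param(
        [Parameter(Mandatory)][string]$MetadataPath,
        [Parameter(Mandatory)][string[]]$ExpectedThumbprint,   # from the hoster, not from the download
        [string]$Name = 'Guardian'                             # friendly name used in 8.3.4.2
    )
    $found   = (Get-HgsMetadataCertificate -MetadataPath $MetadataPath).Thumbprint
    $missing = $ExpectedThumbprint | Where-Object { $_ -notin $found }
    if ($missing) { throw "metadata.xml does not carry the expected HGS certificate(s): $($missing -join ', ')" }
    # Re-running the import is not needed once the guardian exists (8.3.4.2 step 2)
    if (-not (Get-HgsGuardian | Where-Object Name -eq $Name)) {
        Import-HgsGuardian -Path $MetadataPath -Name $Name -AllowUntrustedRoot
    }
    return Get-HgsGuardian | Where-Object Name -eq $Name
}

# Owner guardian as in 8.3.4.1: create it once, reuse it afterwards
$owner = Get-HgsGuardian | Where-Object Name -eq 'Owner'
if (-not $owner) { $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates }

$guardian = Import-PinnedHgsGuardian -MetadataPath 'C:\metadata.xml' `
    -ExpectedThumbprint @('<HGS-ENCRYPTION-CERT-THUMBPRINT>', '<HGS-SIGNING-CERT-THUMBPRINT>')

# Volume ID qualifier (8.3.5 step 5): Equals pins the PDK to this exact catalog version
$vsc = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\Disk1.VSC' -VersionRule Equals

# Same inputs the wizard collects: owner, guardian(s), qualifier, unattend file, extra files
New-ShieldingDataFile -ShieldingDataFilePath 'C:\Tenant.pdk' -Owner $owner -Guardian $guardian `
    -VolumeIDQualifier $vsc -WindowsUnattendFile 'C:\unattend.xml' -OtherFile 'C:\RDPCert.pfx' -Policy Shielded
```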