Shielded VM Enhancements in Windows Server 2019

Summary: This article provides information on enhancements to shielded virtual machines (VMs) in Windows Server 2019.

Article Content


Instructions

Shielded VM is a security feature introduced by Microsoft in Windows Server 2016 that has received a number of enhancements in Windows Server 2019. This article focuses on those improvements.
For a basic introduction to the feature and detailed deployment steps, please refer to the following link:
  1. https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-deploying-hgs-overview
 
Attestation Modes
The feature initially supported two attestation modes: Active Directory-based attestation and TPM-based attestation. TPM-based attestation provides the stronger security protections, as it uses the TPM as a hardware root of trust and supports measured boot and code integrity.
Key mode attestation is the new addition, supplanting AD-based attestation (which is still present but deprecated from Windows Server 2019 onwards). The following link contains the information needed to set up the HGS (Host Guardian Service) node using Key Mode Attestation.
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-initialize-hgs-key-mode-default
Key mode attestation is used in scenarios where TPM hardware is unavailable. It is easier to configure, but it carries its own set of security risks, as it does not rely on a hardware root of trust.

HGS Backup feature
Since the HGS cluster is a critical piece of the shielded VM solution, Microsoft has added the ability to configure fallback HGS URLs, so that even if the primary HGS server is unresponsive, the Hyper-V guarded hosts are still able to attest and launch the shielded VMs without downtime. This requires two HGS servers to be set up, and the hosts must be able to attest independently with both servers. The following command configures a guarded host to use both HGS clusters.
 
# Replace https://hgs.primary.com and https://hgs.backup.com with your own domain names and protocols.
# All four URLs are parameters of a single command; do not separate them with semicolons, which would end the statement.
Set-HgsClientConfiguration -KeyProtectionServerUrl 'https://hgs.primary.com/KeyProtection' -AttestationServerUrl 'https://hgs.primary.com/Attestation' -FallbackKeyProtectionServerUrl 'https://hgs.backup.com/KeyProtection' -FallbackAttestationServerUrl 'https://hgs.backup.com/Attestation'
 
In order for the Hyper-V host to pass attestation with both the primary and fallback servers, you will need to ensure that your attestation information is up to date with both HGS clusters.
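The following PowerShell is an added example, not code from the Dell article or from Microsoft's documentation. It ties the Key Mode Attestation section and the HGS backup section together: the guarded host generates a host key, the key is registered on both the primary and the fallback HGS server, the host is then pointed at both, and the resulting attestation state is checked. The host name, the .cer path, and the use of the article's hgs.primary.com / hgs.backup.com names are constructed placeholders; the cmdlets themselves (Set-HgsClientHostKey, Get-HgsClientHostKey, Add-HgsAttestationHostKey, Set-HgsClientConfiguration, Get-HgsClientConfiguration) are the standard HgsClient / HgsAttestation cmdlets.

```powershell
# Added example: register one guarded host with two HGS clusters (Key Mode) and
# configure the host to fall back to the second cluster. Names and paths are constructed.

$HostName   = 'HV-HOST01'                   # constructed placeholder
$KeyExport  = 'C:\HgsSetup\HV-HOST01.cer'   # constructed placeholder (directory must exist on all machines)
$PrimaryHgs = 'hgs.primary.com'             # example names from the article
$BackupHgs  = 'hgs.backup.com'

# --- On the guarded Hyper-V host: create the host key and export its public certificate ---
Set-HgsClientHostKey
Get-HgsClientHostKey -Path $KeyExport

# --- On EACH HGS server: register the same public key, so either cluster can attest this host ---
foreach ($hgsServer in @($PrimaryHgs, $BackupHgs)) {
    $session = New-PSSession -ComputerName $hgsServer
    # Copy the exported certificate to the HGS node, then register it under the host's name.
    Copy-Item -Path $KeyExport -Destination $KeyExport -ToSession $session
    Invoke-Command -Session $session -ScriptBlock {
        param($Name, $CerPath)
        Add-HgsAttestationHostKey -Name $Name -Path $CerPath
    } -ArgumentList $HostName, $KeyExport
    Remove-PSSession $session
}

# --- Back on the guarded host: primary URLs plus fallback URLs in ONE command ---
Set-HgsClientConfiguration `
    -AttestationServerUrl           "https://$PrimaryHgs/Attestation" `
    -KeyProtectionServerUrl         "https://$PrimaryHgs/KeyProtection" `
    -FallbackAttestationServerUrl   "https://$BackupHgs/Attestation" `
    -FallbackKeyProtectionServerUrl "https://$BackupHgs/KeyProtection"

# Verify: a correctly registered host reports IsHostGuarded = True and AttestationStatus = Passed.
$cfg = Get-HgsClientConfiguration
$cfg | Select-Object AttestationServerUrl, FallbackAttestationServerUrl, IsHostGuarded, AttestationStatus

if (-not $cfg.IsHostGuarded) {
    Write-Warning "Host $HostName did not pass attestation. Confirm that $KeyExport was registered on both $PrimaryHgs and $BackupHgs."
}
```

The key point the article makes is in the registration loop: the fallback URLs only help if the backup cluster already knows the host, so the same certificate is added to both clusters before the host is switched over. For TPM-based attestation the same pattern applies, with the host's TPM identifier (Get-PlatformIdentifier / Add-HgsAttestationTpmHost) registered on both clusters in place of the host key.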
Offline Mode
This is a special mode introduced by Microsoft that allows shielded VMs to turn on even when the HGS node is unreachable. To enable this mode for the VMs, run the following command on the HGS node:
Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching
Once this is done, all the virtual machines must be restarted so that they receive a cacheable key protector.
Note: Any security configuration change on the local machine invalidates the cached key material. The VMs must attest with the HGS server again before offline mode becomes available again.
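The following PowerShell is an added example, not code from the Dell article. It performs the two steps above end to end: enabling key material caching on the HGS node, then locating the shielded VMs on a guarded host and giving each one the full stop/start the article calls for. The computer names are constructed placeholders. Set-HgsKeyProtectionConfiguration, Get-HgsKeyProtectionConfiguration, Get-VM, Get-VMSecurity, Stop-VM and Start-VM are standard cmdlets; that the configuration object exposes a property named AllowKeyMaterialCaching, matching the parameter name, is an assumption.

```powershell
# Added example: turn on cacheable key protectors on the HGS node, then power-cycle
# every shielded VM on a guarded host. Computer names are constructed placeholders.

$HgsNode     = 'HGS01'       # constructed placeholder
$GuardedHost = 'HV-HOST01'   # constructed placeholder

# --- On the HGS node: allow guarded hosts to cache key material for offline starts ---
Invoke-Command -ComputerName $HgsNode -ScriptBlock {
    Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching
    # Assumption: the returned object exposes the setting under the same name as the parameter.
    (Get-HgsKeyProtectionConfiguration).AllowKeyMaterialCaching
}

# --- On the guarded host: only VMs whose security settings mark them as shielded need the restart ---
Invoke-Command -ComputerName $GuardedHost -ScriptBlock {
    $shielded = Get-VM | Where-Object { (Get-VMSecurity -VM $_).Shielded }

    foreach ($vm in $shielded) {
        # A full stop/start (not Restart-VM, not a save/restore) is what hands the VM
        # its new cacheable key protector.
        if ($vm.State -eq 'Running') {
            Stop-VM -VM $vm
            Start-VM -VM $vm
        }
        # Report the post-restart state so a VM that failed to come back is visible.
        '{0}: {1}' -f $vm.Name, (Get-VM -Name $vm.Name).State
    }
}
```

Remember the note above: any later security configuration change on the host (a code integrity policy change, for example) invalidates the cached key material, and the host has to attest with HGS again before offline starts work. Running the host-side part of this script again after such a change is a simple way to refresh the cached key protectors once HGS is reachable.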
Linux Shielded VM
Microsoft also extended the support for hosting the VMs having Linux as the guest OS. For more details on which OS flavor and version can be used, please check the following link.
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-create-a-linux-shielded-vm-template
Important Guidelines
There are a few important guidelines to follow when deploying shielded VMs:
  1. When upgrading from Windows Server 2016 to Windows Server 2019, clear all the security configurations and apply them again after the upgrade on the HGS and the guarded hosts for the solution to work seamlessly.
  2. Template disks can only be used with the secure shielded VM provisioning process. Attempting to boot a regular (unshielded) VM from a template disk will likely result in a stop error (blue screen) and is unsupported.
DELL support
All the options from Windows Server 2016 and 2019 are supported on Dell PowerEdge 13G and 14G systems. For the most stringent security, TPM-based attestation with a TPM 2.0 is recommended.

Article Properties


Affected Product

Microsoft Windows Server 2019

Last Published Date

13 Dec 2023

Version

5

Article Type

How To