
Deploy protected virtual machines (overview)

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Which guest operating systems are supported by Hyper-V generation 2 virtual machines is documented at:

https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v

Protected (shielded) virtual machines are made up of two main parts:

A template VHDX that is signed, and optionally encrypted, using the Template Disk Wizard

A protected data file (PDK, also called a shielding data file) that packages secrets such as the administrator password and the RDP certificate, created with the Shielding Data File Wizard

Only a signed VHDX combined with a PDK file yields a protected virtual machine (VM):

A PDK can specify one of two security levels: "encryption supported", in which the VM data is encrypted but the VM is not fully protected, or "shielded", in which the data is encrypted and the VM is protected at the same time. A shielded VM can therefore only be started on a guarded (protected) Hyper-V host.

The core of a protected virtual machine is the protected data file:

Protected data files (also called shielding data files or PDK files) are encrypted files created by tenants or VM owners to protect important VM configuration information, such as administrator passwords, RDP certificates and other identity-related certificates, domain join credentials, and so on. Fabric administrators use the protected data file (PDK) when creating a protected VM, but cannot view or use the information it contains, because the contents of the file are encrypted.

The protected data file (PDK) contains sensitive information as follows:

Administrator credential

Answer file (unattend.xml)

A security policy that determines whether a VM created with this protected data (PDK) is configured to be protected or supports encryption

Keep in mind that a VM configured to be protected (shielded) is protected from the fabric administrator, while a VM that only supports encryption is not

RDP certificate used to secure a Remote Desktop connection to the VM

Volume signature catalog containing the signatures of the trusted template disks from which a new VM is allowed to be created

Key protector (KP) that defines the guarded Hyper-V environments in which the shielded virtual machine is authorized to run

The protected data file (PDK) guarantees that the VM will be created the way the VM owner wants. For example, when the VM owner places an answer file (unattend.xml) in a protected data file (PDK) and passes it to a guarded Hyper-V host, the IT administrator of the guarded Hyper-V environment cannot view or change the answer file. Similarly, the IT administrator of the guarded Hyper-V environment cannot substitute a different VHDX file when creating a protected VM, because the protected data file (PDK) contains the signature of the specific template VHDX that must match.

The following figure shows the protected data file (PDK) and related configuration elements

Existing (traditional) virtual machines can also be converted to protected VMs; the process is as follows:

To prepare to create a protected data file (PDK), complete the following steps in order:

Obtain the certificate for the Remote Desktop connection

Create an answer file

Obtain the volume signature catalog file from the signed template disk

Select a trusted HGS cluster for attestation

You can then create the shielding data file for one of four scenarios:

For a new virtual machine: create a protected data file (PDK) with the "shielded" policy and add the owner guardian

For a new virtual machine: create a protected data file (PDK) with the "encryption supported" policy and add the owner guardian

For an existing virtual machine: create a protected data file (PDK) with the "shielded" policy and add the owner guardian

For an existing virtual machine: create a protected data file (PDK) with the "encryption supported" policy and add the owner guardian

Each of these scenarios will be covered in a follow-up article.
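The same preparation steps (RDP certificate, answer file, volume signature catalog, trusted HGS cluster) and the final PDK creation can be done from PowerShell instead of the wizard. The script below is an added example, not code from this article; it assumes the Shielded VM Tools (ShieldedVMDataFile module) are installed on the tenant's workstation, and every path and guardian name is a placeholder to be replaced.

```powershell
# Added example (not from the article): build a shielding data file (PDK)
# for a new shielded VM on the tenant side. All paths and names are placeholders.
Import-Module ShieldedVMDataFile

# Step 1: RDP certificate (PFX) the VM should present for Remote Desktop.
$rdpCertPath  = 'C:\ShieldedVM\rdp-cert.pfx'

# Step 2: answer file (unattend.xml) prepared by the tenant.
$unattendPath = 'C:\ShieldedVM\unattend.xml'

# Step 3: volume signature catalog saved from the signed template disk.
# -VersionRule Equals pins the PDK to exactly this signed template version,
# so the fabric administrator cannot substitute a different disk.
$vscPath  = 'C:\ShieldedVM\template.vsc'
$volumeId = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath $vscPath -VersionRule Equals

# Step 4: guardians. The owner guardian is generated once on the tenant's
# machine; the HGS guardian is the metadata exported from the trusted HGS cluster.
$owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates
}
$hgsGuardian = Import-HgsGuardian -Path 'C:\ShieldedVM\HGSGuardian.xml' `
    -Name 'TrustedFabric' -AllowUntrustedRoot

# Step 5: create the PDK. -Policy Shielded produces a VM that can only be
# started on a guarded host; -Policy EncryptionSupported is the weaker level
# described in the article, which encrypts data but does not shield the VM.
New-ShieldingDataFile -ShieldingDataFilePath 'C:\ShieldedVM\new-vm.pdk' `
    -Owner $owner `
    -Guardian $hgsGuardian `
    -VolumeIDQualifier $volumeId `
    -WindowsUnattendFile $unattendPath `
    -OtherFile $rdpCertPath `
    -Policy Shielded
```

The resulting PDK is handed to the fabric administrator, who can use it to deploy the VM but cannot read the answer file or certificate inside it.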
