(預覽) 在現有虛擬機器擴展集上啟用可信啟動
適用於:✔️ Linux VM ✔️ Windows VM ✔️ 統一虛擬機器擴展集
Azure 虛擬機器擴展集支援在現有統一擴展集 VM 上啟用可信啟動,方法是升級至可信啟動安全性類型。
可信啟動可在 Azure 第 2 代虛擬機器和擴展集上啟用基礎計算安全性,並防範開機套件和 rootkit 等進階和持續性攻擊技術。 其方式是結合擴展集上的安全開機、vTPM 和開機完整性監視等基礎結構技術。
限制
目前不支援在已連結資料磁碟的現有虛擬機器擴展集上啟用可信啟動。
- 若要驗證是否已隨著資料磁碟設定擴展集,請瀏覽至擴展集 -> [設定] 功能表之下的 [磁碟] -> 在 [資料磁碟]
標題之下檢查
- 若要驗證是否已隨著資料磁碟設定擴展集,請瀏覽至擴展集 -> [設定] 功能表之下的 [磁碟] -> 在 [資料磁碟]
目前不支援在現有虛擬機器擴展集 Flex 上啟用可信啟動。
目前不支援在現有 Service Fabric 叢集和 Service Fabric 受控叢集上啟用可信啟動。
必要條件
- 在擴展集訂用帳戶的
Microsoft.Compute命名空間下註冊預覽功能ImageSkuGenUpdateWithVMSS。 如需詳細資訊,請參閱在 Azure 訂用帳戶中設定預覽功能 - 擴展集並未相依於可信啟動目前不支援的功能。
- 擴展集應隨著可信啟動支援的大小系列一起設定
注意
- 虛擬機器大小可隨著可信啟動升級一起變更。 請確定新 VM 大小的配額已備妥,以避免升級失敗。 請參閱檢查 vCPU 配額。
- 虛擬機器大小的變更將會以新的大小重建虛擬機器執行個體,而且個別虛擬機器執行個體需要停機。 它可以輪流升級方式完成,以避免擴展集停機。
- 擴展集應隨著可信啟動支援的 OS 映像一起設定。 針對 Azure 計算資源庫 OS 映像,確保映像定義標示為 TrustedLaunchSupported
在現有的統一擴展集上啟用可信啟動
本節記載使用 ARM 範本的步驟,在現有的統一虛擬機器擴展集上啟用可信啟動。
對現有 ARM 範本部署程式碼進行下列修改。 如需完整範本,請參閱快速入門可信啟動擴展集 ARM 範本。
重要
可信啟動安全性類型適用於擴展集 apiVersion2020-12-01 或更新版本。 在升級之前,確保已正確設定 API 版本。
OS 映像:將 OS 映像參考更新為 Gen2 可信啟動支援的 OS 映像。 如果使用 Azure 計算資源庫 OS 映像,請確定來源 Gen2 映像具有
TrustedLaunchSupported安全性類型。"storageProfile": { "osDisk": { "createOption": "FromImage", "caching": "ReadWrite" }, "imageReference": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", "sku": "2022-datacenter-azure-edition", "version": "latest" } }(選用) 擴展集大小:如果可信啟動安全性設定不支援目前的大小系列,請修改擴展集大小。
"sku": { "name": "Standard_D2s_v3", "tier": "Standard", "capacity": "[parameters('instanceCount')]" }安全性設定檔:在
virtualMachineProfile底下新增securityProfile區塊,以啟用可信啟動安全性設定。注意
建議的設定:
vTPM:true和secureBoot:如果您使用作業系統上任何未簽署的自訂驅動程式或核心,truesecureBoot應設定為false。"securityProfile": { "securityType": "TrustedLaunch", "uefiSettings": { "secureBootEnabled": true, "vTpmEnabled": true } }(建議) 客體證明延伸模組:為擴展集資源新增客體證明 (GA) 延伸模組,以對擴展集啟用開機完整性監視。
重要
客體證明延伸模組需要
secureBoot,且vTPM設定為true。{ "condition": "[and(parameters('vTPM'), parameters('secureBoot'))]", "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", "apiVersion": "2022-03-01", "name": "[format('{0}/{1}', parameters('vmssName'), GuestAttestation)]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.Security.WindowsAttestation", "type": "GuestAttestation", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true, "enableAutomaticUpgrade": true, "settings": { "AttestationConfig": { "MaaSettings": { "maaEndpoint": "[substring('emptystring', 0, 0)]", "maaTenantName": "GuestAttestation" } } } }, "dependsOn": [ "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" ] }延伸模組發行者的名稱:
OS 類型 延伸模組發行者名稱 Windows Microsoft.Azure.Security.WindowsAttestation Linux Microsoft.Azure.Security.LinuxAttestation 檢閱對範本所做的變更。
展開以檢視完整的範例 ARM 範本,其支援將現有擴展集升級至可信啟動和復原 (如有需要)。
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "vmSku": { "type": "string", "defaultValue": "Standard_D2s_v3", "metadata": { "description": "Size of VMs in the VM Scale Set." } }, "sku": { "type": "string", "defaultValue": "2022-datacenter-azure-edition", "allowedValues": [ "2022-datacenter-azure-edition" ], "metadata": { "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version." } }, "vmssName": { "type": "string", "maxLength": 61, "metadata": { "description": "String used as a base for naming resources. Must be 3-61 characters in length and globally unique across Azure. A hash is prepended to this string for some resources, and resource-specific information is appended." } }, "instanceCount": { "type": "int", "defaultValue": 2, "maxValue": 100, "minValue": 1, "metadata": { "description": "Number of VM instances (100 or less)." } }, "adminUsername": { "type": "string", "metadata": { "description": "Admin username on all VMs." } }, "adminPassword": { "type": "securestring", "metadata": { "description": "Admin password on all VMs." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Location for all resources." } }, "publicIpName": { "type": "string", "defaultValue": "myPublicIP", "metadata": { "description": "Name for the Public IP used to access the virtual machine Scale set." } }, "publicIPAllocationMethod": { "type": "string", "defaultValue": "Static", "allowedValues": [ "Dynamic", "Static" ], "metadata": { "description": "Allocation method for the Public IP used to access the virtual machine set." } }, "publicIpSku": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Basic", "Standard" ], "metadata": { "description": "SKU for the Public IP used to access the virtual machine Scale set." } }, "dnsLabelPrefix": { "type": "string", "defaultValue": "[toLower(format('{0}-{1}', parameters('vmssName'), uniqueString(resourceGroup().id)))]", "metadata": { "description": "Unique DNS Name for the Public IP used to access the virtual machine Scale set." } }, "healthExtensionProtocol": { "type": "string", "defaultValue": "TCP", "allowedValues": [ "TCP", "HTTP", "HTTPS" ] }, "healthExtensionPort": { "type": "int", "defaultValue": 3389 }, "healthExtensionRequestPath": { "type": "string", "defaultValue": "/" }, "overprovision": { "type": "bool", "defaultValue": false }, "upgradePolicy": { "type": "string", "defaultValue": "Manual", "allowedValues": [ "Manual", "Rolling", "Automatic" ] }, "maxBatchInstancePercent": { "type": "int", "defaultValue": 20 }, "maxUnhealthyInstancePercent": { "type": "int", "defaultValue": 20 }, "maxUnhealthyUpgradedInstancePercent": { "type": "int", "defaultValue": 20 }, "pauseTimeBetweenBatches": { "type": "string", "defaultValue": "PT5S" }, "securityType": { "type": "string", "defaultValue": "TrustedLaunch", "allowedValues": [ "Standard", "TrustedLaunch" ], "metadata": { "description": "Security Type of the Virtual Machine." } }, "encryptionAtHost": { "type": "bool", "defaultValue": false, "metadata": { "description": "This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine or virtual machine Scale set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. The default behavior is: The Encryption at host will be disabled unless this property is set to true for the resource." } } }, "variables": { "namingInfix": "[toLower(substring(format('{0}{1}', parameters('vmssName'), uniqueString(resourceGroup().id)), 0, 9))]", "addressPrefix": "10.0.0.0/16", "subnetPrefix": "10.0.0.0/24", "virtualNetworkName": "[format('{0}vnet', variables('namingInfix'))]", "subnetName": "[format('{0}subnet', variables('namingInfix'))]", "loadBalancerName": "[format('{0}lb', variables('namingInfix'))]", "natPoolName": "[format('{0}natpool', variables('namingInfix'))]", "bePoolName": "[format('{0}bepool', variables('namingInfix'))]", "natStartPort": 50000, "natEndPort": 50119, "natBackendPort": 3389, "nicName": "[format('{0}nic', variables('namingInfix'))]", "ipConfigName": "[format('{0}ipconfig', variables('namingInfix'))]", "imageReference": { "2022-datacenter-azure-edition": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", "sku": "[parameters('sku')]", "version": "latest" } }, "extensionName": "GuestAttestation", "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation", "extensionVersion": "1.0", "maaTenantName": "GuestAttestation", "maaEndpoint": "[substring('emptyString', 0, 0)]", "uefiSettingsJson": { "secureBootEnabled": true, "vTpmEnabled": true }, "rollingUpgradeJson": { "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]", "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]", "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]", "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]" } }, "resources": [ { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2022-05-01", "name": "[variables('virtualNetworkName')]", "location": "[parameters('location')]", "properties": { "addressSpace": { "addressPrefixes": [ "[variables('addressPrefix')]" ] }, "subnets": [ { "name": "[variables('subnetName')]", "properties": { "addressPrefix": "[variables('subnetPrefix')]" } } ] } }, { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2022-05-01", "name": "[parameters('publicIpName')]", "location": "[parameters('location')]", "sku": { "name": "[parameters('publicIpSku')]" }, "properties": { "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", "dnsSettings": { "domainNameLabel": "[parameters('dnsLabelPrefix')]" } } }, { "type": "Microsoft.Network/loadBalancers", "apiVersion": "2022-05-01", "name": "[variables('loadBalancerName')]", "location": "[parameters('location')]", "sku": { "name": "[parameters('publicIpSku')]", "tier": "Regional" }, "properties": { "frontendIPConfigurations": [ { "name": "LoadBalancerFrontEnd", "properties": { "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]" } } } ], "backendAddressPools": [ { "name": "[variables('bePoolName')]" } ], "inboundNatPools": [ { "name": "[variables('natPoolName')]", "properties": { "frontendIPConfiguration": { "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('loadBalancerName'), 'loadBalancerFrontEnd')]" }, "protocol": "Tcp", "frontendPortRangeStart": "[variables('natStartPort')]", "frontendPortRangeEnd": "[variables('natEndPort')]", "backendPort": "[variables('natBackendPort')]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]" ] }, { "type": "Microsoft.Compute/virtualMachineScaleSets", "apiVersion": "2022-03-01", "name": "[parameters('vmssName')]", "location": "[parameters('location')]", "sku": { "name": "[parameters('vmSku')]", "tier": "Standard", "capacity": "[parameters('instanceCount')]" }, "properties": { "virtualMachineProfile": { "storageProfile": { "osDisk": { "createOption": "FromImage", "caching": "ReadWrite" }, "imageReference": "[variables('imageReference')[parameters('sku')]]" }, "osProfile": { "computerNamePrefix": "[variables('namingInfix')]", "adminUsername": "[parameters('adminUsername')]", "adminPassword": "[parameters('adminPassword')]" }, "securityProfile": { "encryptionAtHost": "[parameters('encryptionAtHost')]", "securityType": "[parameters('securityType')]", "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), variables('uefiSettingsJson'), null())]" }, "networkProfile": { "networkInterfaceConfigurations": [ { "name": "[variables('nicName')]", "properties": { "primary": true, "ipConfigurations": [ { "name": "[variables('ipConfigName')]", "properties": { "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]" }, "loadBalancerBackendAddressPools": [ { "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('bePoolName'))]" } ], "loadBalancerInboundNatPools": [ { "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('natPoolName'))]" } ] } } ] } } ] }, "extensionProfile": { "extensions": [ { "name": "HealthExtension", "properties": { "publisher": "Microsoft.ManagedServices", "type": "ApplicationHealthWindows", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": false, "settings": { "protocol": "[parameters('healthExtensionProtocol')]", "port": "[parameters('healthExtensionPort')]", "requestPath": "[if(equals(parameters('healthExtensionProtocol'), 'TCP'), null(), parameters('healthExtensionRequestPath'))]" } } } ] }, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true } } }, "orchestrationMode": "Uniform", "overprovision": "[parameters('overprovision')]", "upgradePolicy": { "mode": "[parameters('upgradePolicy')]", "rollingUpgradePolicy": "[if(equals(parameters('upgradePolicy'), 'Rolling'), variables('rollingUpgradeJson'), null())]", "automaticOSUpgradePolicy": { "enableAutomaticOSUpgrade": true } } }, "dependsOn": [ "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]", "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]" ] }, { "condition": "[and(equals(parameters('securityType'), 'TrustedLaunch'), and(equals(variables('uefiSettingsJson').secureBootEnabled, true()), equals(variables('uefiSettingsJson').vTpmEnabled, true())))]", "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", "apiVersion": "2022-03-01", "name": "[format('{0}/{1}', parameters('vmssName'), variables('extensionName'))]", "location": "[parameters('location')]", "properties": { "publisher": "[variables('extensionPublisher')]", "type": "[variables('extensionName')]", "typeHandlerVersion": "[variables('extensionVersion')]", "autoUpgradeMinorVersion": true, "enableAutomaticUpgrade": true, "settings": { "AttestationConfig": { "MaaSettings": { "maaEndpoint": "[variables('maaEndpoint')]", "maaTenantName": "[variables('maaTenantName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" ] } ] }執行 ARM 範本部署。
$resourceGroupName = "myResourceGroup" $parameterFile = "folderPathToFile\parameters.json" $templateFile = "folderPathToFile\template.json" New-AzResourceGroupDeployment ` -ResourceGroupName $resourceGroupName ` -TemplateFile $templateFile -TemplateParameterFile $parameterFile驗證部署是否成功。 使用 Azure 入口網站檢查統一擴展集的安全性類型和 UEFI 設定。 檢查 [概觀] 頁面中的 [安全性類型] 區段。
如果統一擴展集升級模式設定為
Manual,請手動更新 VM 執行個體。$resourceGroupName = "myResourceGroup" $vmssName = "VMScaleSet001" Update-AzVmssInstance -ResourceGroupName $resourceGroupName -VMScaleSetName $vmssName -InstanceId "0"
復原
若要將可信啟動的變更復原至先前已知的良好設定,您必須將擴展集的 securityType 設定為 [標準]。
若要將可信啟動的變更復原至先前已知的良好設定,請將 securityProfile 設定為 [標準],如下所示。 您也可以選擇性地還原其他參數變更 - OS 映像、VM 大小,以及重複步驟 5-8,如在現有擴展集上啟用可信啟動所述
"securityProfile": {
"securityType": "Standard",
"uefiSettings": "[null()]"
}
下一步
(建議) 升級後啟用開機完整性監視,透過適用於雲端的 Microsoft Defender 監視 VM 的健康情況。