Single Host Shielded VMs Lab/PoC

Hi, Matthew Walker again. Virtualization and High Availability PFE. Recently I worked with a few of my co-workers to present a lab on building out Shielded VMs and I thought this would be useful for those of you out there wanting to test this out in a lab environment.

First a little backstory on Shielded VMs and why you would want to use them.

Shielded VMs are new in Windows Server 2016, and in a production environment they can only be run on Windows Server 2016 Datacenter Edition. Shielded VMs, when properly configured, use BitLocker to encrypt the drives, prevent access to the VM through the VMConnect console, encrypt the VM's data during a live migration, and block the fabric admin by disabling a number of integration components, so the only access to the VM is through RDP to the VM itself. With proper separation of duties this protects sensitive systems so that only those who need access to them can get at the data, and it prevents the VMs from being started on untrusted hosts. More information on Shielded VMs can be found at https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node

In my position I frequently have to demo or test in a number of different configurations, so I have created a set of configurations that work with a scripted solution to build out labs. The solution is available on GitHub at https://aka.ms/labbuilder ; in addition I have a fork of it at https://aka.ms/mwlabbuilder . At the moment there are some differences between the two, and only my fork will work with the configurations I have. The configurations I have created are at https://aka.ms/shieldedvmspoc.

Now, before you set up your own environment, I should lay out the specs of the environment I created this on.

i7-6820HQ 4-core processor with Hyper-Threading enabled

32 GB of RAM

500 GB SSD to run the VMs from (the SSD is really important: the disk I/O load these VMs generate can have a negative effect on them and may cause failures on spinning drives).

Windows Server 2016 with the latest cumulative update as the host.

(All of the above is actually a Hyper-V VM running on my Windows 10 system; I leverage nested virtualization to accomplish this, since some of my configs require Windows Server.)

Here is the list of files that need to be downloaded in preparation:

  1. LabBuilder scripts https://aka.ms/mwlabbuilder
  2. LabBuilderLabs scripts https://aka.ms/shieldedvmspoc
  3. Eval ISO for Windows Server 2016
  4. Eval Installer files for SCVMM https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2016
  5. Eval Installer files for SQL 2014 SP2 https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2
  6. ADK files compatible with Windows Server 2016 https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit

Optional items to download if you want to try some of the other configurations:

  1. Eval ISO for Windows Server 2012 R2
  2. WMF 5.1 update for Windows Server 2012 R2

So first, download the LabBuilder and LabBuilderLabs files.

Extract them to a directory on your system that you want to run the scripts from. You will need a good bit of space, as we will be creating template VMs here from the ISOs.

I used the E drive on my system.

Once you have extracted each of the files from GitHub you should have a folder like the screenshot below.

By default these files will be marked as blocked, which prevents the scripts from running, so we first need to unblock them.

If you open an administrative PowerShell prompt and change to the directory the files are in, you can use the Unblock-File cmdlet to resolve this.

I ran “Get-ChildItem -Recurse | Unblock-File” to cover all the folders and subfolders.

We need to create a few more folders and add in some additional items.

First, we need a Tools folder.

Within the Tools folder we need to create a few more subfolders: Files, Help, ISOs, SCVMM and SQL.

In the Files folder we will be placing some files needed for SCVMM, namely the Windows ADK installers.

You will also need the Windows Assessment and Deployment Kit from https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit – get the version for Windows 10, version 1607 or higher. This requires you to download ADKSetup, run it, and select the option to save the installer files rather than install them.

Inside the Files folder it should look like the screenshot below.

The ADK folder should be like this.

Moving back up, we need to download the eval copies of SQL and SCVMM from the TechNet Eval Center (you will have to register to download these).

The SQL eval edition is at https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2 (SQL 2016 doesn’t work with these scripts at this time due to changes in the install routine), and System Center Virtual Machine Manager is at https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2016

Extract the downloaded files into the folders in the Tools directory; the SCVMM folder should look as below.

And the SQL folder should look as below.

The Help folder under Tools is not really necessary; however, to ensure I have the latest PowerShell help files available, I run the Save-Help cmdlet to download and save the files so I can install them on other systems.

The syntax is (again using the E: drive in my case) “Save-Help -DestinationPath E:\BuildLabs\Tools\Help\”. By default this only gets the help files for installed modules, so I generally run it on a system where I have installed all the Remote Server Administration Tools to cover as many modules as possible.

Again, this isn’t necessary, but I do it to have those help files available to install on the VMs using the Update-Help cmdlet.

You don’t need anything in the ISOs folder; it will get auto-populated later.

Next, we move back up to the main folder and populate the Resources folder, so again create a new folder named Resources.

Inside this folder we need the latest cumulative update for Server 2016 (https://support.microsoft.com/en-us/help/4038782/windows-10-update-kb4038782) and the servicing stack update (https://support.microsoft.com/en-us/help/4035631/servicing-stack-update-for-windows-10-version-1607-and-windows-server), so please download those from the Windows Update Catalog. While these are not the latest cumulative updates, they were the latest I downloaded and tested with, and they are the ones referenced in the config files.

I also include the WMF 5.1 update for 2012 R2 for other lab scenarios, but it isn’t needed here. (If you want the files, the link is https://support.microsoft.com/en-us/help/3191564/update-for-windows-management-framework-5-1-for-windows-8-1-and-window )

Next, we need to go into the Configurations folder.

In the Configurations folder is another folder titled ISOFiles; this is where we place our ISO for Server 2016.
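The folder preparation above, collected into one script. This is an added example, not part of the original post or the LabBuilder scripts; it assumes the extracted files live under E:\BuildLabs (the drive letter used in the post) and that the saved ADK installer files go in a Files\ADK subfolder.

```powershell
# Added example (not from the original post): lays out the folder structure
# the post describes, unblocks the downloaded scripts and saves the help files.
# Assumption: the extracted LabBuilder files live under E:\BuildLabs; change
# $Root to match your system.
$Root = 'E:\BuildLabs'

# Folder layout from the post: Tools with its subfolders (Files\ADK is an
# assumed location for the saved ADK installer files), Resources for the
# updates, Configurations\ISOFiles for the Server 2016 ISO. The ISOs folder
# stays empty; SetupLab.ps1 fills it later.
$Folders = @(
    'Tools\Files\ADK',
    'Tools\Help',
    'Tools\ISOs',
    'Tools\SCVMM',
    'Tools\SQL',
    'Resources',
    'Configurations\ISOFiles'
)
foreach ($Folder in $Folders) {
    $Path = Join-Path $Root $Folder
    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
}

# Files downloaded from the internet carry a Zone.Identifier stream that
# stops the scripts from running; clear it from everything under the root.
Get-ChildItem -Path $Root -Recurse -File | Unblock-File

# Optional: save the PowerShell help files so they can be installed in the
# lab VMs later with Update-Help. Only covers modules installed on this system.
Save-Help -DestinationPath (Join-Path $Root 'Tools\Help') -ErrorAction SilentlyContinue

# Report which folders are still empty before running SetupLab.ps1.
$Expected = @{
    'Configurations\ISOFiles' = 'Windows Server 2016 eval ISO'
    'Tools\SCVMM'             = 'extracted SCVMM 2016 eval installer'
    'Tools\SQL'               = 'extracted SQL 2014 SP2 eval installer'
    'Tools\Files\ADK'         = 'saved ADK installer files'
    'Resources'               = 'Server 2016 cumulative and servicing stack updates'
}
foreach ($Entry in $Expected.GetEnumerator()) {
    $Path = Join-Path $Root $Entry.Key
    if (-not (Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue)) {
        Write-Warning "$($Entry.Key) is empty: add the $($Entry.Value)"
    }
}
```

Run it from an administrative PowerShell prompt; the warnings at the end tell you which downloads are still missing.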

I know it seems like a lot, but now that we have all the necessary components we can go through the setup to create the VMs.

Select SetupLab.ps1 and choose “Run with PowerShell”.

You may receive a prompt to run the file depending on your execution policy settings, and you may be prompted for an admin password, as the script must be run elevated.

Once the prompt is elevated it will show a “Press any key to continue…” prompt; just press Enter or the space bar.

First it will download any DSC modules we need to work with the scripts.

You may be prompted to trust the NuGet repository in order to download the modules – type Y and hit Enter.

It will then display the current working directory and pop up a window to select the configuration to build. If you want to try the Hyper-V Demo, Combo or Software Defined Storage environments, they require a 2012 R2 ISO, so make sure you get that ISO from the Eval Center; but for this blog we want to select the Shielded VM Lab. (The DSC Lab environment doesn’t work at this time; it is in development.)

Click Ok.

You will then be prompted to provide a path to set up the VMs in (the default is current drive\Labs, in my case E:\Labs).

I’m going to specify E:\SVMsLab in this case.

The script will then verify that Hyper-V is installed, and if the host is a server it will install the Failover Clustering feature if it is not already installed (this is not needed for shielded VMs; sorry, I need to change the logic on that).

The script may appear to hang for a few minutes, but it is actually copying the .NET 3.5 installer out of the ISO and copying the ISO into the Tools folder, so it can take a while.

Once that completes it should start creating the necessary settings in Hyper-V (virtual switches) and creating the VHDX template files that the VMs are built from later. The error shown below is normal and not a concern.

Creating the template files can take quite a long time, so just relax and let it run.

Once the first VM (the Domain Controller) is created, the script waits until it is fully configured before the other VMs get created. You will see the following message when that occurs.

This piece can take a long time, as the Desired State Configuration components are creating the domain and installing SQL and SCVMM on this first VM.

Periodically during this time you will see messages such as the one below indicating the status.

Once all resources are in the desired state, the next set of VMs will be created. When the script finishes, however, those VMs are not completely configured: DSC is still running in them to finish out the configuration, such as joining the domain or installing roles and features. Inside those VMs you can run Get-DscConfigurationStatus to determine the state of DSC and whether it has finished. This usually doesn’t take too long.

When complete you should have the three VMs shown below.

So, there you have it: a couple of VMs and a DC to begin building a virtualized environment in which you can test and play with shielded VMs a bit.

Lab3_SHVMS2 is your DC, Lab3_SHVMS1 is the host that can run Hyper-V, and Lab3_SHVMS3 is where you will configure your Host Guardian Service.
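Rather than logging in to each VM to run Get-DscConfigurationStatus, you can check all three from the Hyper-V host over PowerShell Direct. This is an added example, not part of the original post or the LabBuilder scripts; it assumes you run it as an administrator on the host and that $Credential is a local administrator account inside the lab VMs.

```powershell
# Added example (not from the original post): polls the three lab VMs over
# PowerShell Direct and reports whether the DSC configuration inside each one
# has finished. Assumes this runs elevated on the Hyper-V host and that the
# supplied credential is a local administrator in the guests.
$VMNames    = 'Lab3_SHVMS2', 'Lab3_SHVMS1', 'Lab3_SHVMS3'
$Credential = Get-Credential -Message 'Local administrator account in the lab VMs'

function Get-LabDscState {
    param([string[]]$Name, [pscredential]$Credential)
    foreach ($VM in $Name) {
        # -VMName uses PowerShell Direct, so no guest networking or firewall rules are needed.
        $Result = Invoke-Command -VMName $VM -Credential $Credential -ErrorAction SilentlyContinue -ScriptBlock {
            $Lcm = Get-DscLocalConfigurationManager
            # Get-DscConfigurationStatus errors while a run is in progress; fall back to the LCM state.
            try   { $Last = Get-DscConfigurationStatus -ErrorAction Stop }
            catch { $Last = $null }
            [pscustomobject]@{
                LcmState      = $Lcm.LCMState
                LastRunStatus = if ($Last) { $Last.Status } else { 'InProgress' }
                NotInDesired  = if ($Last) { $Last.ResourcesNotInDesiredState.Count } else { -1 }
            }
        }
        if (-not $Result) {
            # VM is off, still rebooting, or the credential was rejected.
            $Result = [pscustomobject]@{ LcmState = 'Unreachable'; LastRunStatus = 'Unknown'; NotInDesired = -1 }
        }
        [pscustomobject]@{
            VM            = $VM
            LcmState      = $Result.LcmState
            LastRunStatus = $Result.LastRunStatus
            NotInDesired  = $Result.NotInDesired
            # Finished means the LCM is idle, the last run succeeded and nothing is left to fix.
            Finished      = ($Result.LcmState -eq 'Idle' -and
                             $Result.LastRunStatus -eq 'Success' -and
                             $Result.NotInDesired -eq 0)
        }
    }
}

# Poll once a minute until every VM reports Finished.
do {
    $States = Get-LabDscState -Name $VMNames -Credential $Credential
    $States | Format-Table -AutoSize
    if (-not ($States.Finished -contains $false)) { break }
    Start-Sleep -Seconds 60
} while ($true)
```

A VM that shows Unreachable for a long time is usually still rebooting as part of its DSC run; one that settles on a LastRunStatus of Failure is worth opening with VMConnect to read the DSC event log.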

So now grab the documentation linked at the top and you can get started without having to build out the base yourself.

I hope this helps you get started playing with some of the new features we have in Windows Server 2016.

Matthew Walker, PFE