Six new security features for Windows Server 2022
Shielded
Checking Hardware Requirements
If you start with a fresh installation of a physical system that has not yet run a Secured-core server, you first need to make sure that your hardware has and uses a modern UEFI. Current systems that are certified to run Windows Server 2022 come with the necessary prerequisites. The chances are still good if you are using hardware that is three to five years old. If the option of a legacy BIOS mode does exist in the firmware settings for downward compatibility with older operating systems, it must be disabled. The further steps for enabling hardware-supported virtualization differ depending on the processor manufacturer, the other server hardware, and the UEFI version.
Hardware virtualization is called Intel VT-d/VT-x or AMD IOMMU, depending on the CPU vendor, but it can also be hidden under other terms or in a submenu depending on the manufacturer and version of the UEFI. Look for menu items such as Advanced, Processor Configuration, CPU Configuration, System Configuration, Chipset, Security, or Northbridge. Intel simply refers to hardware virtualization as Intel Virtualization Technology, VT-x, or on older systems, perhaps Vanderpool after the original internal code name from the development of this technology. AMD also refers to the whole thing as the Secure Virtual Machine (SVM) or AMD-V.
The Secure Boot and TPM configuration can be found in areas with titles like Advanced, Security, or Trusted Computing. Alternative locations for configuration are also Security Device, Security Device Support, AMD fTPM, AMD PSP fTPM, or Intel Platform Trust Technology (PTT). If in doubt, the documentation of the server or mainboard manufacturer will help.
Configuring Virtual Machines
System monitoring and DMA protection at startup time are reserved for instances of Windows Server 2022 that you install directly on a physical system. You can also use the remaining four components on virtual machines if the underlying hypervisor passes the necessary functions to VMs. To do this, create a second-generation VM in Microsoft Hyper-V and check the Enable Secure Boot and Enable Trusted Platform Module options in the Security area. Hyper-V meets the requirements for VBS and HVCI without any further action.
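The same Hyper-V settings can be checked and set from PowerShell on the host. The following is an added example, not code from the original article: it reports which guests are generation 2 with Secure Boot and a vTPM enabled, and enables the missing settings on a stopped VM. The function names are hypothetical, and the script assumes a standalone Hyper-V host where a local key protector is acceptable (no guarded fabric).

```powershell
#Requires -Modules Hyper-V

# Report, per VM, the Hyper-V prerequisites named in the text.
function Get-SecuredCoreVmReadiness {          # hypothetical helper name
    param([string[]]$VMName = (Get-VM).Name)
    foreach ($name in $VMName) {
        $vm   = Get-VM -Name $name
        $gen2 = $vm.Generation -eq 2
        # Firmware settings and the vTPM exist on generation 2 VMs only,
        # so the short-circuiting -and skips those queries for generation 1.
        $secureBoot = $gen2 -and ((Get-VMFirmware -VMName $name).SecureBoot -eq 'On')
        $tpm        = $gen2 -and (Get-VMSecurity -VMName $name).TpmEnabled
        [pscustomobject]@{
            Name       = $name
            Generation = $vm.Generation
            State      = $vm.State
            SecureBoot = $secureBoot
            TpmEnabled = $tpm
            Ready      = $gen2 -and $secureBoot -and $tpm
        }
    }
}

# Enable whatever is missing on one VM; supports -WhatIf for a dry run.
function Enable-SecuredCoreVmPrereq {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)
    $status = Get-SecuredCoreVmReadiness -VMName $VMName
    if ($status.Generation -ne 2) { throw "$VMName is generation 1; the generation cannot be changed after creation." }
    if ($status.State -ne 'Off')  { throw "$VMName must be shut down before its security settings are changed." }
    if (-not $status.SecureBoot -and $PSCmdlet.ShouldProcess($VMName, 'Enable Secure Boot')) {
        Set-VMFirmware -VMName $VMName -EnableSecureBoot On
    }
    if (-not $status.TpmEnabled -and $PSCmdlet.ShouldProcess($VMName, 'Enable vTPM')) {
        # A vTPM needs a key protector; an unset one comes back as a 4-byte placeholder.
        # Assumption: a local key protector is acceptable on this host.
        if ((Get-VMKeyProtector -VMName $VMName).Length -le 4) {
            Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
        }
        Enable-VMTPM -VMName $VMName
    }
}

# List every guest on this host that still lacks a prerequisite.
Get-SecuredCoreVmReadiness | Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

Run it in an elevated session on the Hyper-V host; `Enable-SecuredCoreVmPrereq -VMName <name> -WhatIf` shows the intended changes without applying them.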
For virtualization with VMware vSphere or ESXi, you need to enable VBS when creating a new VM in the sixth dialog step that determines the guest operating system family and version by checking the Enable Windows Virtualization Based Security [5] box. In the dialog that follows, define your VM's hardware configuration. You can add a virtual TPM by selecting Add New Device, but this only works if you have configured a key provider in your vSphere environment up front [6].
Securing VMs in Azure and Azure HCI
What works for VMs in your on-premises data center works just as well in the cloud. Microsoft supports the Secured-core server components in both its Azure Cloud and Azure Stack hyperconverged infrastructure (HCI). As part of this infrastructure, Microsoft, in cooperation with OEMs, offers certified hardware that you can run in your own data center while still managing it in a unified way with your resources in the cloud in the Azure portal.
If you want to install a Secured-core server in Azure, it is important to note that you need to make this decision when you create the VM. Secured-core server cannot be retrofitted to existing VMs, leaving a new installation as your only option. You will find the settings for this on the first page of the New Virtual Machine Wizard. In the Security type drop-down box, select Trusted launch virtual machines instead of Standard. As on a local Hyper-V host, this is a second-generation VM [7]. A link will then appear below the drop-down box; you can use it to configure the VM's security features. Two options, Secure boot and vTPM, are already enabled by default.
Now you have all the prerequisites for the Secured-core server in place at the hardware and virtualization levels. Everything else is done at the operating system level.