Secure Virtualization Infrastructure Flashcards

Question 1

Q

What is the Host Guardian Service?

Answer

A

A server role installed on a secure cluster of bare-metal servers that are able to measure the health of a Hyper-V host and release keys for powering on or live migrating shielded VMs. Runs the attestation service and key protection service.

Question 2

Q

What are the necessary requirements of a Guarded Fabric?

Answer

A

1 Host Guardian Service (usually cluster of 3 nodes)
1 or more guarded hosts
A set of shielded VMs

Question 3

Q

What are the requirements for deploying a host guardian service

Answer

A

At least 2 HGS Servers: Servers can be physical or virtual (3 total recommended)
Servers should have TPMs (2.0 recommended, 1.2 supported)
Server Core 2016+
Network line-of-site to fabric allowing HTTP
HTTPS certificate for access
Every 4C/4GB can handle 1000 Hyper-V Hosts

Question 4

Q

How do you handle disaster recovery for a Host Guardian Service?

Answer

A

Choose One

Install separate HGS in each DC to authorize shielded VMs
Install HGS stretch cluster between two or more datacenters
Register Hyper-V with another HGS as a failover

NOTE: HGS should be backed up by exporting its configuration for local recovery

Question 5

Q

What services (functions) are provided by the host guardian service?

Answer

A

Attestation: Ensures only trusted Hyper-V Hosts can run shielded VMs
Key Protection: Provides keys necessary to power on and live migrate shielded VMs to other guarded hosts.

Question 6

Q

What security benefit is gained from shielded VMs?

Answer

A

If a VM is exported or copied, the VM cannot be run as it is only allowed to run from protected systems.

Question 7

Q

What are the different attestation modes?

Answer

A

TPM-Trusted attestation (Hardware based)
Host Key Attestation (based on asymmetric key pairs)
Admin-trusted attestation (AD based; depreciated in Server 2019)

Question 8

Q

What attestation mode is recommended in a guarded fabric?

Answer

A

TPM-Trusted mode. It offers stronger assurances bv ensuring the guarded hosts are approved based on their TPM identity, measured boot sequence, and code integrity policies.

Question 9

Q

What are the requirements for TPM-trusted attestation/

Answer

A

TPM 2.0 and UEFI 2.3.1 with Secure Boot

Question 10

Q

If a Hyper-V Host does not have TPM 2.0 can it still be part of a guarded fabric?

Answer

A

Yes. It requires a compromise by using Hosted Key Attestation instead of TPM attestation. Hosted Key Attestation utilizes asymmetric keys to validate hosts.

Question 11

Q

What is Admin-trusted attestation?

Answer

A

This attestation mode uses AD Group Membership to attest a guarded fabric. It is being deprecated in Server 2019 in favor of Host Key Attestation.

Question 12

Q

What are the primary use cases for Shielded VMs and Guarded Fabric?

Answer

A

Cloud Providers and Enterprise Clouds

Question 13

Q

What types of VMs can be run on a guarded fabric?

Answer

A

Normal VMs with no protection
Encryption-supported VMS who can be configured by fabric admins
Shielded VMs who are protected in a way that cannot be disabled by fabric admins

Question 14

Q

How does the guarded host determine a VM is still protected after the VM has been started?

Answer

A

In addition to the initial check of the VM at boot, TPM-trusted attestation checks the VM every 8 hours after its boot.

Question 15

Q

Which HGS attestation mode would you use if the goal is to protect VMs from malicious admins or a compromised fabric?

Answer

A

TPM attestation. This mode works well for multi-tenant hosting as well as high-value enterprise environments.

Question 16

Q

You work for a company that has industry-specific compliance settings that require that VMs be encrypted at rest and in flight. Which HGS attestation mode accommodates this requirement?

Answer

A

Host Key Attestation. Works well for general purpose data centers where fabric admins are trusted and are allowed access to guest VMs.

Question 17

Q

What powershell cmdlets can be used to backup and restore an HGS?

Answer

A

Export-HgsServerState

Import-HgsServerState

Question 18

Q

What version of Windows Server is required for a server to be made a Guarded Host?

Answer

A

Host Key Attestation: Server 2019 Standard or Datacenter

- TPM-Based: Server 2016+ Standard or Datacenter

Question 19

Q

What needs configured so the fabric (host) domain and the HGS domain can communicate?

Answer

A

DNS forwarding

Question 20

Q

Why is HGS relegated to its own forest?

Answer

A

The AD for HGS is treated as sensitive because its administrators have access to the keys that control shielded VMs. The environment is self-contained and thus a known good source.

Question 21

Q

Can an HGS be installed in an existing Bastion forest?

Answer

A

Yes. HGS can be installed in an existing bastion forest. The only real forest requirement for the HGS is that it be configured in the root domain of the forest.

Question 22

Q

What cmdlet will install the Host Guardian Service role?

Answer

A

Install-WindowsFeature -Name HostGuardianServiceRole - IncludeManagementTools -Restart

Question 23

Q

What command will install an HGS in its own dedicated forest?

Answer

A

Install-HgsServer -HsgDomainName $DomainName -SafeModeAdministratorPassword $PwdSecString -Restart

Question 24

Q

What is the process to add HGS to an existing Bastion Forest?

Answer

A

Install HGS Role
Join HGS to existing domain (HGS must be added to the root domain)
Create security group for HGS Nodes
Create gMSA for the HGS (gMSA will need to be able to generate events in the security log on the HGS server)
Configure/Create JEA Security Groups. JEA is not required to manage HGS but it must be configured.
Create 2 groups: Admins and Reviewers
Configure/Create cluster computer objects
Prestage the computer accounts if the Hgs Account cannot create computers. Whoever runs the Initialize-HgsServer command needs full control over the cluster object and the security object.
Configure security.

Question 25

Q

What is the function of the certificates on the HGS?

Answer

A

HGS certificates are used to protect the sensitive information needed to start a shielded VM. They never leave the HGS are are only used to decrypt VM keys.

Question 26

Q

What are the requirements of the HGS Certificate?

Answer

A

Key Algorithm: RSA
Minimum key size: 2048 bits
Signature Algorithm: Recommended SHA256
Key Usage: Digital Signature and Data Encipherment
EKU: Server Authentication
Key renewal policy: Renew with the same key
Subject Name: Recommended to use the company web address

Question 27

Q

What names are required on the HGS SSL Certificate?

Answer

A

Subject Name: Name of the HGS Cluster. This is the name supplied with Initialize-HGSServer
SAN: If a different DNS name is used to access the cluster, include it as a SAN

Question 28

Q

In which version of Windows was the ability to list a second set of HGS Urls for the Shielded VMs made available?

Answer

A

Server 2016 version 1709

Question 29

Q

If you configure a failback HGS, what must be done to ensure that VMs can attest?

Answer

A

Ensure that either the servers have a shared encryption and signing certificates, or separate certificates are used to configure the HGS shielded VMs to use both HGS Servers
Attestation policies need to be in sync between the two clusters
Hyper-V hosts need to be Server 2016 version 1709 or Server 2019.
Run the command: Set-HgsClientConfiguration -FallBackKeyProtectionServerUrl $URL1 -FallbackAttestationServerUrl $URL2

Question 30

Q

How do you undo the fall back configuration for an HGS?

Answer

A

Run the command: Set-HgsClientConfiguration and omit any of the fallback data

Question 31

Q

How may certificates are needed on the HGS Cluster?

Answer

A

Two: One for signing and one for encryption

Question 32

Q

What cmdlet would configure an HGS Cluster using TPM attestation?

Answer

A

Initialize-HgsServer -TrustTPM

Question 33

Q

What cmdlet would allow you to run diagnostics against the HGS?

Answer

A

Get-HgsTrace -RunDiagnostics

Question 34

Q

How do you get a TPM’s Endorsement Key to use with TPM-trusted attestation?

Answer

A

Use the cmdlet Get-PlatformIdentifer to grab the key. You’ll need to output the XML portion of the command to a file

Question 35

Q

For (legacy) Admin-trusted delegation, how do you authorize servers to be part of the attestation service?

Answer

A

Add-HgsAttestationHostGroup -Name $GroupName -Identifier $GroupSID

Question 36

Q

What trusts need configured between the HGS Cluster and the production forest?

Answer

A

A one-way trust needs configured with the HGS trusting production

Question 37

Q

How does Active DIrectory-trusted attestation validate the guarded host’s configuration file?

Answer

A

It doesn’t. This can only be done with TPM-trusted attestation.

Question 38

Q

What cmdlet generates a new Code Integrity Policy?

Answer

A

New-CIPolicy
Note: You need to copy the policy file to the HGS using the following cmdlet: Add-HgsAttestationCIPolicy -Name $Policy -Path $PolicyP7B

Question 39

Q

How do you gather the TPM baseline policy from every host?

Answer

A

Get-HgsAttestationBaselinePolicy -Path $PolicyPath

Note: This needs run on every host with a different hardware profile.

Question 40

Q

How do you register the TPM policy with the attestation service?

Answer

A

Add-HgsAttestationTPMPolicy -Name $Policy -Path $PolicyPath

Question 41

Q

How do you configure guarded hosts to request keys for HGS Servers?

Answer

A

Run Get-HgsServer on the HGS Server to get the attestation URLs.
Run Set-HgsClientConfiguration -KeyProtectionServerURL $KPSUrl -AttestationUrl $AttestURL

Question 42

Q

What general steps need performed to create a guarded host using SCVMM?

Answer

A

Attestation Service Url - URL of the attestation service, part of the HGS. Confirms the host is authorized to run shielded VMs
Key Protection Service URL - URL of the key protection service, part of the HGS. Once a host passes attestation, it retrieves the key required to decrypt VMs from this service.
Code Integrity Policy File Share Path (Only required for TPM attested mode) - TPM Attestation requires a host to have a TPM 2.0 chip. A code integrity policy restricts the software that can run at the kernel level to only what the code integrity policy has.
Shielding Help VHD - Includes tools to convert existing non-shielded vms to shielded.

Question 43

Q

What are the steps to create a guarded host in SCVMM?

Answer

A

VMM Console \ Settings \ Host Guardian Service Settings.
a. Provide the attestation and Key Protection URLs (must be the same URLs across all hosts in VMM). Needs to be exactly what was entered on the hosts.
b. Add any CI Policies to VMM
c. Specify the location of the shielding helper VHD
For TPM-basted attestation: R-Click the Host \ Start Maintenance Mode
Configure Guarded Host: R-Click Host \ Host Guardian Service
a. Check “Enable the Host Guardian Service and use the URLs configured as global settings in VMM”
b. Check “Use a code integrity policy to restrict the software that can run on the host”
R-Click Host \ Stop Maintenance Mode

Question 44

Q

In which version of Windows were Shielded VMs introduced?

Answer

A

Server 2016

Question 45

Q

What generations of VMs do shielded VMs support?

Answer

A

Generation 2 VMs

Question 46

Q

What is a shielded VM?

Answer

A

A Generation 2 VM with virtual TPM, encrypted with BitLocker, and is restricted to run on healthy and approved hosts.

Question 47

Q

What assurances are offered by the Host Guardian Service?

Answer

A

BitLocker encrypted Disks (OS disks and data disks)
Deployment of new shiedled VMs from a trusted template
Protection of Passwords and other secrets
Tenant control of where a VM can be started

Question 48

Q

What are shielded template disks?

Answer

A

Trusted template disks for deploying shielded VMs that have computed signatures. These signatures are stored in a catalog.

When a shielded VM is provisioned the signature of the disk is computed and compared to the trusted signature. If the signatures match, the VM is deployed. If they do not match, the shielded VM is determined to be untrustworthy and the deployment fails.

Question 49

Q

What is a PDK File?

Answer

A

PDK files are known as shielding data files and are used to protect tenant keys and are uploaded to the fabric by the tenant. They protect important VM configuration data (admin password, RDP, and other certificates, domain join credentials, etc.).

Question 50

Q

Where are the tenant domain join credentials stored for shielded VMs?

Answer

A

PDK Files

These files also store certificates, admin password, and other important secure information.

Question 51

Q

What types of data is protected by a PDK file?

Answer

A

Administrator credentials
Answer file (unattend.xml)
Security Policy that determines whether the created VMs are configured as shielded or encryption supported
RDP Certificate
Volume signature catalog
Key protector that defines which guarded fabrics a VM is authorized to run on.

Question 52

Q

What is the difference in function between shielded VMs and encryption-supported VMs?

Answer

A

Shielded VMs are encrypted and protected from access by fabric admins.
Encryption-supported VMs can be encrypted but still are accessible by fabric admins.

Question 53

Q

What is the use case for encryption supported VMs?

Answer

A

Encryption-supported VMs are intended for use where the fabric admins are fully trusted. Fabric Admins can continue to manage the VMs in a convenient way.

Question 54

Q

What is the use case for shielded VMs?

Answer

A

Shielded VMs are intended to be used on fabrics where the data and the state of the VM must be secured from the fabric admins and untrusted software.

They never permit console connections or Powershell Direct connections.

Question 55

Q

What are the major differences between a shielded VM and encryption-supported VMs?

Answer

A

Shielded VMs require secure boot, vTPM, and that the VM state and live migration traffic be encrypted. Encryption supported VMs require these features but they are allowed to be modified.
Shielded VMs cannot use certain VM integration components (e.g. Data Exchange and Powershell Direct). ES-VMs can use all integration services.
Shielded VMs cannot use VM connection console and HID Devices. ES-VMs can use these (In Server 2016 1803 Shielded Vms can use some of these features)
Shielded VMs do not allow for COM/Serial ports for debuggers to be attached to the VM process.

Question 56

Q

What process is performed on the guarded host before a shielded VM can be turned on?

Answer

A

The VM is tested to be healthy by presenting a certificate of health to the Key Protection Service (KPS)

Question 57

Q

What information is sent as part of the host attestation process when a shielded VM is turned on?

Answer

A

For TPM-Trusted Attestation:

Identifying information about the TPM (endorsement key)
Information about started processes (TCG Log)
Code Integrity Policy

Host Key Attestation
- Hyper-V checks the key pair. HGS validates the key is registered

Admin-Trusted Attestation
- Hyper-V sends a Kerberos ticket identifying which security groups the host is in. HGS validates the host belongs to the correct security group.

Question 58

Q

What is the boot process for a shielded VM?

Answer

A

VM is powered on
Host requests attestation
Attestation is checked
Attestation certificate is sent to host
Host requests VM key
Key is released to host
Key is returned to host

Question 59

Q

Which versions of Windows can have shielded VMs?

Answer

A

Any version of Windows that supports Generation 2 VMs (2012 and newer)

Question 60

Q

When should you configure a shielded VM over an encryption supported VM?

Answer

A

Shielded VMs protect the VM from a compromised fabric.

Shielded VMs should be used where the fabric and the fabric administrators are not trusted.

Question 61

Q

What is required to decrypt a shielded VM?

Answer

A

An owner key - Cryptographic Key maintained by the owner that is used for last-resort recovery or troubleshooting - and one or more guardians (guarded host keys) - Each guardian is a server/fabric that an owner authorizes a VM to run on

Question 62

Q

What is an Owner Key?

Answer

A

Cryptographic key maintained by the owner that is used for decrypting a shielded VM. Often used as a last resort in troubleshooting. It consists of two certificates: encryption and signing and it can be created with a private or public PKI.

Only one owner key should ever be created, but multiple are allowed.

Host guardian keys should be different from owner keys.

Question 63

Q

How many owner keys can be created for a shielded VM?

Answer

A

Many. The best practice is only one should be created.

Question 64

Q

Should owner keys and host guardian keys be the same keys?

Answer

A

No. It is best practice they be created separately.

Answer 65

A

Security Level : Shielded or Encryption-supported
Owner and list of trusted Host Guardians where the VM can run
VM initialization data (unattend.xml, RDP Cert, etc.)
List of trusted signed template disks for creating the VM in the virtualization environment.

Answer 66

A

If a given VM requires any of the four items in a data file (security level, owner, initialization data, and trusted template disks) to be different, a new data file is needed. Shielding data files can be used over and over again so a single file can be used to create multiple VMs.

Answer 67

A

Create a shielded VM in the environment and upload it to the virtualization fabric.
Create a new shielded VM from a signed template on the fabric.
Shield an existing VM (Must be Generation 2 and running Server 2012+)

Answer 68

A

Use an existing signed template disk provided by the virtualization provider. VM Provider maintains the signed template disk.
Upload a signed template to the virtualization fabric. VM owner maintains the template.

Answer 69

A

Offline mode allows a shidled VM to turn on if an HGS cannot be reached as long as the configuration of the Hyper-V host has not changed. Offline mode utilizes a special version of the VM TPM key protector and requires the absolute latest version of Windows Server (not GA).

Answer 70

A

Use the Shielded Template Creation WIzard

Powershell: Protect-TemplateDisk

Answer 71

A

Must use a GPT disk
Disk type must be basic
Disk must be two partitions: OS and BootLoader
Must use NTFS
OS must be Server 2012/Windows 8 or newer
OS must be sysprepped

Answer 72

A

Install-WindowsFeature -Name RSAT-Shielded-VM-Tools -Restart

Answer 73

A

Copy generalized VHDX with proper configuration to the server.
Install t he shielded VM tools (RSAT-Shielded-VM-Tools)
Obtain or create a certificate to sign the VSC for the VHDX
Launch the template disk wizard (TemplateDiskWizard.exe)
Choose the certificate
Provide a friendly disk name and version
Generate the disk

Answer 74

A

Create a template disk VHDX u sing the standard creation process
Refresh the library server. Navigate to Library \ expand Library Servers \ R-Click the library and choose Refresh
Provide VMM with information about the OS on the disk

Answer 75

A

The icon has a shield next to it. You can also enable the shielded column which will tell if a template is shielded or not.

Answer 76

A

Library \ Create VM Template
Choose “Use an existing VM Template or virtual hard disk stored in the library” \ Click Browse
Enable the shielded column for easier searching and select a prepared template disk from the library
Specify the VM Name
Specify the VM capabilities
Provide the correct OS Product Key

Answer 77

A

Protect-TemplateDisk -Certificate $Cert -path $VhdPath -TemplateName $TemplateName -Version $VersionNum

Answer 78

A

Save-VolumeSignatureCatalog -TemplateDiskPath $VhdPath -VolumeSignatureCatalogPath $VSCPath

Answer 79

A

THis file is used to provide information about the signing certificate, disk name, and version to the VM owners wanting to use a protected VM template. This file needs to be imported into the Shielding Data File Wizard to authorize someone to create template disk for them.

Answer 80

A

Management Features like console connection, Powershell Direct, and some integration components are disabled.
Secure Boot, TPM, and Encrypt State and Virtual Machine traffic are automatically enabled with shielding

Answer 81

A

Yes. However, to move the VM to another host requires the Key Protector for the VM to authorize the host.

Answer 82

A

Install HGS Feature
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
Install HGS Server (possibly after reboot)
Install-HgsServer -HgsDomainName $HgsDomain -SafeModeAdministratorPassword $SecureString -Restart
Create a self signed cert: one for signing and one for encryption - Export them as PFX
- $Cert = New-SelfSignedCertificate -Subject “CN=Hgs Signing Certificate”
- Export-PfxCertificate -FIlePath $SignCertPath -Password $CertPass -Cert $Cert
- Remove-Item $Cert.PSPath
- $EncCert = New-SelfSignedCertificate -Subject “CN=HGS Encryption Certificate”
- Export-PfxCertificate -FilePath $EncCertPath -Password $CertPass -Cert $EncCert
- Remove-Item $EncCert.PSPath
Initialize HGS - Configure HGS Cluster and WebServices
- Initialize-HgsServer -LogDirectory $Directory -HgsServiceName HGS -Http -TrustActiveDirectory -SigningCertificatePath $SignCertPath -SigningCertificatePassword $SignPwd -EncryptionCertificatePath $EncCertPath -EncryptionCertificatePassword $EncPwd
Validate HGS Server configuration
- Get-HgsTrace -RunDiagnostics

Answer 83

A

Install-WindowsFeature HostGuardianService
Install-HgsServer
Create 2 Certificates: Signing and Encryption
Initialize-HgsServer
Get-HgsTrace -RunDiagnostics

Answer 84

A

The Fabric AD must trust the HGS Forest
A DNS Conditional Forwarder must be configured in the fabric AD
A HgsHosts group needs configured in the fabric AD

Answer 85

A

One HGS Server running Server 2016

- One guarded Hyper-V host running Server 2016

Answer 86

A

Shielded VM Started
Attestation Client initializes the attestation
Host presents a Kerberos Service Ticket
HGS validates group membership in the AD attestation group
HGS issues a signed certificate encrypted to the host.

Answer 87

A

Fabric AD must trust the HGS FOrest
DNS conditional Forwarder must be configured in the fabric ad
A HGSHosts group needs configured in the fabric AD

Answer 88

A

Add-DnsConditionalForwarderZone

Answer 89

A

Netdom trust $DomainA /domain:$DomainB /userD:$DomainBUser /passwordD:$DomainBPassword /ad

Answer 90

A

Add-HgsAttestationHostGroup -Name $GroupName -Identifier $SID-of-Group

Answer 91

A

It secures the system at the hardware level.

Answer 92

A

You cannot. The Key is fixed into the TPM at manufacture and cannot be changed.

Answer 93

A

Initialize HGS Cluster in New Forest
Install Trusted Root TPM Certificates
Configure DNS on the Fabric
Retrieve the TPM Identifier (guarded host’s TPM 2.0 EK)
Create CI Policy that will be used
Capture TPM Baseline
Configure Hyper-V Guarded Host’s HGS Server

Answer 94

A

Get-PlatformIdentifier -Name $Name

Answer 95

A

Add-HgsAttestationTpmHost -Name $Name -Path $TPM _EK.xml

Answer 96

A

Add-HgsAttestationCIPolicy -Name $Policy -Path $Policy_P7B

Answer 97

A

Get-HgsAttestationBaselinePolicy - Path $BaseLinePath_Bin

Answer 98

A

Add-HgsAttestationTPMPolicy -Name $TPMPolicy -Path $BaselinePath

Answer 99

A

It provides the transport keys that are required to unlock and run shielded VMs on healthy Hyper-V hosts.

Answer 100

A

Use HSM-backed keys

Answer 101

A

Initialize-HgsServer

Answer 102

A

Add-HgsKeyProtectionCertificate

Answer 103

A

Get-HgsKeyProtectionCertificate

Answer 104

A

Set-HgsKeyProtectionCertificate

Answer 105

A

Local Computer

Answer 106

A

Launch IIS
Select Application Protocols
Open “Local Machine Certificate Management Console” (Certlm.msc)
Locate encryption and signing keys
Right Click each certificate \ All Tasks \ Manage Private Keys \ Grant Read permissions to the KPS Service \ Choose the KeyProtection App pool

Answer 107

A

No. They all utilize the same keys and will need to have them exported to them and have access granted so they can all be read.

Answer 108

A

Get-HgsClientConfiguration

Answer 109

A

Get-HgsClientConfiguration

Answer 110

A

Open the follwoing URL in the browser: http://localhost/KeyProtection/service/metadata/2014-07/metadata.xml

Answer 111

A

Normal VMs (No Protections)
Encryption Supported VMs
Shielded VMs

Answer 112

A

Open fabric workspace \ Find host group with guarded hosts
Find the host to inspect \ R-Click and choose View Status \ Find measurements under HGS Client Overall
Rectify any warnings.

Answer 113

A

Configure VMM globals with the URLs of the fabric’s HGS Cluster

Answer 114

A

Remote Powershell

- Microsoft Scripts (e.g. PrepareNanoTP5.ps1)

Answer 115

A

Copy NanoServerImageGenerator to local system
Run Powershell
Navigate to the folder where NanoServerImageGenerator lives
Import-Module .\NanoServerImageGenerator
Create Media Path
Copy the required files to enable Nano to work with the Guarded Hosts.

Answer 116

A

New-NanoServerImage -MediaPath $MediaPath -TargetPath $NanoVHDPath -ComputerName $NanoName -OEMDrivers -Computer -DeploymentType Host -Edition Datacenter -Packages Microsoft-NanoServer-SecureStartup-Package,Microsoft-NanoServer-ShieldedVM-Package -EnableRemoteManagementPort -CopyFiles $FIlesToCopy -SetupCompleteCommands @(“Powershell.exe -noninteractive -executionpolicy bypass -file C:\PrepareNanoTP5.ps1) -Domain $Domain

Answer 117

A

Microsoft-NanoServer-SecureStartup-Package

Microsoft-NanoServer-ShieldedVM-Package

Answer 118

A

Mount the generated VHDx
Run bcdboot $VHDXDriveLetter\Windows
Unmount VHDX
Restart Computer

Answer 119

A

VM must use GPT Disks (pre-req for Gen 2 VMs and UEFI)
Basic Disks must be used (BitLocker doesn’t support Dynamic Disks)
Disks must have a least 2 partitions: Windows OS Secured with BitLocker and the unencrypted bootloader
NTFS
Guest OS must support Gen 2 VMs and Secure Boot
OS must be generalized via Sysprep
VMs must be running Server 2016 Enterprise Edition

Answer 120

A

No. The ability to attach a debugger is disabled and cannot be enabled for Generation 2 VMs

Answer 121

A

Export HGS configuration locally
Stop the VM
Create a new Key Protector
Ensure vTPM is enabled

Answer 122

A

Invoke-WebRequest Http://$HgsHost/KeyProtection/service/metadata/2014-07/metadata.xml -Outfile $FilePath

Answer 123

A

$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedBoot
Set-KeyProtector -VMName $VM -KeyProtector $KP.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded $True

Answer 124

A

Enable-VMTPM -VMName $VM

Answer 125

A

Ensure the HGS is available and that the VMs are running on a healthy Hyper-V Host
Make sure VMs are all Gen 2

Answer 126

A

Try one of the following

Disable the shielded data security profile
Copy the VM VHDX file to a secure host, create a new Gen 2 VM based on the VHDX and use the BitLocker Recovery Key to access the VM

Answer 127

A

Export the VM from the guarded host
Import the VM into Hyper-V
Powershell: Set-VMSecurityProfile -VMName $VM -ShieldingRequested $false
Hyper V \ Open VM Settings \ Security \ Security Profile \ Set “Shielded” to “No Additional Protection”

Answer 128

A

Get-VMSecurity -VMName $VM | Select-Object ShieldedRequested,Shielded

Answer 129

A

Get-VMSecurity -VMName $VM | Select-Object TpmEnabled

Answer 130

A

The VM has moved from its Host Guardian and should be moved back to another HGS server with the proper configuration.
NOTE: This shows in VMM as “Error 12700 VMM cannot complete the host configuration”

Answer 131

A

Self Signed certificates are being used as the guardian keys
Use the parameter -AllowUntrustedRoot with the New-HgsKeyProtector command to allow self signed certificates.

Brainscape's Knowledge GenomeTM

Secure Virtualization Infrastructure Flashcards

Guarded Fabric Shielded VMs Encryption Supported VMs

Brainscape's Knowledge Genome^TM