Prepare a Windows VHD or VHDX to upload to Azure

Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size allowed for the OS VHD on a generation 1 VM is 2 TB.

You can convert a VHDX file to VHD and convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation. For more information, see Should I create a generation 1 or 2 VM in Hyper-V? and Support for generation 2 VMs on Azure.

For information about the support policy for Azure VMs, see Microsoft server software support for Azure VMs.

Note

The instructions in this article apply to:

  • The 64-bit version of Windows Server 2008 R2 and later Windows Server operating systems. For information about running a 32-bit operating system in Azure, see Support for 32-bit operating systems in Azure VMs.
  • If any Disaster Recovery tool will be used to migrate the workload, like Azure Site Recovery or Azure Migrate, this process is still required on the Guest OS to prepare the image before the migration.

System File Checker

Run Windows System File Checker utility before generalization of OS image

The System File Checker (SFC) is used to verify and replace Windows system files.

Important

Use an elevated PowerShell session to run the examples in this article.

Run the SFC command:

sfc.exe /scannow
Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

After the SFC scan completes, install Windows Updates and restart the computer.

Set Windows configurations for Azure

Note

The Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS in the generalized image. If it is disabled, the Windows VM will be stuck at out-of-box experience (OOBE).

  1. Remove any static persistent routes in the routing table:

    • To view the routing table, run route.exe print.
    • Check the Persistent Routes section. If there's a persistent route, use the route.exe delete command to remove it.
  2. Remove the WinHTTP proxy:

    netsh.exe winhttp reset proxy
    

    If the VM needs to work with a specific proxy, add a proxy exception for the Azure IP address (168.63.129.16) so the VM can connect to Azure:

    $proxyAddress='<your proxy server>'
    $proxyBypassList='<your list of bypasses>;168.63.129.16'
    netsh.exe winhttp set proxy $proxyAddress $proxyBypassList
    
  3. Open DiskPart:

    diskpart.exe
    

    Set the disk SAN policy to Onlineall:

    DISKPART> san policy=onlineall
    DISKPART> exit
    
  4. Set Coordinated Universal Time (UTC) time for Windows. Also, set the startup type of the Windows time service w32time to Automatic:

    Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation -Name RealTimeIsUniversal -Value 1 -Type DWord -Force
    Set-Service -Name w32time -StartupType Automatic
    
  5. Set the power profile to high performance:

    powercfg.exe /setactive SCHEME_MIN
    
  6. Make sure the environmental variables TEMP and TMP are set to their default values:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name TEMP -Value "%SystemRoot%\TEMP" -Type ExpandString -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name TMP -Value "%SystemRoot%\TEMP" -Type ExpandString -Force
    

Check the Windows services

Make sure that each of the following Windows services is set to the Windows default value. These services are the minimum that must be configured to ensure VM connectivity. To set the startup settings, run the following example:

Get-Service -Name BFE, Dhcp, Dnscache, IKEEXT, iphlpsvc, nsi, mpssvc, RemoteRegistry |
  Where-Object StartType -ne Automatic |
    Set-Service -StartupType Automatic

Get-Service -Name Netlogon, Netman, TermService |
  Where-Object StartType -ne Manual |
    Set-Service -StartupType Manual

Update remote desktop registry settings

Make sure the following settings are configured correctly for remote access:

Note

If you receive an error message when running Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name <string> -Value <object>, you can safely ignore it. It means the domain isn't setting that configuration through a Group Policy Object.

  1. Remote Desktop Protocol (RDP) is enabled:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDenyTSConnections -Value 0 -Type DWord -Force
    
  2. The RDP port is set up correctly using the default port of 3389:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name PortNumber -Value 3389 -Type DWord -Force
    

    When you deploy a VM, the default rules are created for port 3389. To change the port number, do that after the VM is deployed in Azure.

  3. The listener is listening on every network interface:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name LanAdapter -Value 0 -Type DWord -Force
    
  4. Configure network-level authentication (NLA) mode for the RDP connections:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 1 -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name fAllowSecProtocolNegotiation -Value 1 -Type DWord -Force
    
  5. Set the keep-alive value:

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveEnable -Value 1  -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveInterval -Value 1  -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name KeepAliveTimeout -Value 1 -Type DWord -Force
    
  6. Set the reconnect options:

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDisableAutoReconnect -Value 0 -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fInheritReconnectSame -Value 1 -Type DWord -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fReconnectSame -Value 0 -Type DWord -Force
    
  7. Limit the number of concurrent connections:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name MaxInstanceCount -Value 4294967295 -Type DWord -Force
    
  8. Remove any self-signed certificates tied to the RDP listener:

    if ((Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').Property -contains 'SSLCertificateSHA1Hash')
    {
       Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SSLCertificateSHA1Hash -Force
    }
    

    This code ensures that you can connect when you deploy the VM. You can also review these settings after the VM is deployed in Azure.

  9. If the VM is part of a domain, check the following policies to make sure the previous settings aren't reverted.

    | Goal | Policy | Value |
    |------|--------|-------|
    | RDP is enabled | Computer Configuration\Policies\Windows Settings\Administrative Templates\Components\Remote Desktop Services\Remote Desktop Session Host\Connections | Allow users to connect remotely by using Remote Desktop |
    | NLA group policy | Settings\Administrative Templates\Components\Remote Desktop Services\Remote Desktop Session Host\Security | Require user authentication for remote access by using NLA |
    | Keep-alive settings | Computer Configuration\Policies\Windows Settings\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections | Configure keep-alive connection interval |
    | Reconnect settings | Computer Configuration\Policies\Windows Settings\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections | Reconnect automatically |
    | Limited number of connection settings | Computer Configuration\Policies\Windows Settings\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections | Limit number of connections |
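
A read-only check of the values that steps 1 through 8 set, useful for spotting settings that a Group Policy Object has reverted. This is an added example, not part of the original article; `$expected` and `Test-RdpSetting` are names chosen for this example.

```powershell
# Added example: read-only audit of the RDP registry values this section sets.
# $ts, $pol, $tcp, $expected and Test-RdpSetting are names chosen for this example.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tcp = "$ts\WinStations\RDP-Tcp"

# Expected values copied from steps 1 to 7 above. Policy = $true marks values under
# the Policies key, which exist only when policy (or the Set-ItemProperty call) set them.
$expected = @(
    @{ Path = $ts;  Name = 'fDenyTSConnections';           Value = 0 }
    @{ Path = $pol; Name = 'fDenyTSConnections';           Value = 0; Policy = $true }
    @{ Path = $tcp; Name = 'PortNumber';                   Value = 3389 }
    @{ Path = $tcp; Name = 'LanAdapter';                   Value = 0 }
    @{ Path = $tcp; Name = 'UserAuthentication';           Value = 1 }
    @{ Path = $tcp; Name = 'SecurityLayer';                Value = 1 }
    @{ Path = $tcp; Name = 'fAllowSecProtocolNegotiation'; Value = 1 }
    @{ Path = $pol; Name = 'KeepAliveEnable';              Value = 1; Policy = $true }
    @{ Path = $pol; Name = 'KeepAliveInterval';            Value = 1; Policy = $true }
    @{ Path = $tcp; Name = 'KeepAliveTimeout';             Value = 1 }
    @{ Path = $pol; Name = 'fDisableAutoReconnect';        Value = 0; Policy = $true }
    @{ Path = $tcp; Name = 'fInheritReconnectSame';        Value = 1 }
    @{ Path = $tcp; Name = 'fReconnectSame';               Value = 0 }
    @{ Path = $tcp; Name = 'MaxInstanceCount';             Value = 4294967295 }
)

function Test-RdpSetting {
    param([hashtable]$Setting)

    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing policy value means no policy sets it; a missing value elsewhere
        # means the corresponding step was not applied.
        $actual = $null
        if ($Setting.Policy) { $state = 'NotConfigured' } else { $state = 'Missing' }
    }
    else {
        # A REG_DWORD can surface as a negative Int32 (4294967295 as -1);
        # normalise it to the unsigned value before comparing.
        $actual = [int64]$item.($Setting.Name) -band 4294967295
        if ($actual -eq $Setting.Value) { $state = 'OK' } else { $state = 'Drift' }
    }

    [pscustomobject]@{
        Name     = $Setting.Name
        Path     = $Setting.Path
        Expected = $Setting.Value
        Actual   = $actual
        State    = $state
    }
}

$report = @(foreach ($s in $expected) { Test-RdpSetting -Setting $s })

# Step 8: no certificate thumbprint should remain tied to the listener.
$pinned = (Get-Item -Path $tcp).Property -contains 'SSLCertificateSHA1Hash'
if ($pinned) { $certActual = 'present'; $certState = 'Drift' } else { $certActual = 'absent'; $certState = 'OK' }
$report += [pscustomobject]@{
    Name     = 'SSLCertificateSHA1Hash'
    Path     = $tcp
    Expected = 'absent'
    Actual   = $certActual
    State    = $certState
}

$report | Format-Table Name, Expected, Actual, State -AutoSize
```

On a domain-joined VM, run it again after the next Group Policy refresh; any row that changes to Drift points at one of the policies in the table above.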

Configure Windows Firewall rules

  1. Turn on Windows Firewall on the three profiles (domain, standard, and public):

    Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
    
  2. Run the following example to allow WinRM through the three firewall profiles (domain, private, and public), and enable the PowerShell remote service:

    Enable-PSRemoting -Force
    Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled True
    
  3. Enable the following firewall rules to allow the RDP traffic:

    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True
    
  4. Enable the rule for file and printer sharing so the VM can respond to ping requests inside the virtual network:

    Set-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' -Enabled True
    
  5. Create a rule for the Azure platform network:

    New-NetFirewallRule -DisplayName AzurePlatform -Direction Inbound -RemoteAddress 168.63.129.16 -Profile Any -Action Allow -EdgeTraversalPolicy Allow
    New-NetFirewallRule -DisplayName AzurePlatform -Direction Outbound -RemoteAddress 168.63.129.16 -Profile Any -Action Allow
    
  6. If the VM is part of a domain, check the following Azure AD policies to make sure the previous settings aren't reverted.

    | Goal | Policy | Value |
    |------|--------|-------|
    | Enable the Windows Firewall profiles | Computer Configuration\Policies\Windows Settings\Administrative Templates\Network\Network Connection\Windows Firewall\Domain Profile\Windows Firewall | Protect all network connections |
    | Enable RDP | Computer Configuration\Policies\Windows Settings\Administrative Templates\Network\Network Connection\Windows Firewall\Domain Profile\Windows Firewall | Allow inbound Remote Desktop exceptions |
    | | Computer Configuration\Policies\Windows Settings\Administrative Templates\Network\Network Connection\Windows Firewall\Standard Profile\Windows Firewall | Allow inbound Remote Desktop exceptions |
    | Enable ICMP-V4 | Computer Configuration\Policies\Windows Settings\Administrative Templates\Network\Network Connection\Windows Firewall\Domain Profile\Windows Firewall | Allow ICMP exceptions |
    | | Computer Configuration\Policies\Windows Settings\Administrative Templates\Network\Network Connection\Windows Firewall\Standard Profile\Windows Firewall | Allow ICMP exceptions |

Verify the VM

Make sure the VM is healthy, secure, and RDP accessible:

  1. To make sure the disk is healthy and consistent, check the disk at the next VM restart:

    chkdsk.exe /f
    

    Make sure the report shows a clean and healthy disk.

  2. Set the Boot Configuration Data (BCD) settings.

    bcdedit.exe /set "{bootmgr}" integrityservices enable
    bcdedit.exe /set "{default}" device partition=C:
    bcdedit.exe /set "{default}" integrityservices enable
    bcdedit.exe /set "{default}" recoveryenabled Off
    bcdedit.exe /set "{default}" osdevice partition=C:
    bcdedit.exe /set "{default}" bootstatuspolicy IgnoreAllFailures
    
    #Enable Serial Console Feature
    bcdedit.exe /set "{bootmgr}" displaybootmenu yes
    bcdedit.exe /set "{bootmgr}" timeout 5
    bcdedit.exe /set "{bootmgr}" bootems yes
    bcdedit.exe /ems "{current}" ON
    bcdedit.exe /emssettings EMSPORT:1 EMSBAUDRATE:115200
    
  3. The dump log can be helpful in troubleshooting Windows crash issues. Enable the dump log collection:

    # Set up the guest OS to collect a kernel dump on an OS crash event
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name CrashDumpEnabled -Type DWord -Force -Value 2
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name DumpFile -Type ExpandString -Force -Value "%SystemRoot%\MEMORY.DMP"
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name NMICrashDump -Type DWord -Force -Value 1
    
    # Set up the guest OS to collect user mode dumps on a service crash event
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
    if ((Test-Path -Path $key) -eq $false) {(New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' -Name LocalDumps)}
    New-ItemProperty -Path $key -Name DumpFolder -Type ExpandString -Force -Value 'C:\CrashDumps'
    New-ItemProperty -Path $key -Name CrashCount -Type DWord -Force -Value 10
    New-ItemProperty -Path $key -Name DumpType -Type DWord -Force -Value 2
    Set-Service -Name WerSvc -StartupType Manual
    
  4. Verify that the Windows Management Instrumentation (WMI) repository is consistent:

    winmgmt.exe /verifyrepository
    

    If the repository is corrupted, see WMI: Repository corruption or not.

  5. Make sure no other application is using port 3389. This port is used for the RDP service in Azure. To see which ports are used on the VM, run netstat.exe -anob:

    netstat.exe -anob
    
  6. To upload a Windows VHD that's a domain controller:

    • Follow these extra steps to prepare the disk.

    • Make sure you know the Directory Services Restore Mode (DSRM) password in case you ever have to start the VM in DSRM. For more information, see Set a DSRM password.

  7. Make sure you know the built-in administrator account and password. You might want to reset the current local administrator password and make sure you can use this account to sign in to Windows through the RDP connection. This access permission is controlled by the "Allow log on through Remote Desktop Services" Group Policy Object. View this object in the Local Group Policy Editor:

    • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  8. Check the following Azure AD policies to make sure they're not blocking RDP access:

    • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network

    • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services

  9. Check the following Azure AD policy to make sure it's not removing any of the required access accounts:

    • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

    The policy should list the following groups:

    • Administrators

    • Backup Operators

    • Everyone

    • Users

  10. Restart the VM to make sure that Windows is still healthy and can be reached through the RDP connection. At this point, consider creating a VM on your local Hyper-V server to make sure the VM starts completely. Then test to make sure you can reach the VM through RDP.

  11. Remove any extra Transport Driver Interface (TDI) filters. For example, remove software that analyzes TCP packets or extra firewalls.

  12. Uninstall any other third-party software or driver that's related to physical components or any other virtualization technology.

Install Windows updates

Ideally, you should keep the machine updated to the patch level. If this isn't possible, make sure the following updates are installed. To get the latest updates, see the Windows update history pages: Windows 10 and Windows Server 2019, Windows 8.1 and Windows Server 2012 R2, and Windows 7 SP1 and Windows Server 2008 R2 SP1.


| Component | Binary | Windows 7 SP1, Windows Server 2008 R2 SP1 | Windows 8, Windows Server 2012 | Windows 8.1, Windows Server 2012 R2 | Windows 10 v1607, Windows Server 2016 v1607 | Windows 10 v1703 | Windows 10 v1709, Windows Server 2016 v1709 | Windows 10 v1803, Windows Server 2016 v1803 |
|---|---|---|---|---|---|---|---|---|
| Storage | disk.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.17638 / 6.2.9200.21757 - KB3137061 | 6.3.9600.18203 - KB3137061 | - | - | - | - |
| | storport.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.17188 / 6.2.9200.21306 - KB3018489 | 6.3.9600.18573 - KB4022726 | 10.0.14393.1358 - KB4022715 | 10.0.15063.332 | - | - |
| | ntfs.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.17623 / 6.2.9200.21743 - KB3121255 | 6.3.9600.18654 - KB4022726 | 10.0.14393.1198 - KB4022715 | 10.0.15063.447 | - | - |
| | Iologmsg.dll | 6.1.7601.23403 - KB3125574 | 6.2.9200.16384 - KB2995387 | - | - | - | - | - |
| | Classpnp.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.17061 / 6.2.9200.21180 - KB2995387 | 6.3.9600.18334 - KB3172614 | 10.0.14393.953 - KB4022715 | - | - | - |
| | Volsnap.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.17047 / 6.2.9200.21165 - KB2975331 | 6.3.9600.18265 - KB3145384 | - | 10.0.15063.0 | - | - |
| | partmgr.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.16681 - KB2877114 | 6.3.9600.17401 - KB3000850 | 10.0.14393.953 - KB4022715 | 10.0.15063.0 | - | - |
| | volmgr.sys | | | | | 10.0.15063.0 | - | - |
| | Volmgrx.sys | 6.1.7601.23403 - KB3125574 | - | - | - | 10.0.15063.0 | - | - |
| | Msiscsi.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.21006 - KB2955163 | 6.3.9600.18624 - KB4022726 | 10.0.14393.1066 - KB4022715 | 10.0.15063.447 | - | - |
| | Msdsm.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.21474 - KB3046101 | 6.3.9600.18592 - KB4022726 | - | - | - | - |
| | Mpio.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.21190 - KB3046101 | 6.3.9600.18616 - KB4022726 | 10.0.14393.1198 - KB4022715 | - | - | - |
| | vmstorfl.sys | 6.3.9600.18907 - KB4072650 | 6.3.9600.18080 - KB3063109 | 6.3.9600.18907 - KB4072650 | 10.0.14393.2007 - KB4345418 | 10.0.15063.850 - KB4345419 | 10.0.16299.371 - KB4345420 | - |
| | Fveapi.dll | 6.1.7601.23311 - KB3125574 | 6.2.9200.20930 - KB2930244 | 6.3.9600.18294 - KB3172614 | 10.0.14393.576 - KB4022715 | - | - | - |
| | Fveapibase.dll | 6.1.7601.23403 - KB3125574 | 6.2.9200.20930 - KB2930244 | 6.3.9600.17415 - KB3172614 | 10.0.14393.206 - KB4022715 | - | - | - |
| Network | netvsc.sys | - | - | - | 10.0.14393.1198 - KB4022715 | 10.0.15063.250 - KB4020001 | - | - |
| | mrxsmb10.sys | 6.1.7601.23816 - KB4022722 | 6.2.9200.22108 - KB4022724 | 6.3.9600.18603 - KB4022726 | 10.0.14393.479 - KB4022715 | 10.0.15063.483 | - | - |
| | mrxsmb20.sys | 6.1.7601.23816 - KB4022722 | 6.2.9200.21548 - KB4022724 | 6.3.9600.18586 - KB4022726 | 10.0.14393.953 - KB4022715 | 10.0.15063.483 | - | - |
| | mrxsmb.sys | 6.1.7601.23816 - KB4022722 | 6.2.9200.22074 - KB4022724 | 6.3.9600.18586 - KB4022726 | 10.0.14393.953 - KB4022715 | 10.0.15063.0 | - | - |
| | tcpip.sys | 6.1.7601.23761 - KB4022722 | 6.2.9200.22070 - KB4022724 | 6.3.9600.18478 - KB4022726 | 10.0.14393.1358 - KB4022715 | 10.0.15063.447 | - | - |
| | http.sys | 6.1.7601.23403 - KB3125574 | 6.2.9200.17285 - KB3042553 | 6.3.9600.18574 - KB4022726 | 10.0.14393.251 - KB4022715 | 10.0.15063.483 | - | - |
| | vmswitch.sys | 6.1.7601.23727 - KB4022719 | 6.2.9200.22117 - KB4022724 | 6.3.9600.18654 - KB4022726 | 10.0.14393.1358 - KB4022715 | 10.0.15063.138 | - | - |
| Core | ntoskrnl.exe | 6.1.7601.23807 - KB4022719 | 6.2.9200.22170 - KB4022718 | 6.3.9600.18696 - KB4022726 | 10.0.14393.1358 - KB4022715 | 10.0.15063.483 | - | - |
| Remote Desktop Services | rdpcorets.dll | 6.2.9200.21506 - KB4022719 | 6.2.9200.22104 - KB4022724 | 6.3.9600.18619 - KB4022726 | 10.0.14393.1198 - KB4022715 | 10.0.15063.0 | - | - |
| | termsrv.dll | 6.1.7601.23403 - KB3125574 | 6.2.9200.17048 - KB2973501 | 6.3.9600.17415 - KB3000850 | 10.0.14393.0 - KB4022715 | 10.0.15063.0 | - | - |
| | termdd.sys | 6.1.7601.23403 - KB3125574 | - | - | - | - | - | - |
| | win32k.sys | 6.1.7601.23807 - KB4022719 | 6.2.9200.22168 - KB4022718 | 6.3.9600.18698 - KB4022726 | 10.0.14393.594 - KB4022715 | - | - | - |
| | rdpdd.dll | 6.1.7601.23403 - KB3125574 | - | - | - | - | - | - |
| | rdpwd.sys | 6.1.7601.23403 - KB3125574 | - | - | - | - | - | - |

Security MS17-010 KB4012212 KB4012213 KB4012213 KB4012606 KB4012606 - -
KB4012216 KB4013198 KB4013198 - -
KB4012215 KB4012214 KB4012216 KB4013429 KB4013429 - -
KB4012217 KB4013429 KB4013429 - -
CVE-2018-0886 KB4103718 KB4103730 KB4103725 KB4103723 KB4103731 KB4103727 KB4103721
KB4103712 KB4103726 KB4103715

Note

To avoid an accidental reboot during VM provisioning, we recommend ensuring that all Windows Update installations are finished and that no updates are pending. One way to do this is to install all possible Windows updates and reboot once before you run the sysprep.exe command.
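
One way to check both points before running sysprep.exe: compare installed binary versions with the minimums in the table above and look for a pending restart. This is an added example, not part of the original article; the file locations under System32 and the three pending-restart registry markers are assumptions based on common Windows behavior, and `$floors`, `Get-BinaryVersion` and `Test-PendingRestart` are names chosen for this example.

```powershell
# Added example. The version floors are copied from the
# "Windows 10 v1607, Windows Server 2016 v1607" column of the table above.
# Assumption: drivers live in System32\drivers, the other binaries in System32.
$sys32  = Join-Path $env:SystemRoot 'System32'
$floors = [ordered]@{
    'drivers\storport.sys' = '10.0.14393.1358'
    'drivers\ntfs.sys'     = '10.0.14393.1198'
    'drivers\vmstorfl.sys' = '10.0.14393.2007'
    'drivers\netvsc.sys'   = '10.0.14393.1198'
    'drivers\tcpip.sys'    = '10.0.14393.1358'
    'drivers\http.sys'     = '10.0.14393.251'
    'ntoskrnl.exe'         = '10.0.14393.1358'
    'rdpcorets.dll'        = '10.0.14393.1198'
    'termsrv.dll'          = '10.0.14393.0'
}

function Get-BinaryVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    [version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

function Test-PendingRestart {
    # Assumption: these registry markers are the usual signs that servicing,
    # Windows Update or a file replacement is waiting for a restart.
    $reasons = @()
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing'
    }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update'
    }
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }
    $reasons
}

# The floors above only apply to build 14393 (v1607).
$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if ($build -ne '14393') {
    Write-Warning "Build $build is not v1607; take the floors from the matching column of the table."
}

$report = foreach ($rel in $floors.Keys) {
    $actual = Get-BinaryVersion -Path (Join-Path $sys32 $rel)
    if ($null -eq $actual) { $state = 'NotFound' }
    elseif ($actual -ge [version]$floors[$rel]) { $state = 'OK' }
    else { $state = 'BelowFloor' }

    [pscustomobject]@{
        Binary    = $rel
        Minimum   = $floors[$rel]
        Installed = $actual
        State     = $state
    }
}
$report | Format-Table -AutoSize

$pending = @(Test-PendingRestart)
if ($pending.Count -gt 0) {
    Write-Warning ("Restart pending ({0}); restart before running sysprep.exe." -f ($pending -join ', '))
}
```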

Determine when to use Sysprep

System Preparation Tool (sysprep.exe) is a process you can run to reset a Windows installation. Sysprep provides an "out of the box" experience by removing all personal data and resetting several components.

You typically run sysprep.exe to create a template from which you can deploy several other VMs that have a specific configuration. The template is called a generalized image.

To create only one VM from one disk, you don't have to use Sysprep. Instead, you can create the VM from a specialized image. For information about how to create a VM from a specialized disk, see:

To create a generalized image, you need to run Sysprep. For more information, see How to use Sysprep: An introduction.

Not every role or application that's installed on a Windows-based computer supports generalized images. Before you use this procedure, make sure Sysprep supports the role of the computer. For more information, see Sysprep support for server roles.

In particular, Sysprep requires the drives to be fully decrypted before execution. If you have enabled encryption on your VM, disable it before running Sysprep.

Generalize a VHD

Note

After you run sysprep.exe in the following steps, turn off the VM. Don't turn it back on until you create an image from it in Azure.

  1. Sign in to the Windows VM.

  2. Run a PowerShell session as an administrator.

  3. Change the directory to %windir%\system32\sysprep. Then run sysprep.exe.

  4. In the System Preparation Tool dialog box, select Enter System Out-of-Box Experience (OOBE), and make sure the Generalize checkbox is selected.

  5. In Shutdown Options, select Shutdown.

  6. Select OK.

  7. When Sysprep finishes, shut down the VM. Don't use Restart to shut down the VM.

Now the VHD is ready to be uploaded. For more information about how to create a VM from a generalized disk, see Upload a generalized VHD and use it to create a new VM in Azure.

Note

A custom unattend.xml file is not supported. Although we do support the additionalUnattendContent property, that provides only limited support for adding microsoft-windows-shell-setup options into the unattend.xml file that the Azure provisioning agent uses. You can use, for example, additionalUnattendContent to add FirstLogonCommands and LogonCommands. For more information, see additionalUnattendContent FirstLogonCommands example.

Convert the virtual disk to a fixed size VHD

Use one of the methods in this section to convert and resize your virtual disk to the required format for Azure:

  1. Back up the VM before you run the virtual disk conversion or resize process.

  2. Make sure that the Windows VHD works correctly on the local server. Resolve any errors within the VM itself before you try to convert or upload it to Azure.

  3. Convert the virtual disk to type fixed.

  4. Resize the virtual disk to meet Azure requirements:

    1. Disks in Azure must have a virtual size aligned to 1 MiB. If your VHD is a fraction of 1 MiB, you'll need to resize the disk to a multiple of 1 MiB. Disks that are fractions of a MiB cause errors when creating images from the uploaded VHD. To verify the size you can use the PowerShell Get-VHD cmdlet to show "Size", which must be a multiple of 1 MiB in Azure, and "FileSize", which will be equal to "Size" plus 512 bytes for the VHD footer.

    2. The maximum size allowed for the OS VHD with a generation 1 VM is 2,048 GiB (2 TiB).

    3. The maximum size for a data disk is 32,767 GiB (32 TiB).

Note

  • If you are preparing a Windows OS disk, after you convert it to a fixed disk and resize it if needed, create a VM that uses the disk. Start and sign in to the VM and continue with the sections in this article to finish preparing it for uploading.
  • If you are preparing a data disk, you may stop with this section and proceed to uploading your disk.

Use Hyper-V Manager to convert the disk

  1. Open Hyper-V Manager and select your local computer on the left. In the menu above the computer list, select Action > Edit Disk.
  2. On the Locate Virtual Hard Disk page, select your virtual disk.
  3. On the Choose Action page, select Convert > Next.
  4. To convert from VHDX, select VHD > Next.
  5. To convert from a dynamically expanding disk, select Fixed size > Next.
  6. Locate and select a path to save the new VHD file.
  7. Select Finish.

Use PowerShell to convert the disk

You can convert a virtual disk using the Convert-VHD cmdlet in PowerShell. If you need information about installing this cmdlet, see Install the Hyper-V role.

The following example converts the disk from VHDX to VHD. It also converts the disk from a dynamically expanding disk to a fixed-size disk.

Convert-VHD -Path C:\test\MyVM.vhdx -DestinationPath C:\test\MyNewVM.vhd -VHDType Fixed

In this example, replace the value for Path with the path to the virtual hard disk that you want to convert. Replace the value for DestinationPath with the new path and name of the converted disk.

Use Hyper-V Manager to resize the disk

  1. Open Hyper-V Manager and select your local computer on the left. In the menu above the computer list, select Action > Edit Disk.
  2. On the Locate Virtual Hard Disk page, select your virtual disk.
  3. On the Choose Action page, select Expand > Next.
  4. On the Locate Virtual Hard Disk page, enter the new size in GiB, then select Next.
  5. Select Finish.

Use PowerShell to resize the disk

You can resize a virtual disk using the Resize-VHD cmdlet in PowerShell. If you need information about installing this cmdlet, see Install the Hyper-V role.

The following example resizes the disk from 100.5 MiB to 101 MiB to meet the Azure alignment requirement.

Resize-VHD -Path C:\test\MyNewVM.vhd -SizeBytes 105906176

In this example, replace the value for Path with the path to the virtual hard disk that you want to resize. Replace the value for SizeBytes with the new size in bytes for the disk.
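The following added example (not part of the original article) checks a disk against the format, type, alignment, footer and maximum-size requirements listed above, and computes the aligned value to pass to Resize-VHD. The function names Get-AlignedSizeBytes and Test-AzureVhdReadiness are hypothetical helpers; the script assumes the Hyper-V PowerShell module and an elevated session.

```powershell
# Added example: pre-upload check for the VHD requirements described in this article.

function Get-AlignedSizeBytes {
    # Round a byte count up to the next multiple of 1 MiB (pure arithmetic).
    param([Parameter(Mandatory)][uint64]$SizeBytes)
    $mib = [uint64]1MB
    $remainder = $SizeBytes % $mib
    if ($remainder -eq 0) { return $SizeBytes }
    return $SizeBytes + ($mib - $remainder)
}

function Test-AzureVhdReadiness {
    # Returns a list of problems; an empty result means the disk passed every check.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Generation1OsDisk   # set for a generation 1 OS disk, omit for a data disk
    )
    $vhd = Get-VHD -Path $Path
    $size = [uint64]$vhd.Size
    $problems = @()

    if ($vhd.VhdFormat -ne 'VHD')  { $problems += "Format is $($vhd.VhdFormat); convert to VHD." }
    if ($vhd.VhdType -ne 'Fixed')  { $problems += "Type is $($vhd.VhdType); convert to Fixed." }

    $aligned = Get-AlignedSizeBytes -SizeBytes $size
    if ($aligned -ne $size) {
        $problems += "Size $size is not aligned to 1 MiB; resize with -SizeBytes $aligned."
    }
    # For a fixed VHD, FileSize should equal Size plus the 512-byte footer.
    if ($vhd.VhdFormat -eq 'VHD' -and $vhd.VhdType -eq 'Fixed' -and
        [uint64]$vhd.FileSize -ne ($size + [uint64]512)) {
        $problems += "FileSize $($vhd.FileSize) is not Size + 512 bytes."
    }
    # Size limits from this article: 2,048 GiB (gen 1 OS disk), 32,767 GiB (data disk).
    $limit = if ($Generation1OsDisk) { [uint64]2048GB } else { [uint64]32767GB }
    if ($size -gt $limit) { $problems += "Size $size exceeds the limit of $limit bytes." }

    return $problems
}

# Usage with the path from the examples above.
$problems = Test-AzureVhdReadiness -Path 'C:\test\MyNewVM.vhd' -Generation1OsDisk
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Disk meets the checked requirements.' }
```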

The following settings don't affect VHD uploading. However, we strongly recommend that you configure them.

  • Install the Azure Virtual Machine Agent. Then you can enable VM extensions. The VM extensions implement most of the critical functionality that you might want to use with your VMs. You'll need the extensions, for example, to reset passwords or configure RDP. For more information, see the Azure Virtual Machine Agent overview.

  • After you create the VM in Azure, we recommend that you put the page file on the temporary drive volume to improve performance. You can set up the file placement as follows:

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name PagingFiles -Value 'D:\pagefile.sys' -Type MultiString -Force
    

    If a data disk is attached to the VM, the temporary drive volume's letter is typically D. This designation could be different, depending on your settings and the number of available drives.

  • We recommend disabling script blockers that might be provided by antivirus software. They might interfere with and block the Windows Provisioning Agent scripts executed when you deploy a new VM from your image.

Next steps