在现有统一规模集上启用受信任启动

以下步骤详细介绍了如何使用 Azure 门户在现有统一规模集上启用受信任的启动。

1. （可选） 规模集大小：导航到 Size 以下 Availability + scale -> 如果 受信任的启动 安全配置不支持当前大小系列，则修改规模集大小 -> 单击 “应用”。

2. OS 映像：导航到 Operating system 下 Settings -> 点击 Change image reference。

3. 请将 OS 映像的引用更新为 Gen2-Trusted 启动时所支持的 OS 映像。 确保在使用 Azure 计算库 OS 映像时，源 Gen2 映像具有 TrustedLaunchSupported 安全类型 -> 单击“应用”。

4. 安全类型：在规模集的页面上单击“标准Security typeOverview”或导航到Configuration“下Settings”。

   

5. 在Configuration页面上，将“安全类型”下拉菜单从Standard更新为Trusted launch，并勾选Enable secure boot和Enable vTPM以启用“受信任启动”安全配置。 单击 Yes 以确认更改。

   注意

   • 默认情况下 vTPM 处于启用状态。
   • 如果未使用自定义未签名内核或驱动程序，则应启用安全启动（默认情况下未启用）。 “安全启动”可保留启动完整性，并为 VM 启用基础安全性。

   

6. 验证规模集页面上的更改Overview。

7. （建议）来宾证明扩展：为规模集资源添加来宾证明 (GA) 扩展，从而为规模集启用启动完整性监视。

8. 如果规模集统一升级模式设置为 Manual，请手动更新 VM 实例。

以下步骤详细介绍了如何使用 ARM 模板 在现有统一规模集上启用受信任的启动。

进行以下修改，以使用现有的 ARM 模板部署代码启用受信任的启动。 有关完整的模板，请参阅“快速入门受信任启动规模集 ARM 模板”。

1. OS 映像：更新对 Gen2 受信任启动支持的 OS 映像的 OS 映像引用。 如果使用 Azure Compute Gallery OS 映像，请确保源 Gen2 映像具有 TrustedLaunchSupported 安全类型。

   "storageProfile": { 
           "osDisk": { 
               "createOption": "FromImage", 
               "caching": "ReadWrite" 
           }, 
           "imageReference": { 
               "publisher": "MicrosoftWindowsServer", 
               "offer": "WindowsServer", 
               "sku": "2022-datacenter-azure-edition", 
               "version": "latest" 
           } 
   }
   

2. （可选）规模集大小：如果当前大小系列不支持 受信任的启动 安全配置，请修改规模集大小。

       "sku": { 
           "name": "Standard_D2s_v3", 
           "tier": "Standard", 
           "capacity": "[parameters('instanceCount')]" 
       } 
   

3. 安全配置文件：在 securityProfile 下添加 virtualMachineProfile 块以启用受信任启动安全配置。

   注意

   建议设置：vTPM：true和secureBoot：truesecureBoot应设置为false，如果在操作系统上使用未签名的自定义驱动程序或内核。

   "securityProfile": { 
       "securityType": "TrustedLaunch", 
       "uefiSettings": { 
         "secureBootEnabled": true, 
         "vTpmEnabled": true
       } 
   }
   

4. （建议）来宾证明扩展：为规模集资源添加来宾证明 (GA) 扩展，从而为规模集启用启动完整性监视。

   重要

   来宾证明扩展需要将 secureBootvTPM 设置为 true。

   { 
       "condition": "[and(parameters('vTPM'), parameters('secureBoot'))]", 
       "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", 
       "apiVersion": "2022-03-01", 
       "name": "[format('{0}/{1}', parameters('vmssName'), GuestAttestation)]", 
       "location": "[parameters('location')]", 
       "properties": { 
         "publisher": "Microsoft.Azure.Security.WindowsAttestation", 
         "type": "GuestAttestation", 
         "typeHandlerVersion": "1.0", 
         "autoUpgradeMinorVersion": true, 
         "enableAutomaticUpgrade": true, 
         "settings": { 
           "AttestationConfig": { 
             "MaaSettings": { 
               "maaEndpoint": "[substring('emptystring', 0, 0)]", 
               "maaTenantName": "GuestAttestation" 
             } 
           } 
         } 
       }, 
       "dependsOn": [ 
         "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" 
       ] 
   } 
   

   扩展发布者的名称：

   OS 类型	扩展发布者名称
   Windows操作系统	Microsoft.Azure.Security.WindowsAttestation
   Linux	Microsoft.Azure.Security.LinuxAttestation

5. 查看对模板所做的更改。

   展开以查看完整的 ARM 模板示例，该模板支持将现有规模集升级到受信任启动和回滚（如果需要）。

   {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
       "vmSku": {
         "type": "string",
         "defaultValue": "Standard_D2s_v3",
         "metadata": {
           "description": "Size of VMs in the VM Scale Set."
         }
       },
       "sku": {
         "type": "string",
         "defaultValue": "2022-datacenter-azure-edition",
         "allowedValues": [
           "2022-datacenter-azure-edition"
         ],
         "metadata": {
           "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version."
         }
       },
       "vmssName": {
         "type": "string",
         "maxLength": 61,
         "metadata": {
           "description": "String used as a base for naming resources. Must be 3-61 characters in length and globally unique across Azure. A hash is prepended to this string for some resources, and resource-specific information is appended."
         }
       },
       "instanceCount": {
         "type": "int",
         "defaultValue": 2,
         "maxValue": 100,
         "minValue": 1,
         "metadata": {
           "description": "Number of VM instances (100 or less)."
         }
       },
       "adminUsername": {
         "type": "string",
         "metadata": {
           "description": "Admin username on all VMs."
         }
       },
       "adminPassword": {
         "type": "securestring",
         "metadata": {
           "description": "Admin password on all VMs."
         }
       },
       "location": {
         "type": "string",
         "defaultValue": "[resourceGroup().location]",
         "metadata": {
           "description": "Location for all resources."
         }
       },
       "publicIpName": {
         "type": "string",
         "defaultValue": "myPublicIP",
         "metadata": {
           "description": "Name for the Public IP used to access the virtual machine Scale set."
         }
       },
       "publicIPAllocationMethod": {
         "type": "string",
         "defaultValue": "Static",
         "allowedValues": [
           "Dynamic",
           "Static"
         ],
         "metadata": {
           "description": "Allocation method for the Public IP used to access the virtual machine set."
         }
       },
       "publicIpSku": {
         "type": "string",
         "defaultValue": "Standard",
         "allowedValues": [
           "Basic",
           "Standard"
         ],
         "metadata": {
           "description": "SKU for the Public IP used to access the virtual machine Scale set."
         }
       },
       "dnsLabelPrefix": {
         "type": "string",
         "defaultValue": "[toLower(format('{0}-{1}', parameters('vmssName'), uniqueString(resourceGroup().id)))]",
         "metadata": {
           "description": "Unique DNS Name for the Public IP used to access the virtual machine Scale set."
         }
       },
       "healthExtensionProtocol": {
         "type": "string",
         "defaultValue": "TCP",
         "allowedValues": [
           "TCP",
           "HTTP",
           "HTTPS"
         ]
       },
       "healthExtensionPort": {
         "type": "int",
         "defaultValue": 3389
       },
       "healthExtensionRequestPath": {
         "type": "string",
         "defaultValue": "/"
       },
       "overprovision": {
         "type": "bool",
         "defaultValue": false
       },
       "upgradePolicy": {
         "type": "string",
         "defaultValue": "Manual",
         "allowedValues": [
           "Manual",
           "Rolling",
           "Automatic"
         ]
       },
       "maxBatchInstancePercent": {
         "type": "int",
         "defaultValue": 20
       },
       "maxUnhealthyInstancePercent": {
         "type": "int",
         "defaultValue": 20
       },
       "maxUnhealthyUpgradedInstancePercent": {
         "type": "int",
         "defaultValue": 20
       },
       "pauseTimeBetweenBatches": {
         "type": "string",
         "defaultValue": "PT5S"
       },
       "securityType": {
         "type": "string",
         "defaultValue": "TrustedLaunch",
         "allowedValues": [
           "Standard",
           "TrustedLaunch"
         ],
         "metadata": {
           "description": "Security Type of the Virtual Machine."
         }
       },
       "encryptionAtHost": {
           "type": "bool",
           "defaultValue": false,
           "metadata": {
               "description": "This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine or virtual machine Scale set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. The default behavior is: The Encryption at host will be disabled unless this property is set to true for the resource."
           }
       }
     },
     "variables": {
       "namingInfix": "[toLower(substring(format('{0}{1}', parameters('vmssName'), uniqueString(resourceGroup().id)), 0, 9))]",
       "addressPrefix": "10.0.0.0/16",
       "subnetPrefix": "10.0.0.0/24",
       "virtualNetworkName": "[format('{0}vnet', variables('namingInfix'))]",
       "subnetName": "[format('{0}subnet', variables('namingInfix'))]",
       "loadBalancerName": "[format('{0}lb', variables('namingInfix'))]",
       "natPoolName": "[format('{0}natpool', variables('namingInfix'))]",
       "bePoolName": "[format('{0}bepool', variables('namingInfix'))]",
       "natStartPort": 50000,
       "natEndPort": 50119,
       "natBackendPort": 3389,
       "nicName": "[format('{0}nic', variables('namingInfix'))]",
       "ipConfigName": "[format('{0}ipconfig', variables('namingInfix'))]",
       "imageReference": {
         "2022-datacenter-azure-edition": {
           "publisher": "MicrosoftWindowsServer",
           "offer": "WindowsServer",
           "sku": "[parameters('sku')]",
           "version": "latest"
         }
       },
       "extensionName": "GuestAttestation",
       "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation",
       "extensionVersion": "1.0",
       "maaTenantName": "GuestAttestation",
       "maaEndpoint": "[substring('emptyString', 0, 0)]",
       "uefiSettingsJson": {
           "secureBootEnabled": true,
           "vTpmEnabled": true
       },
       "rollingUpgradeJson": {
         "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]",
         "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]",
         "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]",
         "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]"
       }
     },
     "resources": [
       {
         "type": "Microsoft.Network/virtualNetworks",
         "apiVersion": "2022-05-01",
         "name": "[variables('virtualNetworkName')]",
         "location": "[parameters('location')]",
         "properties": {
           "addressSpace": {
             "addressPrefixes": [
               "[variables('addressPrefix')]"
             ]
           },
           "subnets": [
             {
               "name": "[variables('subnetName')]",
               "properties": {
                 "addressPrefix": "[variables('subnetPrefix')]"
               }
             }
           ]
         }
       },
       {
         "type": "Microsoft.Network/publicIPAddresses",
         "apiVersion": "2022-05-01",
         "name": "[parameters('publicIpName')]",
         "location": "[parameters('location')]",
         "sku": {
           "name": "[parameters('publicIpSku')]"
         },
         "properties": {
           "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
           "dnsSettings": {
             "domainNameLabel": "[parameters('dnsLabelPrefix')]"
           }
         }
       },
       {
         "type": "Microsoft.Network/loadBalancers",
         "apiVersion": "2022-05-01",
         "name": "[variables('loadBalancerName')]",
         "location": "[parameters('location')]",
         "sku": {
           "name": "[parameters('publicIpSku')]",
           "tier": "Regional"
         },
         "properties": {
           "frontendIPConfigurations": [
             {
               "name": "LoadBalancerFrontEnd",
               "properties": {
                 "publicIPAddress": {
                   "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
                 }
               }
             }
           ],
           "backendAddressPools": [
             {
               "name": "[variables('bePoolName')]"
             }
           ],
           "inboundNatPools": [
             {
               "name": "[variables('natPoolName')]",
               "properties": {
                 "frontendIPConfiguration": {
                   "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('loadBalancerName'), 'loadBalancerFrontEnd')]"
                 },
                 "protocol": "Tcp",
                 "frontendPortRangeStart": "[variables('natStartPort')]",
                 "frontendPortRangeEnd": "[variables('natEndPort')]",
                 "backendPort": "[variables('natBackendPort')]"
               }
             }
           ]
         },
         "dependsOn": [
           "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
         ]
       },
       {
         "type": "Microsoft.Compute/virtualMachineScaleSets",
         "apiVersion": "2022-03-01",
         "name": "[parameters('vmssName')]",
         "location": "[parameters('location')]",
         "sku": {
           "name": "[parameters('vmSku')]",
           "tier": "Standard",
           "capacity": "[parameters('instanceCount')]"
         },
         "properties": {
           "virtualMachineProfile": {
             "storageProfile": {
               "osDisk": {
                 "createOption": "FromImage",
                 "caching": "ReadWrite"
               },
               "imageReference": "[variables('imageReference')[parameters('sku')]]"
             },
             "osProfile": {
               "computerNamePrefix": "[variables('namingInfix')]",
               "adminUsername": "[parameters('adminUsername')]",
               "adminPassword": "[parameters('adminPassword')]"
             },
             "securityProfile": {
                 "encryptionAtHost": "[parameters('encryptionAtHost')]",
                 "securityType": "[parameters('securityType')]",
                 "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), variables('uefiSettingsJson'), null())]"
                 
             },
             "networkProfile": {
               "networkInterfaceConfigurations": [
                 {
                   "name": "[variables('nicName')]",
                   "properties": {
                     "primary": true,
                     "ipConfigurations": [
                       {
                         "name": "[variables('ipConfigName')]",
                         "properties": {
                           "subnet": {
                             "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]"
                           },
                           "loadBalancerBackendAddressPools": [
                             {
                               "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('bePoolName'))]"
                             }
                           ],
                           "loadBalancerInboundNatPools": [
                             {
                               "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('natPoolName'))]"
                             }
                           ]
                         }
                       }
                     ]
                   }
                 }
               ]
             },
             "extensionProfile": {
               "extensions": [
                 {
                   "name": "HealthExtension",
                   "properties": {
                     "publisher": "Microsoft.ManagedServices",
                     "type": "ApplicationHealthWindows",
                     "typeHandlerVersion": "1.0",
                     "autoUpgradeMinorVersion": false,
                     "settings": {
                       "protocol": "[parameters('healthExtensionProtocol')]",
                       "port": "[parameters('healthExtensionPort')]",
                       "requestPath": "[if(equals(parameters('healthExtensionProtocol'), 'TCP'), null(), parameters('healthExtensionRequestPath'))]"
                     }
                   }
                 }
               ]
             },
             "diagnosticsProfile": {
               "bootDiagnostics": {
                 "enabled": true
               }
             }
           },
           "orchestrationMode": "Uniform",
           "overprovision": "[parameters('overprovision')]",
           "upgradePolicy": {
             "mode": "[parameters('upgradePolicy')]",
             "rollingUpgradePolicy": "[if(equals(parameters('upgradePolicy'), 'Rolling'), variables('rollingUpgradeJson'), null())]",
             "automaticOSUpgradePolicy": {
               "enableAutomaticOSUpgrade": true
             }
           }
         },
         "dependsOn": [
           "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]",
           "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
         ]
       },
       {
         "condition": "[and(equals(parameters('securityType'), 'TrustedLaunch'), and(equals(variables('uefiSettingsJson').secureBootEnabled, true()), equals(variables('uefiSettingsJson').vTpmEnabled, true())))]",
         "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
         "apiVersion": "2022-03-01",
         "name": "[format('{0}/{1}', parameters('vmssName'), variables('extensionName'))]",
         "location": "[parameters('location')]",
         "properties": {
           "publisher": "[variables('extensionPublisher')]",
           "type": "[variables('extensionName')]",
           "typeHandlerVersion": "[variables('extensionVersion')]",
           "autoUpgradeMinorVersion": true,
           "enableAutomaticUpgrade": true,
           "settings": {
             "AttestationConfig": {
               "MaaSettings": {
                 "maaEndpoint": "[variables('maaEndpoint')]",
                 "maaTenantName": "[variables('maaTenantName')]"
               }
             }
           }
         },
         "dependsOn": [
           "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
         ]
       }
     ]
   }
   

6. 执行 ARM 模板部署。

   $resourceGroupName = "myResourceGroup"
   $parameterFile = "folderPathToFile\parameters.json"
   $templateFile = "folderPathToFile\template.json"
   
   New-AzResourceGroupDeployment `
       -ResourceGroupName $resourceGroupName `
       -TemplateFile $templateFile -TemplateParameterFile $parameterFile
   

7. 验证部署是否成功。 使用 Azure 门户检查规模集统一的安全类型和 UEFI 设置。 查看“概述”页中的“安全类型”部分。

   

8. 如果规模集统一升级模式设置为 Manual，请手动更新 VM 实例。

   $resourceGroupName = "myResourceGroup"
   $vmssName = "VMScaleSet001"
   Update-AzVmssInstance -ResourceGroupName $resourceGroupName -VMScaleSetName $vmssName -InstanceId "0"
   

本部分分步介绍如何使用 Azure CLI 在现有 Azure 规模集统一资源上启用受信任启动。

确保已安装最新版本的 Azure CLI ，并使用 az login 登录到 Azure 帐户。

1. 登录 Azure 订阅

   az cloud set -n AzureChinaCloud
   az login
   
   az account set --subscription 00000000-0000-0000-0000-000000000000
   

2. 使用命令 az vmss update 启用受信任启动，方法为设置 --security-type：TrustedLaunch，virtualMachineProfile.storageProfile.imageReference.sku：Gen2 受信任启动支持的 OS 映像，--vm-sku：第 2 代受信任启动支持的 VM 大小。

   az vmss update --name MyScaleSet `
       --resource-group MyResourceGroup `
       --set virtualMachineProfile.storageProfile.imageReference.sku='2022-datacenter-azure-edition' `
       --security-type TrustedLaunch --enable-secure-boot $true --enable-vtpm $true
   

   注意

   使用的 az vmss update OS 映像 SKU 应来自同一 OS 映像发行方和产品系列。

3. 验证上一个命令的输出。 securityProfile 配置随命令输出一起返回。

   {
     "securityProfile": {
       "securityType": "TrustedLaunch",
       "uefiSettings": {
         "secureBootEnabled": true,
         "vTpmEnabled": true
       }
     }
   }
   

4. 如果规模集统一升级模式设置为 Manual，请手动更新 VM 实例。

   az vmss update-instances --instance-ids 1 --name MyScaleSet --resource-group MyResourceGroup
   

5. 如果规模集统一升级模式设置为 RollingUpgrade，则开始滚动升级。

   az vmss rolling-upgrade start --name MyScaleSet --resource-group MyResourceGroup
   

本部分分步介绍如何使用 Azure PowerShell 在现有 Azure 虚拟机规模集统一上启用受信任启动。

确保已安装最新的 Azure PowerShell ，并使用 Connect-AzAccount 登录到 Azure 帐户。

1. 登录 Azure 订阅

   Connect-AzAccount  -Environment AzureChinaCloud -SubscriptionId 00000000-0000-0000-0000-000000000000
   

2. 使用命令 Update-AzVMSS 启用受信任启动，方法为设置 -SecurityType：TrustedLaunch，ImageReferenceSku：Gen2 受信任启动支持的 OS 映像，-SkuName：第 2 代受信任启动支持的 VM 大小。

   $vmss = Get-AzVmss -VMScaleSetName MyVmssName -ResourceGroupName MyResourceGroup
   
   # Enable Trusted Launch
   $vmss = Set-AzVmssSecurityProfile -virtualMachineScaleSet $vmss -SecurityType TrustedLaunch
   
   # Enable Trusted Launch settings
   $vmss = Set-AzVmssUefi -VirtualMachineScaleSet $vmss -EnableVtpm $true -EnableSecureBoot $true
   
   Update-AzVmss -ResourceGroupName $vmss.ResourceGroupName `
       -VMScaleSetName $vmss.Name -VirtualMachineScaleSet $vmss `
       -SecurityType TrustedLaunch -EnableVtpm $true -EnableSecureBoot $true `
       -ImageReferenceSku 2022-datacenter-azure-edition
   

   注意

   Update-AzVMSS 命令中使用的 OS 映像 SKU 应来自同一 OS 映像发布服务器和产品/服务。

3. 使用 securityProfile 命令输出验证 配置。

   {
     "securityProfile": {
       "securityType": "TrustedLaunch",
       "uefiSettings": {
         "secureBootEnabled": true,
         "vTpmEnabled": true
       }
     }
   }
   

4. 如果规模集统一升级模式设置为 Manual，请手动更新 VM 实例。

   Update-AzVmssInstance -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyScaleSet" -InstanceId "0"
   

5. 如果规模集统一升级模式设置为 RollingUpgrade，则开始滚动升级。

   Start-AzVmssRollingOSUpgrade -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyScaleSet"
   

1. OS 映像：导航到 Operating system 下 Settings。 单击 Change image reference。

2. 将 OS 映像引用更新为上一个已知良好的配置 -> 单击 “应用”。

3. 安全类型：导航到 Configuration 下面的 Settings 页面 -> 从页面更新安全类型下拉列表 ConfigurationTrusted launchStandard 以禁用受信任的启动安全配置。 单击 Yes 以确认更改。

4. 验证规模集页面上的更改Overview。

5. 如果规模集统一升级模式设置为 Manual，请手动更新 VM 实例。

若要将“受信任的启动”中的更改回滚到以前的已知良好配置，请设置为“标准”securityProfile，如下所示。 （可选）还可以还原其他参数更改 - OS 映像、VM 大小，并重复在现有规模集上启用受信任启动所述的步骤 5-8

"securityProfile": {
    "securityType": "Standard",
    "uefiSettings": "[null()]"
}

若要将“受信任的启动”中的更改回滚到以前的已知良好配置，请设置为--security-typeStandard如下所示。 （可选）还可以还原其他参数更改 - OS 映像、虚拟机大小，并重复在现有规模集上启用受信任启动所述的步骤 2-5

az vmss update --name MyScaleSet `
        --resource-group MyResourceGroup `
        --security-type Standard

若要将“受信任的启动”中的更改回滚到以前的已知良好配置，请设置为-SecurityTypeStandard如下所示。 （可选）还可以还原其他参数更改 - OS 映像、虚拟机大小，并重复在现有规模集上启用受信任启动所述的步骤 2-5

$vmss = Get-AzVmss -VMScaleSetName MyVmssName -ResourceGroupName MyResourceGroup

# roll back Trusted Launch
Set-AzVmssSecurityProfile -virtualMachineScaleSet $vmss -SecurityType Standard

Update-AzVmss -ResourceGroupName $vmss.ResourceGroupName `
    -VMScaleSetName $vmss.Name -VirtualMachineScaleSet $vmss `
    -SecurityType Standard `
    -ImageReferenceSku 2022-datacenter-azure-edition