Disclaimer: Dell does not offer support for Windows Server 2016 at this time. Dell is actively testing and working closely with Microsoft on Windows Server 2016, but since it is still in development, the exact hardware components/configurations that Dell will fully support are still being determined. The information divulged in our online documents prior to Dell launching and shipping Windows Server 2016 may not directly reflect Dell supported product offerings with the final release of Windows Server 2016. We are, however, very interested in your results/feedback/suggestions. Please send them to WinServerBlogs@dell.com
One of the major challenges for customers moving their workloads to a virtualized datacenter or public cloud is the security concern raised by the sensitivity of those workloads. To protect tenant workloads from compromised storage, networks, host administrators, and malware, the upcoming Windows Server 2016 introduces the concept of a Guarded Fabric, which establishes a new trust boundary between the tenant and the datacenter administrators or cloud service providers. Running shielded Virtual Machines on a Guarded Fabric gives tenants the security assurance needed to virtualize sensitive workloads such as Active Directory domain controllers.
With Windows Server 2016 Technical Preview, the Guarded Fabric can be deployed using either Active-Directory-based attestation or hardware-based attestation, which requires a Trusted Platform Module (TPM) v2.0. TPM 2.0 is now available on selected 13th generation PowerEdge servers such as the R730, R730XD, R630, T630, etc., as an orderable configuration option.
Before deploying the Guarded Fabric with hardware-based attestation, the following settings are needed in the system BIOS:
Boot Settings > Boot Mode: UEFI
System Security > TPM Security: On
System Security > TPM Advanced > TPM PPI (Physical Presence Interface) Bypass Clear: Enabled
System Security > TPM Advanced > TPM PPI Bypass Provision: Enabled
System Security > Secure Boot > Secure Boot: Enabled
These system settings can be configured remotely via the integrated Dell Remote Access Controller (iDRAC) by using racadm, included in the Dell OpenManage DRAC Tools package. Here are the related racadm commands under PowerShell.

First, define a variable for the iDRAC IP address:
    $ip = "<iDRAC IP>"

View the current boot settings:
    racadm -r $ip -u root -p calvin get BIOS.BiosBootSettings.Bootmode

View the current TPM and Secure Boot settings:
    racadm -r $ip -u root -p calvin get BIOS.syssecurity

Change the boot mode to UEFI:
    racadm -r $ip -u root -p calvin set BIOS.BiosBootSettings.Bootmode Uefi

Enable TPM Security:
    racadm -r $ip -u root -p calvin set BIOS.SysSecurity.TpmSecurity On

Disable the PPI pop-up for the Clear TPM task during POST:
    racadm -r $ip -u root -p calvin set Bios.Tpmadvanced.TpmPpiByPassClear Enabled

Enable Secure Boot:
    racadm -r $ip -u root -p calvin set Bios.syssecurity.secureboot Enabled

All of the changes are still in the pending state. Apply them by creating a BIOS configuration job; the -r pwrcycle option power-cycles the server so the job runs immediately:
    racadm -r $ip -u root -p calvin jobqueue create BIOS.Setup.1-1 -r pwrcycle -s TIME_NOW -e TIME_NA
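As an added example (not from Dell's post or the OpenManage tools), the following PowerShell pre-flight check reads the same four attributes back with racadm get and reports whether each is in effect, still pending a BIOS job, or wrong. It assumes racadm is on PATH, prompts for the iDRAC account instead of hard-coding root/calvin, and assumes racadm prints attributes as "Name=Value" with an optional "(Pending Value=New)" suffix.

```powershell
# Added example: verify the BIOS attributes needed for hardware-based attestation.
# Assumptions: racadm on PATH; "<iDRAC IP>" placeholder; output format "Name=Value [(Pending Value=New)]".
$ip   = "<iDRAC IP>"
$cred = Get-Credential -Message "iDRAC account"   # prompt rather than embedding root/calvin in scripts
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# Attribute names and target values are the ones used by the set commands above.
$Required = [ordered]@{
    'BIOS.BiosBootSettings.Bootmode'     = 'Uefi'
    'BIOS.SysSecurity.TpmSecurity'       = 'On'
    'Bios.Tpmadvanced.TpmPpiByPassClear' = 'Enabled'
    'Bios.syssecurity.secureboot'        = 'Enabled'
}

function ConvertFrom-RacadmGet {
    # Parse the output of 'racadm get <attribute>' into current and pending values.
    # The "[Key=...]" header line has no leading word character, so it is skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*#?(?<name>\w+)=(?<cur>[^\s(]*)(\s*\(Pending Value=(?<pend>[^)]+)\))?') {
            return [pscustomobject]@{ Name = $Matches.name; Current = $Matches.cur; Pending = $Matches.pend }
        }
    }
    return $null
}

function Test-GuardedFabricBios {
    $allOk = $true
    foreach ($attr in $Required.Keys) {
        $want = $Required[$attr]
        $raw  = & racadm -r $ip -u $user -p $pass get $attr 2>&1 | ForEach-Object { "$_" }
        $val  = ConvertFrom-RacadmGet -Lines $raw
        if ($null -eq $val) {
            Write-Warning "$attr`: could not parse racadm output"; $allOk = $false; continue
        }
        if ($val.Current -ieq $want) {
            Write-Host "OK       $attr = $($val.Current)"
        } elseif ($val.Pending -ieq $want) {
            # Queued but not applied: the BIOS.Setup.1-1 job with a power cycle is still required.
            Write-Warning "PENDING  $attr = $($val.Current) (pending $($val.Pending)); run the BIOS job"
            $allOk = $false
        } else {
            Write-Warning "MISMATCH $attr = $($val.Current), expected $want"
            $allOk = $false
        }
    }
    return $allOk
}

if (Test-GuardedFabricBios) { "BIOS is ready for hardware-based attestation" } else { "BIOS is not ready" }
```

Run it once before the BIOS job to confirm the pending values are the intended ones, and again after the power cycle to confirm they took effect before the host is added to the Guarded Fabric.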
More detailed information is available in the attached document.