######################################################################################################################################
# #
# This script will copy existing default HGS certificates to all cluster nodes in order to enable live migration for VMs where #
# TPM is enabled. #
# Will not enable shielded VMs #
# vTPM is a feature needed to encrypt data and use features like BitLocker. #
# When enabling vTPM on a clustered environment the VMs will need the certificate on each host to allow Live migration between nodes #
# #
######################################################################################################################################
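Function Enable-vTPMMigration
{
<#
.SYNOPSIS
Enable live migration for vTPM-enabled virtual machines on a Hyper-V cluster.
.DESCRIPTION
Exports the default "UntrustedGuardian" HGS certificates (encryption and signing, as password-protected .pfx
files that include the private keys) from every cluster node into a working directory, then imports each
node's certificates into the "Shielded VM Local Certificates" store of every other node, so that a VM with
vTPM enabled can be live migrated between any two nodes.
Does not enable shielded VMs.
!!IMPORTANT!!
Make sure you create a VM on all nodes and enable TPM, that will create the default guardian and its certificates.
Without that step, the script will not work!
The script will prompt for a password to secure the exported certificates.
The .pfx files are removed from every node and from the working directory when the function finishes,
also when a step fails; a pre-existing working directory itself is left in place.
.PARAMETER ClusterName
Name of the cluster
.PARAMETER CertPath
Working path where the certificates will be exported (C:\CLHGSCERTS\ by default)
.EXAMPLE
PS> Enable-vTPMMigration -ClusterName Cluster01
#>
    Param
    (
        # Mandatory parameters are prompted for by PowerShell itself, so no Read-Host default is needed.
        [Parameter(Mandatory=$true)]
        [string]$ClusterName,
        [Parameter(Mandatory=$false)]
        $CertPath = ("C:\CLHGSCERTS\")
    )

    # Gathering nodes; an unreachable/unknown cluster yields nothing and we stop here.
    $Nodes = Get-ClusterNode -Cluster $ClusterName -ErrorAction SilentlyContinue
    If ($null -eq $Nodes)
    {
        Write-Host -ForegroundColor Red "!!!$ClusterName not found/cannot be connected, exiting..."
        return
    }

    # Password protecting the exported .pfx files (they carry the guardian private keys).
    $CertificatePassword = (Read-Host -Prompt 'Please enter a password to secure the certificate files' -AsSecureString)

    # Test-Path instead of Get-Item: Get-Item writes an error for a missing directory.
    $createdWorkDir = $false
    If (-not (Test-Path -Path $CertPath))
    {
        Write-Host "Setting up Certificate export directory"
        New-Item -ItemType Directory -Path $CertPath | Out-Null
        $createdWorkDir = $true
    }
    $workpath = (Get-Item -Path $CertPath).FullName

    # Every node must already have the default guardian, otherwise its certificates cannot be exported.
    $guardians = @()
    $missing = @()
    foreach ($Node in $Nodes)
    {
        Write-Host "Checking if default guardian exists on $Node"
        If ($null -ne (Get-HgsGuardian -Name "UntrustedGuardian" -CimSession $Node.Name -ErrorAction SilentlyContinue))
        {
            $guardians += $Node.Name
        }
        Else
        {
            $missing += $Node.Name
        }
    }

    try
    {
        If ($guardians.Count -ne $Nodes.Count)
        {
            Write-Host -ForegroundColor Yellow "Not all nodes have default guardian enabled, the following node(s) needs it:"
            Write-Host -ForegroundColor Yellow ($missing -join ', ')
            Write-Host -ForegroundColor Yellow "Please deploy a VM on the node(s) listed above and enable vTPM on them via Hyper-V manager (MMC)"
            return
        }

        # Phase 1: each node exports its own guardian certificates into the shared working directory.
        ForEach ($Node in $Nodes)
        {
            $nodeName = $Node.Name
            Write-Host "$nodeName exports certs"
            $session = New-PSSession -ComputerName $nodeName
            try
            {
                Invoke-Command -Session $session -ScriptBlock {
                    # Make failures terminating so they reach the caller instead of leaving files missing.
                    $ErrorActionPreference = 'Stop'
                    $guardian = Get-HgsGuardian -Name "UntrustedGuardian"
                    $store = "Cert:\LocalMachine\Shielded VM Local Certificates"
                    $encryptionCertificate = Get-Item -Path "$store\$($guardian.EncryptionCertificate.Thumbprint)"
                    $signingCertificate = Get-Item -Path "$store\$($guardian.SigningCertificate.Thumbprint)"
                    # -Force: do not fail when a previous run left the directory behind.
                    New-Item -ItemType Directory -Path C:\HGSCerts -Force | Out-Null
                    Export-PfxCertificate -Cert $encryptionCertificate -FilePath "C:\HGSCerts\$Using:nodeName-encryption.pfx" -Password $Using:CertificatePassword | Out-Null
                    Export-PfxCertificate -Cert $signingCertificate -FilePath "C:\HGSCerts\$Using:nodeName-signing.pfx" -Password $Using:CertificatePassword | Out-Null
                }
                Write-Host "copy cert from $nodeName"
                Copy-Item -Path C:\HGSCerts\* -Include *.pfx -Destination $workpath -Recurse -Verbose -FromSession $session
            }
            finally
            {
                Remove-PSSession $session
            }
        }

        # Phase 2: every node imports the certificates of all the other nodes.
        ForEach ($Node in $Nodes)
        {
            $nodeName = $Node.Name
            Write-Host "$nodeName imports certs"
            $session = New-PSSession -ComputerName $nodeName
            try
            {
                Copy-Item -Path "$workpath\*" -Include *.pfx -ToSession $session -Destination C:\HGSCerts\ -Recurse
                Invoke-Command -Session $session -ScriptBlock {
                    $ErrorActionPreference = 'Stop'
                    try
                    {
                        $certs = Get-ChildItem -Path C:\HGSCerts\ -Filter "*.pfx"
                        ForEach ($cert in $certs)
                        {
                            # A node's own certificates are already in its store; skip them.
                            If ($cert.FullName -notlike "*$Using:nodeName*")
                            {
                                Write-Host "$cert"
                                Import-PfxCertificate -FilePath $cert.FullName -CertStoreLocation "Cert:\LocalMachine\Shielded VM Local Certificates\" -Password $Using:CertificatePassword | Out-Null
                            }
                        }
                        Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\*"
                    }
                    finally
                    {
                        # The .pfx files hold private keys: never leave them on the node, even after a failure.
                        Remove-Item -Path C:\HGSCerts -Recurse -Force -ErrorAction SilentlyContinue
                    }
                }
            }
            finally
            {
                Remove-PSSession $session
            }
        }
    }
    finally
    {
        # Only remove what this run produced: the .pfx files, and the directory if we created it.
        Remove-Item -Path "$workpath\*.pfx" -Force -ErrorAction SilentlyContinue
        If ($createdWorkDir)
        {
            Remove-Item -Path $workpath -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}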