Your Browser is Out of Date

Nytro.ai uses technology that works best in other browsers.
For a full experience use one of the browsers below
HCI Operations Guide—Managing and Monitoring the Solution Infrastructure Life Cycle
Notes, cautions, and warnings Copyright Introduction Day 1 operations Managing and monitoring clusters with Windows Admin Center Dell EMC OpenManage Integration with Windows Admin Center
Dell EMC OpenManage Integration with Windows Admin Center
Overview
Prerequisites for managing AX nodes
Installing the OMIMSWAC license
Managing Microsoft HCI-based clusters
Full Stack Cluster-Aware Offline Updating
Full Stack Cluster-Aware Updating for Azure Stack HCI clusters using the OpenManage Integration snap-in
Updating a stand-alone node before adding it to the cluster
Updating a single node cluster
Secure cluster with Secured-core
Enabling operating system features
Protect your infrastructure with infrastructure lock
Manage CPU cores in Azure Stack HCI clusters
Cluster expansion
Validate and remediate Azure Stack HCI clusters
Onboard Dell policies to Azure Arc from Windows Admin Center to manage Azure Stack HCI clusters
View recommendations for storage expansion
Known issues
Updates and maintenance

Secure cluster with Secured-core

Secure cluster with Secured-core

  • A malicious hacker who has physical access to a system can tamper with the BIOS. A tampered BIOS code poses a high security threat and makes the system vulnerable to further attacks. With the Secured-core feature, OMIMSWAC ensures that your cluster boots only using the software that is trusted by Dell EMC.

    Secured-core feature is supported on the following configurations:
    • AMD processor types:
      • AMD Milan with cluster nodes BIOS version must be 2.3.6 or above.
    • Intel processor types:
      • Cluster nodes BIOS version must be 1.3.8 or above.
      Note: The following Intel processor types are not supported for Secured-core feature:

      • E-23 series and Pentium SKUs such as G6605, G6505, G6505T, G6405, and G6405T.
    • OS versions:
      • Windows Server 2022 and Azure Stack HCI OS 21H2 or higher.
    • TPM V2.0 module must be installed with firmware 7.2.2.0 or above.
    • OMIWAC Premium License must be installed on each cluster node.
    Note: To ensure proper functioning of the System Guard OS feature, ensure that the TPM Hierarchy under System Security section is enabled in the BIOS settings.

    Secured-core feature includes enabling BIOS and OS security features. Both Dell Technologies and Microsoft recommend enabling BIOS security features and OS security features respectively to protect infrastructure from external threats. In Windows Admin Center, use Dell EMC OpenManage Integration with Microsoft Windows Admin Center extension to enable BIOS security features and use Security extension to enable OS security features. For more information about OS security features, see the Microsoft guidelines.

    Enable BIOS security features as follows:

    1. Log in to Windows Admin Center and launch Dell EMC OpenManage Integration with Microsoft Windows Admin Center extension.
    2. Go to Security > Secured-core.
    3. Specify Manage as credentials if prompted.
      The Dell EMC OpenManage Integration with Microsoft Windows Admin Center validates if the following prerequisites are fulfilled on the target or cluster nodes:
      • The supported platform and processor types
      • The supported BIOS version
      • The supported OS version
      • The OMIWAC Premium License is installed

      See Prerequisites for more information.

    4. If one or more prerequisites are not fulfilled, Dell EMC OpenManage Integration with Microsoft Windows Admin Center displays the list of prerequisites and its overall status and recommendation. Review the recommendations with the status showing or and resolve the prerequisites. To see the prerequisites to be fulfilled for each cluster node, switch Show Node Level Details. After resolving the perquisites, go to Security > Secured-core again to display the overall status. If all the perquisites are met, OMIMSWAC displays the overall secured-core status for both BIOS and OS. The overall BIOS/OS status is the summary of all BIOS/OS feature configuration statuses for the entire cluster.
    5. If infrastructure lock is enabled, click Disable. You must disable the infrastructure lock before enabling the BIOS configurations.
    6. Review all the BIOS feature status and the corresponding OS feature status. A consolidated view of all BIOS/OS feature configuration status that is displayed in the Cluster level BIOS Features and Status and Cluster level OS Features and Status' sections.

      The following table lists are of the BIOS and corresponding OS features with security functionalities:

      BIOS Feature Security Function

      Corresponding OS Features

      		Other Information
      Virtualization Technology Helps BIOS to enable processor virtualization features (such as protecting against exploits in user-mode drivers and applications) and provide virtualization support to the Operating System (OS) through the DMAR table.
      • Hypervisor-Protected Code Integrity (HVCI)
      • Virtualization-Based Security (VBS)
      Kernel DMA Protection When enabled, both BIOS and OS protects devices from Direct Memory Access attacks in early boot by leveraging the Input/Output Memory Management Unit (IOMMU). Boot DMA Protection
      Secure Boot Secure Boot ensures that the device boots with trusted, Dell EMC signed software. Secure Boot
      Trusted Platform Module (TPM) 2.0

      TPM PPI Bypass Provision

      TPM PPI Bypass Clear

      TPM2 Algorithm Selection

      		Trusted Platform Module (TPM) is a dedicated microprocessor that is designed to secure hardware by integrating cryptographic keys into devices. Software can use a TPM to authenticate hardware devices.
      • Trusted Platform Module (TPM) 2.0
      • System Guard
      Note: To ensure proper functioning of the System Guard OS feature, ensure that the TPM Hierarchy under the System Security section is enabled in the BIOS settings.

      Note: If TPM firmware version is less than the 7.2.2.0, Enable BIOS Configuration button is disabled. You must replace with a hardware that has TPM firmware version 7.2.2.0 or above.

      Note: TPM2 Algorithm Selection is set to SHA256.

      (AMD) Dynamic Root of Trust Measurement Enables AMD Dynamic Root of Trust Measurement (DRTM). Also enables AMD secure encryption features such as Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (SME). This feature is available for AMD based processors.
      [Intel] Trusted Execution Technology Enhances platform security by using Virtualization Technology, TPM Security, and TPM2 Algorithm (must be SHA256). Intel TXT provides security against hypervisor, BIOS, firmware, and other pre-launch software-based attacks by establishing a root of trust' during the boot process. This feature is available for Intel-based processors.
    7. To configure secured core for all BIOS attributes, click Enable BIOS Configuration.
    8. To apply the BIOS configuration, perform one of the following actions:
      • Apply and Reboot Now: Applies the BIOS configuration changes in all cluster nodes and reboot the cluster using Cluster Aware Updating method (without impacting the workload).
      • Apply at Next Reboot: Saves the changes and applies the BIOS configuration in all cluster nodes at the next reboot.

      If you choose this option, ensure to exit the Dell EMC OpenManage Integration with Microsoft Windows Admin Center extension and restart the cluster using the Windows Admin Center before performing any cluster management operations.

    9. When finished, click Apply.

      The operation enables CredSSP. To improve the security, disable CredSSP after the operation is complete.

    10. Click View Details to see the status of the BIOS configuration changes at node level.