Windows Server 2025 ReFS booted images for confidential VMs
Event details
The Resilient File System (ReFS) is Microsoft's newest file system, designed to maximize data availability, scale efficiently to large data sets across diverse workloads, and provide integrity against data tampering. Azure confidential VMs run in a hardware-based isolation environment that gives a higher level of protection from hypervisor and datacenter administrators, with encrypted memory and a guest attestation capability rooted in the hardware. With Windows ReFS support for confidential VMs, we are introducing new features such as data integrity protection and rollback protection for the OS disk to further improve the security posture and protect your data end to end.
Speakers: Simran Parkhe, Tina Wu, and Vikas Tikoo
- Heather_Poulsen (Community Manager): Welcome! Windows Server 2025 ReFS booted images for confidential VMs is starting now. If you have any questions or feedback for our product teams, please post them here in the Comments.
- Olaf_Engelke (Iron Contributor): Does rollback protection also "protect" from an intended rollback through backup software?
- Vikas_Tikoo (Microsoft): Intentional rollback wouldn't look any different from malicious rollback; ReFS will detect that this is an older copy of the volume. Users can, however, configure whether they want to block or allow boot in case a rollback is detected by ReFS.
Can you please elaborate on ReFS Boot? I understood that confidential computing in VMs is the motivation for ReFS now being improved to support OS boot in the first place, which wasn't possible for a long time, and as a base made compatible with DISM? TYVM.
- Vikas_Tikoo (Microsoft): As you mentioned, we extended ReFS so that it can be used as a boot volume. Earlier, ReFS volumes could only be attached as data disks. This was important for the confidential VM scenario, as we wanted to have an FS with integrity protection capabilities right after boot.
- Hi, will it also be available on Windows 11? What about Windows Server 2025 installed locally on a physical machine or in a Hyper-V VM? Thanks
How can we ensure that
- UEFI updates
- reset of Secure Boot keys
- changing the mainboard in case of events (like a BMC defect or mainboard defect)
can be compensated?
In these cases I could imagine that the root of trust (PCR / TPM) is invalidated and, as a result, this might prevent VMs from booting.
Lately I had a similar "lesson", without confidential VM, just vTPM enabled on the Hyper-V VMs, and they refused to boot after a UEFI update which fussed around with my Secure Boot, so I had to delete the keys and redeploy them. Can you follow me?
Understood that it is a double-edged sword and there are trade-offs between confidentiality and unexpected things that can happen.
I suppose that CVMs are likely used in areas where confidentiality comes along with high costs for outages. Thanks for sharing your thoughts!
- Vikas_Tikoo (Microsoft): Great question. Yes, things like UEFI or key updates do require care in ensuring Secure Boot will still work. Secure Boot is, however, an important primitive for confidential VMs and generally for VMs deployed with Trusted Launch. It helps ensure the integrity of early boot components. Also, since you mentioned UEFI state, I wanted to call out that the ReFS rollback protection capability relies on the UEFI variable store being protected. In confidential VMs we take measures to protect the UEFI state through authenticated encryption. Hope this helps!
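A conceptual model of the two points made in the replies above (ReFS detects an older copy of the OS volume and applies a block/allow policy, and that detection only holds if the UEFI variable store cannot be tampered with), added here as an example and not Microsoft's or ReFS's own code or design. The generation counter on the volume, the MAC-protected variable store, and all names and keys are assumptions constructed for the illustration.

```python
import copy
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Volume:
    generation: int   # assumed monotonic counter advanced at every checkpoint
    label: str

class VarStore:
    """Model of a UEFI variable store. When protected, writes must carry a valid MAC."""
    def __init__(self, key: bytes, protected: bool):
        self._key, self.protected, self._vars = key, protected, {}
    def tag(self, name: str, value: int) -> bytes:
        return hmac.new(self._key, f"{name}={value}".encode(), hashlib.sha256).digest()
    def write(self, name: str, value: int, tag: Optional[bytes] = None) -> None:
        if self.protected and (tag is None or not hmac.compare_digest(tag, self.tag(name, value))):
            raise PermissionError("unauthenticated write to protected variable rejected")
        self._vars[name] = value
    def read(self, name: str) -> int:
        return self._vars.get(name, 0)

def checkpoint(vol: Volume, store: VarStore) -> None:
    """Advance the volume generation and record it in the (ideally protected) store."""
    vol.generation += 1
    store.write("ReFSGeneration", vol.generation, store.tag("ReFSGeneration", vol.generation))

def boot_check(vol: Volume, store: VarStore, policy: str = "block") -> Tuple[str, bool]:
    """Return (boot outcome, rollback detected). Policy 'block' refuses to boot an older copy."""
    rolled_back = vol.generation < store.read("ReFSGeneration")
    if rolled_back and policy == "block":
        return "blocked", True
    return "booted", rolled_back

def scenario(protected: bool, policy: str = "block") -> Tuple[str, bool]:
    """Restore a backup taken one checkpoint ago, then try to wind the stored counter back."""
    store = VarStore(b"constructed-platform-key", protected)   # constructed key, not a real one
    vol = Volume(generation=0, label="OS")
    checkpoint(vol, store)
    backup = copy.deepcopy(vol)   # backup taken at generation 1 (intentional or not, it looks the same)
    checkpoint(vol, store)        # live volume now at generation 2
    try:
        store.write("ReFSGeneration", backup.generation)   # tamper attempt without a tag
    except PermissionError:
        pass                      # a protected store keeps the newer value
    return boot_check(backup, store, policy)
```

With a protected store the restored copy is flagged (and blocked or allowed per policy); with an unprotected store the counter is silently reset and the rollback goes undetected, which is the dependency the reply calls out.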
- Char_Cheesman (Community Manager): Thank you for joining us this week for the Windows Server Summit! Q&A is now closed, but all sessions are available on demand so you can watch and learn when it is convenient for you. We hope you enjoyed the event.