Deploy guarded hosts

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The topics in this section describe the steps that a fabric administrator takes to configure Hyper-V hosts to work with the Host Guardian Service (HGS). Before you can start these steps, at least one node in the HGS cluster must be set up.

For TPM-trusted attestation:

  1. Configure the fabric DNS: Tells how to set up a DNS forwarder from the fabric domain to the HGS domain.
  2. Capture information required by HGS: Tells how to capture TPM identifiers (also called platform identifiers), create a Code Integrity policy, and create a TPM baseline. Then you will provide this information to the HGS administrator to configure attestation.
  3. Confirm guarded hosts can attest
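The TPM-trusted sequence above carried through in PowerShell, as an added example that is not part of the original Microsoft page; the host name, HGS domain, HGS DNS server address, service FQDN, and output folder are assumptions, and each step runs on the machine named in its comment.

```powershell
# Added example (not from the Microsoft doc): fabric-admin steps for TPM-trusted attestation.
# Assumed values: guarded host 'HV01', HGS domain 'relecloud.com', HGS DNS server 10.0.0.20,
# HGS service FQDN 'hgs.relecloud.com', artifact folder C:\HgsArtifacts.
$HostName  = 'HV01'
$HgsDomain = 'relecloud.com'
$HgsDnsIp  = '10.0.0.20'
$HgsFqdn   = "hgs.$HgsDomain"
$OutDir    = 'C:\HgsArtifacts'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1 (run on a fabric DNS server): forward lookups for the HGS domain to the HGS DNS
# server so the host can resolve the attestation and key protection URLs.
Add-DnsServerConditionalForwarderZone -Name $HgsDomain -ReplicationScope 'Forest' -MasterServers $HgsDnsIp

# Step 2a (run on the guarded host): capture the TPM identifier (platform identifier) for the HGS admin.
(Get-PlatformIdentifier -Name $HostName).InnerXml |
    Out-File -FilePath (Join-Path $OutDir "$HostName.xml") -Encoding UTF8

# Step 2b (run on a reference host): build a Code Integrity policy at Publisher level with a
# hash fallback; -UserPEs includes user-mode binaries. HGS consumes the binary (.p7b) form.
$CiXml = Join-Path $OutDir 'HW1CodeIntegrity.xml'
$CiBin = Join-Path $OutDir 'HW1CodeIntegrity.p7b'
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $CiXml -UserPEs
ConvertFrom-CIPolicy -XmlFilePath $CiXml -BinaryFilePath $CiBin

# Step 2c (run on the reference host): capture the TPM baseline (TCG log). -SkipValidation
# suppresses the check that the reference host already has the CI policy applied, which is
# normally not yet the case at this point.
Get-HgsAttestationBaselinePolicy -Path (Join-Path $OutDir 'HWConfig1.tcglog') -SkipValidation

# Step 3 (run on the guarded host after the HGS admin has registered the artifacts): point the
# host at HGS and confirm it attests. Use https:// URLs if HGS has been configured for TLS.
Set-HgsClientConfiguration -AttestationServerUrl "http://$HgsFqdn/Attestation" `
                           -KeyProtectionServerUrl "http://$HgsFqdn/KeyProtection"
$Cfg = Get-HgsClientConfiguration
if ($Cfg.IsHostGuarded) {
    Write-Host "$HostName attested (status: $($Cfg.AttestationStatus))"
} else {
    Write-Warning "$HostName is not guarded: $($Cfg.AttestationStatus) / $($Cfg.AttestationSubstatus)"
}
```

Hand the .xml, .p7b and .tcglog files to the HGS administrator; a host whose AttestationStatus is not Passed cannot start shielded VMs, and the AttestationSubstatus names the failed check.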

For host key attestation:

  1. Create a host key: Tells how to create a host key for the Hyper-V host.
  2. Add the host key to the attestation service: Tells how to register the host key with the HGS attestation service.
  3. Confirm guarded hosts can attest

For Admin-trusted attestation:

  1. Configure the fabric DNS: Tells how to set up a DNS forwarder from the fabric domain to the HGS domain.
  2. Create a security group: Tells how to set up an Active Directory security group in the fabric domain, add guarded hosts as members of that group, and provide that group identifier to the HGS administrator.
  3. Confirm guarded hosts can attest

Additional References