Table of contents
Collapse the table of content
Expand the table of content

Verify the HGS configuration

Ryan Puffer|Last Updated: 3/8/2017
1 Contributor

Applies To: Windows Server 2016

Next, we need to validate that things are working as expected. To do so, run the following command in an elevated Windows PowerShell console:

Get-HgsTrace -RunDiagnostics

Because the HGS configuration does not yet contain information about the hosts that will be in the guarded fabric, the diagnostics will indicate that no hosts will be able to attest successfully yet. Ignore this result, and review the other information provided by the diagnostics.


When running the Guarded Fabric diagnostics tool (Get-HgsTrace -RunDiagnostics), incorrect status may be returned claiming that the HTTPS configuration is broken when it is, in fact, not broken or not being used. This error can be returned regardless of HGS’ attestation mode. The possible root-causes are as follows:

  • HTTPS is indeed improperly configured/broken
  • You’re using admin-trusted attestation and the trust relationship is broken
        - This is irrespective of whether HTTPS is configured properly, improperly, or not in use at all.

Note that the diagnostics will only return this incorrect status when targeting a Hyper-V host. If the diagnostics are targeting the Host Guardian Service, the status returned will be correct.

Run the diagnostics on each node in your HGS cluster.

© 2017 Microsoft