Shielded VMs – additional considerations when running a guarded fabric

So you’ve deployed a guarded fabric and your VMs are running happily.  Having now reached that perfect steady state, let’s have a look at the operational and administrative differences relative to a regular fabric.  The purpose of this blog isn’t to exhaustively walk you through some mundane day-to-day set of administrative or operational duties, rather, I…

Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric

[This post was authored by Dean Wells, Principal Program Manager on the Windows Server team] If you’re anything like me, you probably find it immensely helpful having an end-to-end conceptual view of what you’re doing before actually doing it–that’s the purpose of this blog. Deploying a guarded fabric involves several new concepts so, in this…

Join Host Guardian Servers to an existing bastion forest

Shielded VM prevents unauthorized access from the host. To achieve this security assurance, there must be a role separation between the fabric admins (who manage the Guarded Hosts) and the HGS admins (who manage the Host Guardian Servers). By default, when you install the first HGS server, it will create its own forest, this will…


Host Guardian Service - AD-based vs. TPM-based attestation

[This post is authored by Dean Wells, Principal Program Manager for the Windows Server Security Product Team] Overview The Host Guardian Service (HGS) is a new role in Windows Server 2016 that provides health attestation and key protection/release services for Hyper-V hosts running Shielded VMs. This blog describes the differences between HGS’ two mutually-exclusive attestation…


Step-by-step: Quick reference guide to deploying guarded hosts

My original blog post on the topic of deploying Shielded VMs without VMM included the instructions to deploy guarded hosts.  Based on feedback around keeping the blog posts short and scenario-focused, I split the content into 2. This blog serves as a quick reference to deploy guarded hosts. Once again, I highly recommend you read…


Overview of Host Guardian Service (HGS) Diagnostics

[This post is authored by Jim Hughes, Software Engineer for the Windows Server Team] The Host Guardian Service (HGS) is a principal component in enabling Hyper-V to host Shielded VMs in Windows Server 2016. Shielded VMs are your typical Hyper-V virtual machines, but protected from tampering and inspection by platform administrators and malicious actors. The initial deployment of HGS…


Step by Step - Configuring Key Protection for the Host Guardian Service in Windows Server 2016

[This post is authored by Sumesh Kumar, Program Manager for the Enterprise and Security Product Team] The “Key Protection Service” (KPS) is one of the two services that run as part of a Windows Server role called the Host Guardian Service (or HGS). The second of those two services is called Attestation and will be…


Step by Step - Configuring Guarded Hosts with Virtual Machine Manager 2016

[This post is authored by John Patterson, Program Manager for the System Center Product Team] In this blog I want to talk about setting up guarded hosts using Virtual Machine Manager (VMM). A guarded host is just a host that can run shielded VMs. Once your Host Guardian Service has been set up and configured, configuring…


Step by Step - Configuring the Host Guardian Service in Windows Server 2016

[This post is authored by Amitabh Tamhane, Senior Program Manager and Ryan Puffer, Program Manager for the Windows Server Product Team] The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines. A Hyper-V host…