How to Deploy Host Guardian Service using VMM Service Templates in VMM Tech Preview 2

~ Maha Ibrahim | Software Engineer

Host Guardian Service (HGS) is a main component for configuring guarded hosts and running shielded VMs in Windows Server and System Center Virtual Machine Manager Technical Preview 2. In this post I demonstrate how to automate the deployment of Host Guardian Service using VMM service templates. The resulting Host Guardian Service instance can be used for your test or demo environments. First we’ll cover the relevant VMM service template configuration details, then go through the steps needed to import and deploy the Host Guardian Service template, which gets you a virtualized HGS instance in just a few clicks.

Note that this article assumes you have some background about using VMM service templates. If you’re interested in more details about HGS, you can refer to Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or https://aka.ms/shieldedvms.

Requirements

1. Microsoft System Center Virtual Machine Manager – Technical Preview 2 – Download link

2. Windows Server Technical Preview 2 Virtual Hard Disk Image – Download link

Host Guardian Service VMM Service Template

Now let’s start with the details of how we configure the Host Guardian Service using a VMM service template.

There are two key configurations for the template:

1. Enable the Windows Server role for “Host Guardian Service” in the operating system configuration of the service template:


2. Run application configuration scripts to install and configure the Host Guardian Service. For this purpose we are using two scripts: Install-HostGuardianService.ps1 and Configure-HostGuardianService.ps1. To keep things simple, both scripts are placed in a single custom resource folder named HostGuardianServiceScripts.cr.

Now let’s take a deeper look at the contents of the two scripts:

1. Install-HostGuardianService.ps1
2. Configure-HostGuardianService.ps1

Install-HostGuardianService.ps1

 
# Purpose: Install Host Guardian Service (HGS)
# Arguments: <HGS Domain Name> <Safe Mode Admin Password>
# Example: ./Install-HostGuardianService.ps1 Relecloud.com Pass@word1
 
param(
    [Parameter(Mandatory=$true)]
    [string] $HgsDomainName,
 
    [Parameter(Mandatory=$true)]
    [string] $HgsSafeModeAdminPassword
    )
 
Set-ExecutionPolicy RemoteSigned -Force
$adminPassword = ConvertTo-SecureString $HgsSafeModeAdminPassword -AsPlainText -Force
 
Write-Host "Test HGS Pre-requisites.`n"
Test-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword;
 
Write-Host "Install HGS Server.`n"
Install-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword;
 
Write-Host "Exit and Reboot.`n"
# Exit code 3011 tells VMM that the script succeeded and the machine must be restarted
[Environment]::Exit(3011)

In a nutshell, the script tests the prerequisites of the computer, installs the Host Guardian Service, then exits with an exit code that lets VMM orchestrate the machine reboot per the restart policy of the application script.


In the service template, the parameters will be passed to the script through VMM service settings:


Configure-HostGuardianService.ps1

 
# Purpose: Configure Host Guardian Service (HGS)
# Arguments: <HGS Server Name> <HGS Domain Name> [AD Mode] [Fabric AD Group SID] [Fabric DNS IP Address] [Fabric Domain Name] [Fabric Domain User] [Fabric Domain Password]
# Example1: AD Mode Partial Configuration:  ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com
# Example2: TPM Mode Full Configuration:    ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com 0
# Example3: AD Mode Full Configuration:     ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com 1 S-1-5-21-3623811015-3361044348-30300820-1013 1.2.3.4 Fabric.com FabricAdmin pass@word1
 
param(
    [Parameter(Mandatory=$true)]
    [string] $HgsServiceName,
 
    [Parameter(Mandatory=$true)]
    [string] $HgsDomainName,
       
    [Parameter(Mandatory=$false)]
    [bool] $AdMode=$true,
 
    [Parameter(Mandatory=$false)]
    [string] $FabricAdGroupSid,
 
    [Parameter(Mandatory=$false)]
    [string] $FabricDnsIpAddress,
 
    [Parameter(Mandatory=$false)]
    [string] $FabricDomainName,
       
    [Parameter(Mandatory=$false)]
    [string] $FabricDomainUser,
       
    [Parameter(Mandatory=$false)]
    [string] $FabricDomainPassword
    )
 
Write-Host "Initialize HGS Server.`n"
 
Initialize-HgsServer -HgsServiceName $HgsServiceName;
 
Write-Host "Register Attestation.`n"
 
if($AdMode -eq $true)
{
    Write-Host "Register Trusted Active Directory Mode.`n"
    Register-HgsAttestation -TrustActiveDirectory -Force -Confirm:$false
}
else
{
    Write-Host "Register Trusted Hardware TPM Mode.`n"
    Register-HgsAttestation -Force -Confirm:$false
}
 
Write-Host "Configure HGS Key Protection.`n"
 
# Self-signed certificates with exportable keys: adequate for a test or demo HGS instance
$communicationCert = New-SelfSignedCertificate -DnsName "$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable
 
$signingCert = New-SelfSignedCertificate -DnsName "Signing-$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable
 
$encryptionCert = New-SelfSignedCertificate -DnsName "Encryption-$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable
 
Export-Certificate -Cert $communicationCert -FilePath 'c:\communication.cer' 
 
Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath 'C:\communication.cer'
 
# The IIS: drive used below is provided by the WebAdministration module
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -IP '*' -Port 443 -Protocol https
 
$communicationCert | New-Item IIS:\SslBindings\0.0.0.0!443
 
Register-HgsKeyProtection -EncryptionCertificateThumbprint $encryptionCert.Thumbprint -SigningCertificateThumbprint $signingCert.Thumbprint -InitializeClusterConfig -Force
 
$attestationCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=Microsoft Remote Attestation Service' } | Select-Object -First 1
 
Add-HgsKeyProtectionAttestationSignerCertificate -Certificate $attestationCert
 
 
if($AdMode -eq $true)
{  
    Write-Host "Configure AD Based Attestation.`n"
 
    if($FabricDnsIpAddress)
    {
        Write-Host "Add DNS Server forwarder to fabric domain.`n"
        Add-DnsServerForwarder -IPAddress $FabricDnsIpAddress
    }
   
    if($FabricDomainName -and $FabricDomainUser -and $FabricDomainPassword)
    {
        Write-Host "Set domain trust"
        netdom trust $HgsDomainName /domain:$FabricDomainName /userd:$FabricDomainName\$FabricDomainUser /passwordd:$FabricDomainPassword /add
    }
 
    if($FabricAdGroupSid)
    {
        Write-Host "Add Host Group Policy to HGS Server.`n"
        $GroupPolicyName = "HostGroup_" + $FabricAdGroupSid
        Add-HgsAttestationHostGroupPolicy -Name $GroupPolicyName -Identifier $FabricAdGroupSid 
    }
}
else
{
    Write-Host "Configure TPM Based Attestation.`n"
    if(Test-Path .\TpmHosts)
    {
        Write-Host "Add TPM Hosts.`n"
        Get-ChildItem -Path .\TpmHosts | ForEach { Add-HgsAttestationTpmHost -Name $_.BaseName -Path $_.FullName }
    }
 
    if(Test-Path .\TpmPolicies)
    {
        Write-Host "Add TPM Policies.`n"
        Get-ChildItem -Path .\TpmPolicies | ForEach { Add-HgsAttestationTpmPolicy -Name $_.BaseName -Path $_.FullName }
    }
 
    if(Test-Path .\CIPolicies)
    {
        Write-Host "Add CI Policies.`n"
        Get-ChildItem -Path .\CIPolicies | ForEach { Add-HgsAttestationCIPolicy -Name $_.BaseName -Path $_.FullName -ConvertToHash }
    }
}

This script takes a number of input parameters that control the resulting configuration of your HGS server, whether it uses AD or TPM based attestation.

For AD trust mode, the values for the parameters will control whether to configure domain trust and a DNS forwarder to the fabric domain, and whether to add the SID of the fabric AD group. Fabric hosts that are joined to this AD group are deemed guarded by HGS.

For Trusted Hardware TPM Mode, the contents of the HostGuardianServiceScripts.cr subfolders determine whether, and which, TPM hosts and/or policies are added to the HGS server. If you want Code Integrity Policies, TPM Hosts or TPM policies added, include the necessary files in the respective subfolders in your library prior to deploying the service configuration.

Below is the folder structure for the HostGuardianServiceScripts.cr custom resource:


For details about how to create the files for TPM hosts, Code Integrity Policy or TPM policy, refer to the Windows Server TechNet articles about Guarded Fabric and Shielded VMs or https://aka.ms/shieldedvms.

In the service template, the parameters will be passed to the script through VMM service settings:


The full parameters field is shown below for reference:

-file .\Configure-HostGuardianService.ps1 @HgsServiceName@ @HgsDomainName@ @AdMode@ @FabricAdGroupSid@ @FabricDnsIpAddress@ @FabricDomainName@ @FabricDomainUser@ @FabricDomainPassword@

Note that the order of the service settings must match the script parameters.

You’ll notice that the script command type is Creation: First VM. For Technical Preview 2, Host Guardian Service does not support a highly available mode, so none of the scripts should run on additional VM instances if the tier is scaled out. In the future, once HGS supports a highly available mode, the template can easily be configured for the requirements of the additional nodes.
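Because VMM substitutes the @Setting@ values positionally, a setting listed out of order in the parameters field silently lands in the wrong script parameter (a password in the domain name slot, for instance). The following script is an added example, not part of the original post or the template: it parses the script's param() block with the PowerShell parser and compares it, position by position, with the @Setting@ tokens in the parameters field. It relies on the convention used in this template that each service setting carries the same name as the script parameter it feeds; the default path and field text are the ones shown above.

```powershell
# Added example (not from the original post): verify that the @Setting@ tokens in a
# VMM application script parameters field appear in the same order as the param()
# block of the script they are passed to. VMM substitutes the values positionally,
# so a reordered setting ends up in the wrong parameter without any error.
# Defaults are the script path and parameters field used in this post.

param(
    [string] $ScriptPath = '.\Configure-HostGuardianService.ps1',

    [string] $ParametersField = '-file .\Configure-HostGuardianService.ps1 @HgsServiceName@ @HgsDomainName@ @AdMode@ @FabricAdGroupSid@ @FabricDnsIpAddress@ @FabricDomainName@ @FabricDomainUser@ @FabricDomainPassword@'
)

function Get-ScriptParameterNames {
    # Returns the names in the script's param() block in declaration order, using the
    # PowerShell parser so comments and string literals cannot confuse the result.
    param([string] $Path)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($Path, [ref] $tokens, [ref] $errors)
    if ($errors.Count -gt 0) {
        throw "Parse errors in ${Path}: $($errors | Out-String)"
    }
    if (-not $ast.ParamBlock) {
        throw "$Path has no param() block, so positional arguments cannot be mapped."
    }
    $ast.ParamBlock.Parameters | ForEach-Object { $_.Name.VariablePath.UserPath }
}

function Get-SettingNames {
    # Extracts the @Name@ service setting tokens from the parameters field, left to right.
    param([string] $Field)

    [regex]::Matches($Field, '@([A-Za-z0-9_]+)@') | ForEach-Object { $_.Groups[1].Value }
}

$scriptParams = @(Get-ScriptParameterNames -Path $ScriptPath)
$settings     = @(Get-SettingNames -Field $ParametersField)

$mismatch = $false
$count = [Math]::Max($scriptParams.Count, $settings.Count)
for ($i = 0; $i -lt $count; $i++) {
    $p = if ($i -lt $scriptParams.Count) { $scriptParams[$i] } else { '<missing>' }
    $s = if ($i -lt $settings.Count)     { $settings[$i] }     else { '<missing>' }
    if ($p -eq $s) { $status = 'OK' } else { $status = 'MISMATCH'; $mismatch = $true }
    '{0,2}. {1,-24} {2,-24} {3}' -f ($i + 1), $p, $s, $status
}

if ($mismatch) {
    Write-Warning 'Service settings and script parameters are not in the same order; fix the parameters field before deploying.'
    exit 1
}
'All service settings map to the expected script parameters.'
```

Run it from the folder that holds the custom resource contents, or pass -ScriptPath and -ParametersField explicitly after editing the template; a non-zero exit code makes it usable as a pre-deployment gate in a larger automation.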

Now that we have a good understanding of the configuration required to orchestrate the deployment of the virtualized Host Guardian Service using VMM service template, the next section will cover how to download the service template, import it, and deploy the Host Guardian Service.

Installation Steps

1. Download the compressed file from this download link.

2. Extract the custom resource folder HostGuardianServiceScripts.cr and copy it to your VMM library, then refresh the library share.

3. Create a Run As account to be used for the Local Administrator of the HGS computer.

4. Verify that the Windows Server Technical Preview 2 VHD is imported in VMM library.

5. Import the XML file as a VMM service template and map the resources according to resources included in the library.


6. If needed, open the computer tier properties and update the product key in the operating system configuration.


7. Save and configure deployment.

8. Specify the VM Network to be used.


9. Specify the service settings per the configuration of the desired deployment. This is an example for settings needed to deploy a full-fledged AD mode HGS server:


Here’s an example of the settings needed to deploy a TPM Mode HGS server. TPM hosts, TPM policies and code integrity policies will be added to the HGS server only if the respective files are included in the subfolders, as mentioned earlier. If the files do not exist at the time of deployment, extra configuration steps will be needed before the HGS server can be used for host guarding.


Now the service configuration is ready to be deployed. Click Deploy Service and wait for the job to complete. Once complete, you’ll have a Host Guardian Service instance up and running!

Troubleshooting

  • When specifying the values for the service settings, be sure to choose different names for the HgsServiceName and the ComputerName of the VM.
  • If for any reason the service deployment fails, retrying the failed service deployment job may not work since the virtual machine will have joined a different domain than what VMM expects. Investigate the cause of the failure and remediate in a new service deployment job.

For failure analysis, the script output and error logs will be located inside the guest operating system under the C:\ drive (e.g. c:\hgs_install.* and c:\hgs_configure.*).

After the service deployment completes, extra configuration may be needed before you can use the resulting instance for host guarding:

  • For Both TPM and AD setup: Configure name resolution between the existing fabric domain and the new HGS domain.
  • For AD Setup: Verify that the hosts where guarding is desired are added to the AD group whose SID is added to the HGS.

Here’s an example for the Attestation and Key Protection servers URLs per the service setting example values used in this article:

AttestationServerUrl: http://MyHgsService.ReleCloud.com/Attestation

KeyProtectionServerUrl: http://MyHgsService.ReleCloud.com/KeyProtection
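The checks below tie together the two loose ends above: the TPM mode deployment whose .cr subfolders were empty, and the post-deployment verification that the instance is actually ready to guard hosts. This is an added example written for this post, not code from the template or from the HGS product; it runs inside the HGS guest OS after the service job finishes. The cmdlet names and object properties (Get-HgsServer with AttestationUrl and KeyProtectionUrl, Get-HgsAttestationHostGroup, Get-HgsAttestationTpmHost, Get-HgsAttestationTpmPolicy, Get-HgsAttestationCIPolicy, Get-HgsKeyProtectionCertificate with CertificateType) are those of the HgsServer module in the released Windows Server 2016, and the metadata path under KeyProtection is likewise taken from that release; their presence in Technical Preview 2 is an assumption.

```powershell
# Added example (not from the original post): post-deployment check, run inside the
# HGS guest OS, that the configuration produced by the service template matches the
# intended attestation mode and that key protection has its certificates.
# Cmdlet and property names are those of the HgsServer module in Windows Server 2016;
# their availability in Technical Preview 2 is an assumption.

param(
    # $true for AD mode (the AdMode service setting), $false for TPM mode.
    [Parameter(Mandatory=$true)]
    [bool] $AdMode,

    # SID supplied in the FabricAdGroupSid service setting (AD mode only).
    [string] $FabricAdGroupSid
)

$problems = @()

# 1. Endpoints as HGS itself reports them; these are the values to hand to the fabric.
$server = Get-HgsServer
"AttestationServerUrl:   $($server.AttestationUrl)"
"KeyProtectionServerUrl: $($server.KeyProtectionUrl)"

# 2. Attestation content, depending on the mode the template was deployed in.
if ($AdMode) {
    $groups = @(Get-HgsAttestationHostGroup)
    $groups | Format-Table Name, Identifier -AutoSize
    if ($FabricAdGroupSid -and -not ($groups | Where-Object { $_.Identifier -eq $FabricAdGroupSid })) {
        $problems += "Fabric AD group SID $FabricAdGroupSid is not registered as an attestation host group."
    }
}
else {
    $tpmHosts    = @(Get-HgsAttestationTpmHost)
    $tpmPolicies = @(Get-HgsAttestationTpmPolicy)
    $ciPolicies  = @(Get-HgsAttestationCIPolicy)
    "TPM hosts: $($tpmHosts.Count)  TPM policies: $($tpmPolicies.Count)  CI policies: $($ciPolicies.Count)"
    # Each list is empty when the matching .cr subfolder had no files at deployment time.
    if ($tpmHosts.Count    -eq 0) { $problems += 'No TPM hosts registered; add one with Add-HgsAttestationTpmHost.' }
    if ($tpmPolicies.Count -eq 0) { $problems += 'No TPM policies registered; add one with Add-HgsAttestationTpmPolicy.' }
    if ($ciPolicies.Count  -eq 0) { $problems += 'No code integrity policies registered; add one with Add-HgsAttestationCIPolicy.' }
}

# 3. Key protection needs one signing and one encryption certificate. The template
#    created them self-signed with exportable keys, which is fine for a lab but is
#    reported here so it is not carried unnoticed into a production fabric.
$kpCerts = @(Get-HgsKeyProtectionCertificate)
foreach ($type in 'Signing', 'Encryption') {
    $entry = $kpCerts | Where-Object { $_.CertificateType -eq $type } | Select-Object -First 1
    if (-not $entry) {
        $problems += "No $type certificate is registered with key protection."
        continue
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $entry.Thumbprint }
    if ($cert -and $cert.Subject -eq $cert.Issuer) {
        "$type certificate $($entry.Thumbprint) is self-signed (test/demo use only)."
    }
}

# 4. A guarded host's client fetches the key protection metadata document first, so a
#    successful download is a quick liveness test of the web binding (path assumed
#    from the 2016 release of HGS).
foreach ($base in @($server.KeyProtectionUrl)) {
    $metadataUrl = "$($base.ToString().TrimEnd('/'))/service/metadata/2014-07/metadata.xml"
    try {
        $null = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
        "Key protection metadata reachable at $metadataUrl"
    }
    catch {
        $problems += "Key protection metadata not reachable at ${metadataUrl}: $($_.Exception.Message)"
    }
}

if ($problems.Count -eq 0) {
    'HGS configuration checks passed.'
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it with the same AdMode and FabricAdGroupSid values you entered as service settings, for example .\Check-HgsDeployment.ps1 -AdMode $true -FabricAdGroupSid S-1-5-21-3623811015-3361044348-30300820-1013 (file name chosen for this example). Each warning corresponds to one of the manual follow-up steps described above, and the non-zero exit code lets the check sit at the end of the deployment pipeline.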

Happy host guarding and virtual machine shielding!

Maha Ibrahim | Software Engineer | Microsoft
