How to Deploy Host Guardian Service using Service Templates in VMM Tech Preview 3

~ Maha Ibrahim | Senior Software Engineer


Updated 12/1/2015: A newer version of this article for Tech Preview 4 is available here.

=====

Host Guardian Service (HGS) is a main component for configuring guarded hosts and running shielded VMs in Windows Server and System Center Virtual Machine Manager Technical Preview 3.

In this post we will demonstrate how to automate the deployment of Host Guardian Service using VMM service templates. The resulting Host Guardian Service instance can be used for your test or demo environments.

First, we will cover the relevant VMM service template configuration details, then show the steps needed to import and deploy the Host Guardian service template that can get you a virtualized HGS instance just in few clicks.

This post assumes some background in using VMM service templates. If you are interested in more details about HGS beyond the scope of this article, refer to the Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or https://aka.ms/shieldedvms.

Requirements

  1. Microsoft System Center Virtual Machine Manager – Technical Preview 3 – Download link
  2. Windows Server Technical Preview 3 Virtual Hard Disk Image – Download link

Host Guardian Service VMM Service Template

Now let’s start with details about how we’re configuring the Host Guardian Service using VMM service template.

There are two key configurations in the template:

1. Enable the Windows Server role for “Host Guardian Service” in the operating system configuration of the service template.

[Screenshot: the Host Guardian Service role selected in the operating system configuration of the service template]

2. Run application configuration scripts to install and configure the Host Guardian service. For this purpose we are using two scripts: Install-HostGuardianService.ps1 and Configure-HostGuardianService.ps1. To make it simple, both of the scripts are placed in a single custom resource folder named HostGuardianServiceScripts.cr.

Now let’s take a deeper look at the contents of the two scripts:

Install-HostGuardianService.ps1

# Purpose: Install Host Guardian Service (HGS)
# Arguments: <HGS Domain Name> <Safe Mode Admin Password>
# Example: ./Install-HostGuardianService.ps1 Relecloud.com Pass@word1

param(
    # Name of the new HGS domain; this VM becomes its domain controller
    [Parameter(Mandatory=$true)]
    [string] $HgsDomainName,

    # Directory Services Restore Mode (safe mode) administrator password
    [Parameter(Mandatory=$true)]
    [string] $HgsSafeModeAdminPassword
    )

Set-ExecutionPolicy RemoteSigned -Force

# The HGS cmdlets take the safe mode password as a SecureString
$adminPassword = ConvertTo-SecureString $HgsSafeModeAdminPassword -AsPlainText -Force

Write-Host "Test HGS Pre-requisites.`n"
Test-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword

Write-Host "Install HGS Server.`n"
Install-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword

Write-Host "Exit and Reboot.`n"

# Exit code 3011 is matched by the restart policy of the VMM application script,
# so VMM reboots the VM before running the next script
[Environment]::Exit(3011)

In a nutshell, the script tests the pre-requisites of the machine, installs the Host Guardian Service, then exits with exit code 3011, which allows VMM to orchestrate the machine reboot per the restart policy of the application script.

[Screenshot: application script settings for Install-HostGuardianService.ps1, including the restart policy]

In the service template, the parameters will be passed to the script through VMM service settings:

[Screenshot: service settings passed as parameters to Install-HostGuardianService.ps1]

Configure-HostGuardianService.ps1

# Purpose: Configure Host Guardian Service (HGS)
# Arguments: <HGS Server Name> <HGS Domain Name> [AD Mode] [Fabric AD Group SID] [Fabric DNS IP Address] [Fabric Domain Name] [Fabric Domain User] [Fabric Domain Password]
# Example1: AD Mode Partial Configuration:  ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com
# Example2: TPM Mode Full Configuration:    ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com 0
# Example3: AD Mode Full Configuration:     ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com 1 S-1-5-21-3623811015-3361044348-30300820-1013 1.2.3.4 Fabric.com FabricAdmin pass@word1

param(
    # DNS name of the HGS service; keep it different from the VM's computer name
    [Parameter(Mandatory=$true)]
    [string] $HgsServiceName,

    [Parameter(Mandatory=$true)]
    [string] $HgsDomainName,

    # $true = AD based attestation (default), $false = TPM based attestation
    [Parameter(Mandatory=$false)]
    [bool] $AdMode=$true,

    # AD mode only: SID of the fabric AD group whose member hosts are deemed guarded
    [Parameter(Mandatory=$false)]
    [string] $FabricAdGroupSid,

    # AD mode only: DNS forwarder and domain trust towards the fabric domain
    [Parameter(Mandatory=$false)]
    [string] $FabricDnsIpAddress,

    [Parameter(Mandatory=$false)]
    [string] $FabricDomainName,

    [Parameter(Mandatory=$false)]
    [string] $FabricDomainUser,

    [Parameter(Mandatory=$false)]
    [string] $FabricDomainPassword
    )

Write-Host "Wait some time to give ADWS a chance to be ready before proceeding.`n"
Start-Sleep -Seconds 300

# Self-signed, exportable certificates for the HGS communications, signing and
# encryption roles; suitable for the test/demo scope of this template
$communicationCert = New-SelfSignedCertificate -DnsName "$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable

$signingCert = New-SelfSignedCertificate -DnsName "Signing-$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable

$encryptionCert = New-SelfSignedCertificate -DnsName "Encryption-$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable

# Make the self-signed communications certificate trusted on this machine
Export-Certificate -Cert $communicationCert -FilePath 'c:\communication.cer'

Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath 'C:\communication.cer'

Write-Host "Initialize HGS Server.`n"

$params = @{
            HgsServiceName = $HgsServiceName
            EncryptionCertificateThumbprint = $encryptionCert.Thumbprint
            SigningCertificateThumbprint = $signingCert.Thumbprint
            CommunicationsCertificateThumbprint = $communicationCert.Thumbprint}

if ($AdMode -eq $true)
{
    $params.TrustActiveDirectory = $true
}

Initialize-HgsServer @params -Force -Confirm:$false

if($AdMode -eq $true)
{
    Write-Host "Configure AD Based Attestation.`n"

    if($FabricDnsIpAddress)
    {
        Write-Host "Add DNS Server forwarder to fabric domain.`n"
        Add-DnsServerForwarder -IPAddress $FabricDnsIpAddress
    }

    if($FabricDomainName -and $FabricDomainUser -and $FabricDomainPassword)
    {
        Write-Host "Set domain trust.`n"
        netdom trust $HgsDomainName /domain:$FabricDomainName /userd:$FabricDomainName\$FabricDomainUser /passwordd:$FabricDomainPassword /add
    }

    if($FabricAdGroupSid)
    {
        Write-Host "Add Host Group Policy to HGS Server.`n"
        $GroupPolicyName = "HostGroup_" + $FabricAdGroupSid
        Add-HgsAttestationHostGroup -Name $GroupPolicyName -Identifier $FabricAdGroupSid
    }
}
else
{
    Write-Host "Configure TPM Based Attestation.`n"

    # Each subfolder of the custom resource is optional; the file's BaseName
    # becomes the name of the HGS object that is added
    if(Test-Path .\TpmHosts)
    {
        Write-Host "Add TPM Hosts.`n"
        Get-ChildItem -Path .\TpmHosts | ForEach-Object { Add-HgsAttestationTpmHost -Name $_.BaseName -Path $_.FullName }
    }

    if(Test-Path .\TpmPolicies)
    {
        Write-Host "Add TPM Policies.`n"
        Get-ChildItem -Path .\TpmPolicies | ForEach-Object { Add-HgsAttestationTpmPolicy -Name $_.BaseName -Path $_.FullName }
    }

    if(Test-Path .\CIPolicies)
    {
        Write-Host "Add CI Policies.`n"
        Get-ChildItem -Path .\CIPolicies | ForEach-Object { Add-HgsAttestationCIPolicy -Name $_.BaseName -Path $_.FullName -ConvertToHash }
    }
}

This script takes a number of input parameters that control the resulting configuration of your HGS server, whether it uses AD or TPM based attestation.

For AD trust mode, the parameter values control whether to configure the domain trust and DNS forwarder to the fabric domain, and whether to add the SID of the fabric AD group. Fabric hosts that are members of this AD group are deemed guarded by HGS.

For trusted hardware (TPM) mode, the contents of the HostGuardianServiceScripts.cr subfolders determine whether, and which, TPM hosts and/or policies are added to the HGS server. If you want Code Integrity policies, TPM hosts and TPM policies added, place the necessary files in the respective subfolders in your library before deploying the service configuration.

Below is the folder structure of the HostGuardianServiceScripts.cr custom resource.

[Screenshot: folder structure of the HostGuardianServiceScripts.cr custom resource, with the TpmHosts, TpmPolicies and CIPolicies subfolders]

For details about how to create the files for TPM hosts, Code Integrity policies or TPM policies, refer to the Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or https://aka.ms/shieldedvms.

In the service template, the parameters will be passed to the script through VMM service settings:

[Screenshot: service settings passed as parameters to Configure-HostGuardianService.ps1]

The full parameters field is shown below for reference.

-file .\Configure-HostGuardianService.ps1 @HgsServiceName@ @HgsDomainName@ @AdMode@ @FabricAdGroupSid@ @FabricDnsIpAddress@ @FabricDomainName@ @FabricDomainUser@ @FabricDomainPassword@

Note that the order of the service settings must match the script parameters.
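As an added example that is not part of the original post, the following PowerShell snippet checks this ordering mechanically: it reads the parameter names from the script's param() block with the PowerShell parser and compares them, position by position, with the @ServiceSetting@ tokens in the Parameters field. The script text embedded below is a constructed stand-in with the same param() block as Configure-HostGuardianService.ps1; point -ScriptPath at the real file in your custom resource folder to check the actual template.

```powershell
# Added example, not from the original post. Compares the order of @Setting@ tokens
# in a VMM application script "Parameters" field with the order of the parameters
# declared in the script's param() block.

function Get-ScriptParameterOrder {
    param([Parameter(Mandatory=$true)][string] $ScriptPath)
    # Use the real PowerShell parser so comments, attributes and defaults cannot fool a regex
    $tokens = $null; $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($ScriptPath, [ref]$tokens, [ref]$parseErrors)
    if ($parseErrors.Count -gt 0) { throw "Parse errors in ${ScriptPath}: $($parseErrors -join '; ')" }
    if (-not $ast.ParamBlock)     { throw "No param() block found in $ScriptPath" }
    $ast.ParamBlock.Parameters | ForEach-Object { $_.Name.VariablePath.UserPath }
}

function Get-VmmParameterFieldOrder {
    param([Parameter(Mandatory=$true)][string] $ParametersField)
    # VMM replaces each @Name@ token with the value of the service setting of that name
    [regex]::Matches($ParametersField, '@([A-Za-z0-9_]+)@') | ForEach-Object { $_.Groups[1].Value }
}

function Test-VmmParameterOrder {
    param(
        [Parameter(Mandatory=$true)][string] $ScriptPath,
        [Parameter(Mandatory=$true)][string] $ParametersField
    )
    $scriptParams = @(Get-ScriptParameterOrder -ScriptPath $ScriptPath)
    $fieldParams  = @(Get-VmmParameterFieldOrder -ParametersField $ParametersField)
    $ok    = $true
    $count = [Math]::Max($scriptParams.Count, $fieldParams.Count)
    for ($i = 0; $i -lt $count; $i++) {
        $s = if ($i -lt $scriptParams.Count) { $scriptParams[$i] } else { '<missing>' }
        $f = if ($i -lt $fieldParams.Count)  { $fieldParams[$i] }  else { '<missing>' }
        # Parameter binding is positional here, so the names must agree at every index
        $status = if ($s -eq $f) { 'OK' } else { $ok = $false; 'MISMATCH' }
        Write-Host ("{0,-8} position {1}: script={2,-24} field={3}" -f $status, $i, $s, $f)
    }
    return $ok
}

# Constructed stand-in for Configure-HostGuardianService.ps1 (same param() order as the post's script)
$sampleScript = @'
param(
    [Parameter(Mandatory=$true)]  [string] $HgsServiceName,
    [Parameter(Mandatory=$true)]  [string] $HgsDomainName,
    [Parameter(Mandatory=$false)] [bool]   $AdMode=$true,
    [Parameter(Mandatory=$false)] [string] $FabricAdGroupSid,
    [Parameter(Mandatory=$false)] [string] $FabricDnsIpAddress,
    [Parameter(Mandatory=$false)] [string] $FabricDomainName,
    [Parameter(Mandatory=$false)] [string] $FabricDomainUser,
    [Parameter(Mandatory=$false)] [string] $FabricDomainPassword
)
'@
$samplePath = Join-Path $env:TEMP 'Configure-HostGuardianService.sample.ps1'
Set-Content -Path $samplePath -Value $sampleScript

# The Parameters field as shown in the post
$field = '-file .\Configure-HostGuardianService.ps1 @HgsServiceName@ @HgsDomainName@ @AdMode@ @FabricAdGroupSid@ @FabricDnsIpAddress@ @FabricDomainName@ @FabricDomainUser@ @FabricDomainPassword@'

Test-VmmParameterOrder -ScriptPath $samplePath -ParametersField $field
```

The comparison is by name and position, so a renamed, missing or reordered service setting shows up as a MISMATCH row and the function returns $false; a mismatch here means the wrong value is bound to a parameter (for example a domain name landing in $AdMode) without any error from VMM itself.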

Now we should have a good understanding of the configuration required to orchestrate the deployment of the virtualized Host Guardian Service using VMM service template. The next section will cover how to download the service template, import it and deploy the Host Guardian Service.

Install Steps

1. Download compressed file from this download link.

2. Extract the custom resource folder HostGuardianServiceScripts.cr and copy it to your VMM library, then refresh the library share.

3. Create a Run As Account to be used for the Local Administrator of the HGS machine.

4. Verify that the Windows Server Technical Preview 3 VHD is imported in the VMM library.

5. Import the XML file as a VMM service template and map the resources according to resources included in the library.

[Screenshot: mapping the template resources to the resources in the VMM library during import]

6. If needed, open the computer tier properties and update the product key in the operating system configuration.

[Screenshot: product key in the operating system configuration of the computer tier]

7. Save and configure deployment.

8. Specify the VM Network to be used.

[Screenshot: VM Network selection for the service deployment]

9. Specify the service settings per the configuration of the desired deployment. This is an example of the settings needed to deploy a full-fledged AD mode HGS server:

[Screenshot: example service settings for an AD mode HGS deployment]

And here is an example of the settings needed to deploy a TPM mode HGS server. TPM hosts, TPM policies and code integrity (CI) policies will be added to the HGS server only if the respective files are included in the subfolders referred to earlier. If the files do not exist at the time of deployment, extra configuration steps will be needed before the HGS server can be used for host guarding.

[Screenshot: example service settings for a TPM mode HGS deployment]

Now that the service configuration is ready to be deployed, click Deploy Service and wait for the job to complete. Once complete, you’ll have a Host Guardian Service instance up and running!

Troubleshooting Tips

– When specifying the values for the service settings, choose different names for the HgsServiceName and the ComputerName of the VM.

– If for any reason the service deployment fails, retrying the failed service deployment job may not work, since the virtual machine will have joined a different domain than the one VMM expects. Investigate the cause of the failure and remediate it in a new service deployment job.

– For failure analysis, the script output and error logs will be located inside the guest operating system under the C:\ drive (e.g. C:\hgs_install.* & C:\hgs_configure.*).

After the service deployment completes, before you can use the resulting instance for host guarding, extra configurations may be needed:

– For Both TPM and AD setup: Configure name resolution between the existing fabric domain and the new HGS domain.

– For AD Setup: Verify that the hosts where guarding is desired are added to the AD group whose SID is added to the HGS.

Here are the Attestation and Key Protection server URLs that result from the example service setting values used in this article:

AttestationServerUrl: http://MyHgsService.ReleCloud.com/Attestation

KeyProtectionServerUrl: http://MyHgsService.ReleCloud.com/KeyProtection
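As an added example that is not part of the original post, the following PowerShell script runs inside the deployed HGS VM and checks the points the post raises before hosts are pointed at the service: the URLs reported by HGS, the attestation objects that were actually registered by Configure-HostGuardianService.ps1, and, for AD mode, name resolution and trust towards the fabric domain. It assumes the HGS cmdlets from the role (Get-HgsServer and the Get-HgsAttestation* counterparts of the Add- cmdlets used in the post) plus the DnsClient, DnsServer and ActiveDirectory modules are present on the HGS VM, and that Get-HgsServer exposes AttestationUrl and KeyProtectionUrl properties as it does in later releases; the Key Protection metadata path is likewise assumed from later releases, and the fabric domain name and group SID are constructed placeholders.

```powershell
# Added example, not from the original post. Run on the deployed HGS VM after the
# service deployment job completes. Property names and the metadata path are
# assumptions from later HGS releases; adjust if TP3 differs.
param(
    [bool]   $AdMode           = $true,        # same value as the AdMode service setting
    [string] $FabricDomainName = 'Fabric.com', # placeholder: your fabric domain
    [string] $FabricAdGroupSid = ''            # placeholder: SID given at deployment (AD mode)
)

function Test-HgsDeployment {
    param([bool] $AdMode, [string] $FabricDomainName, [string] $FabricAdGroupSid)
    $problems = @()

    # 1. URLs reported by HGS; these are what guarded hosts get configured with
    $hgs = Get-HgsServer
    Write-Host "AttestationServerUrl   : $($hgs.AttestationUrl)"
    Write-Host "KeyProtectionServerUrl : $($hgs.KeyProtectionUrl)"

    # 2. What Configure-HostGuardianService.ps1 actually registered
    $hostGroups = @(Get-HgsAttestationHostGroup)
    $tpmHosts   = @(Get-HgsAttestationTpmHost)
    $tpmPols    = @(Get-HgsAttestationTpmPolicy)
    $ciPols     = @(Get-HgsAttestationCIPolicy)
    Write-Host ("Host groups: {0}  TPM hosts: {1}  TPM policies: {2}  CI policies: {3}" -f
        $hostGroups.Count, $tpmHosts.Count, $tpmPols.Count, $ciPols.Count)

    if ($AdMode) {
        # The post's script names the group policy "HostGroup_<SID>", so its presence is checkable by name
        if ($FabricAdGroupSid -and ($hostGroups.Name -notcontains ("HostGroup_" + $FabricAdGroupSid))) {
            $problems += "No attestation host group registered for fabric AD group SID $FabricAdGroupSid"
        }
        # Name resolution and trust between the HGS domain and the fabric domain
        $forwarders = @(Get-DnsServerForwarder).IPAddress
        Write-Host "DNS forwarders         : $($forwarders -join ', ')"
        try {
            $null = Resolve-DnsName -Name $FabricDomainName -Type A -ErrorAction Stop
        } catch {
            $problems += "Cannot resolve fabric domain $FabricDomainName from the HGS VM (check the DNS forwarder)"
        }
        if (Get-Command Get-ADTrust -ErrorAction SilentlyContinue) {
            $trust = Get-ADTrust -Filter "Name -eq '$FabricDomainName'" -ErrorAction SilentlyContinue
            if (-not $trust) { $problems += "No AD trust with $FabricDomainName on the HGS domain controller" }
        }
    }
    else {
        # TPM mode: without registered hosts and policies the server cannot attest anything yet
        if ($tpmHosts.Count -eq 0) { $problems += "No TPM hosts registered; add them before using the server for host guarding" }
        if ($tpmPols.Count -eq 0 -and $ciPols.Count -eq 0) { $problems += "No TPM or CI policies registered" }
    }

    # 3. Key Protection service answers over HTTP on the published URL
    foreach ($url in @($hgs.KeyProtectionUrl)) {
        $metadata = "$url/service/metadata/2014-07/metadata.xml"   # assumed path (later releases)
        try {
            $r = Invoke-WebRequest -Uri $metadata -UseBasicParsing -ErrorAction Stop
            Write-Host "Key Protection metadata OK ($($r.StatusCode)): $metadata"
        } catch {
            $problems += "Key Protection metadata not reachable at ${metadata}: $($_.Exception.Message)"
        }
    }

    if ($problems.Count -eq 0) { Write-Host "HGS deployment checks passed."; return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-HgsDeployment -AdMode $AdMode -FabricDomainName $FabricDomainName -FabricAdGroupSid $FabricAdGroupSid
```

Run it as the HGS domain administrator on the HGS VM; each warning maps to one of the follow-up items above (name resolution, trust, or group membership and SID for AD mode; missing host or policy files for TPM mode), and the script output logs under C:\ remain the place to look when a check fails.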

Happy host guarding and virtual machine shielding!

Maha Ibrahim | Senior Software Engineer | Microsoft
