Deploying Highly Available Host Guardian Service using VMM Service Templates in Microsoft System Center Tech Preview 4

~ Maha Ibrahim | Senior Software Engineer


UPDATED: A newer version of this article can be found here.

=====

In an earlier post we discussed how to deploy HGS using VMM service templates in the Technical Preview 3 release; with Technical Preview 4, a few changes are required. The Host Guardian Service now supports high availability, so the service template and its associated application scripts were changed to install and configure an additional HGS node. Also in this release, VMM supports generation 2 service templates, so we will deploy generation 2 virtual machines using a GPT-partitioned disk image.

In this post, I’ll cover the updates in the Technical Preview 4 release that apply to deploying the highly available Host Guardian Service on generation 2 virtual machines. The resulting deployment is intended for test or demo environments.

For more details about HGS setup outside the scope of this article, you can refer to Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or https://aka.ms/shieldedvms.

Requirements

1. Microsoft System Center Virtual Machine Manager – Technical Preview 4 – Download link

2. Windows Server 2016 Technical Preview 4 – Download link

3. Windows Server 2016 Technical Preview 4 Virtual Hard Disk Image using GPT partition (for generation 2 VMs) which can be created using Wim2VHD – Download link

Installation Steps

1. Download the compressed file from this download link.

2. Extract the custom resource folder named HostGuardianServiceScripts.cr and copy it to your VMM library, then refresh the library share.

3. Create a Run As Account to be used for the Local Administrator of the HGS machine.

4. Verify the Windows Server Technical Preview 4 VHDX (GPT partition image) is imported in the VMM library.

5. Import the XML file as a VMM service template and map each resource the template references to the matching resource in your library:

[Screenshot: mapping the template's resources to library resources during import]

6. If needed, open the computer tier properties and update the product key in the operating system configuration.

7. Save and configure deployment.

8. Specify the VM Network to be used:

[Screenshot: selecting the VM Network for the deployment]

9. Specify the service settings per the configuration of the desired deployment. Below are example settings to deploy an AD mode HGS server:

[Screenshot: example service settings for an AD mode HGS server]

Here are example settings to deploy a TPM Mode HGS server:

[Screenshot: example service settings for a TPM mode HGS server]

10. For TPM Mode, if you want Code Integrity policies, TPM hosts and TPM policies added during deployment, place the necessary files in your library before deploying the service configuration, using the folder structure shown below. If this step is skipped, extra configuration is needed before the HGS instance can be used. Refer to this link for more details on how to create these files: https://aka.ms/shieldedvms.

[Screenshot: library folder structure for Code Integrity policies, TPM hosts and TPM policies]

Now the service configuration is ready to be deployed. Click Deploy Service and wait for the job to complete. Once completed you’ll have a highly available Host Guardian Service instance up and running!

Notes

After the service deployment completes, and before you can use the resulting instance to guard hosts, some extra configuration may be needed:

  • For both TPM and AD setup: configure name resolution between the existing fabric domain and the new HGS domain.
  • For AD setup: verify that the hosts you want to guard are members of the AD group whose SID was supplied to the HGS.

Here are the Attestation and Key Protection server URLs that result from the example service setting values used in this post:

  • AttestationServerUrl: http://MyHgsService.ReleCloud.com/Attestation
  • KeyProtectionServerUrl: http://MyHgsService.ReleCloud.com/KeyProtection
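The post-deployment checks above (name resolution between the two domains, AD group membership of the guarded hosts, and pointing each host at the attestation and key protection URLs) can be scripted from the fabric side. The following PowerShell is an added example and is not part of the original post or the HostGuardianServiceScripts.cr resource; it uses the example URLs and the ReleCloud.com HGS domain from this post, while the DNS server address, the AD group name, the fabric host names and the use of the DnsServer, ActiveDirectory and HgsClient cmdlets as they shipped in Windows Server 2016 are assumptions you should adjust for your environment.

```powershell
# Added example (not the post's own script). Run from a fabric-domain server
# that holds the DnsServer and ActiveDirectory modules and can reach the hosts.
$HgsDomain        = 'ReleCloud.com'                          # HGS domain from the post's example
$HgsDnsServer     = '10.0.0.10'                              # ASSUMPTION: DNS server of the HGS domain
$GuardedHostGroup = 'GuardedHosts'                           # ASSUMPTION: AD group whose SID was given to HGS (AD mode)
$GuardedHosts     = @('HV01', 'HV02')                        # ASSUMPTION: fabric hosts to be guarded
$AttestationUrl   = 'http://MyHgsService.ReleCloud.com/Attestation'
$KeyProtectionUrl = 'http://MyHgsService.ReleCloud.com/KeyProtection'

# 1. Name resolution (TPM and AD mode): forward the HGS domain from the fabric DNS.
if (-not (Get-DnsServerZone -Name $HgsDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $HgsDomain `
        -MasterServers $HgsDnsServer -ReplicationScope 'Forest'
}
# Resolve-DnsName throws if the HGS service name still cannot be resolved.
Resolve-DnsName -Name "MyHgsService.$HgsDomain" -ErrorAction Stop | Out-Null

# 2. AD mode only: each guarded host's computer account must be in the group
#    whose SID was registered with HGS, or attestation for that host fails.
$members = Get-ADGroupMember -Identity $GuardedHostGroup -Recursive |
           Select-Object -ExpandProperty SamAccountName
foreach ($h in $GuardedHosts) {
    if ($members -notcontains "$h$") {
        Write-Warning "$h is not a member of $GuardedHostGroup; add it and reboot the host."
    }
}

# 3. On each guarded host: configure the HGS client with the deployed service's
#    URLs, then read the configuration back. IsHostGuarded reports whether the
#    host attested successfully; AttestationServerUrl/KeyProtectionServerUrl
#    confirm the values that were applied.
Invoke-Command -ComputerName $GuardedHosts -ScriptBlock {
    param($attestation, $keyProtection)
    Set-HgsClientConfiguration -AttestationServerUrl $attestation `
                               -KeyProtectionServerUrl $keyProtection
    Get-HgsClientConfiguration |
        Select-Object PSComputerName, IsHostGuarded, AttestationServerUrl, KeyProtectionServerUrl
} -ArgumentList $AttestationUrl, $KeyProtectionUrl
```

The conditional forwarder is created only once, so the script is safe to re-run after adding hosts; the group check compares against the computer account name (host name with a trailing `$`), which is the identity HGS evaluates in AD mode.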

Happy host guarding and virtual machine shielding!

Maha Ibrahim | Senior Software Engineer | Microsoft
