Deploying Highly Available Host Guardian Service using VMM Service Templates Windows Server and VMM Tech Preview 5

~ Maha Ibrahim | Senior Software Engineer

This post captures the steps needed to deploy Highly Available Host Guardian Service (HGS) using Microsoft System Center Virtual Machine Manager Technical Preview 5 to use for test or demo environments.

For more details outside the scope of this article, please refer to Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or https://aka.ms/shieldedvms.

Requirements

  1. Microsoft System Center Virtual Machine Manager – Technical Preview 5 – Download link
  2. Windows Server 2016 Technical Preview 5 – Download link
  3. Windows Server 2016 Technical Preview 5 Virtual Hard Disk Image using GPT partition (for generation 2 VMs) which can be created using Wim2VHD – Download link

Install Steps

1. Download the compressed file from this Download link

2. Extract the custom resource folder ‘HostGuardianServiceScripts.cr’ and copy it to your VMM library, then refresh the library share.

3. Create a Run As Account to be used for the Local Administrator of the HGS machine.

4. Verify the Windows Server Technical Preview 5 VHDX (GPT partition image) is imported in VMM library.

5. Import the XML file as a VMM service template and map the resources according to resources included in the library.

clip_image002

6. If needed, open the computer tier properties and update the product key in the operating system configuration.

7. Save and configure deployment.

8. Specify the VM Network to be used.

clip_image004

9. Specify the service settings per the configuration of the desired deployment.

Example settings to deploy AD mode HGS server:

clip_image005

Example settings to deploy TPM mode HGS server:

clip_image006

10. For TPM Mode, if adding Code Integrity Policies, TPM Hosts and TPM policies is desired, then include the necessary files to your library, prior to the deployment of the service configuration, and per the folder structure below, if this step is skipped, then extra configurations are needed before the HGS instance can be used. Refer to https://aka.ms/shieldedvms for more details on how to create these files.

clip_image007

11. Click Deploy Service and wait for the job to complete.

12. Additional steps:

a. For Both TPM and AD setup: Configure name resolution between the existing fabric domain and the new HGS domain.

b. For AD Setup: verify that the hosts where guarding is desired are added to the AD group whose SID is added to the HGS.

13. Use the following URLs per the examples used in this document to configure guarded hosts, which in turn enables deploying shielded VMs:

  • AttestationServerUrl: http://MyHgsService.ReleCloud.com/Attestation
  • KeyProtectionServerURl: http://MyHgsService.ReleCloud.com/KeyProtection

Happy host guarding and virtual machine shielding!

Maha Ibrahim | Senior Software Engineer | Microsoft