Nice, we can now issue our certificates; we’re getting there. If you’re not a reader though, don’t worry, following this step-by-step should still net you a Guarded Fabric by its end. Click “Next” on the “Before You Begin” screen. TPM mode has a much more involved deployment when compared to AD Mode; it also has specific hardware and software requirements. The following PowerShell will initialize your second HGS node; update the password and IP for your environment. Before we can grab the TPM baseline on our reference host, we have to install the Host Guardian feature. Put the first Hyper-V host into maintenance mode within SCVMM, then log on and run the following PowerShell. This has been improved in Server 2016 and even lets us configure our host OS Network Adapters within the switch. First published on TECHNET on Mar 28, 2016 [This post is authored by Sumesh Kumar, Program Manager for the Enterprise and Security Product Team]. The “Key Protection Service” (KPS) is one of the two services that run as part of a Windows Server role called the Host Guardian Service (or HGS). HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines. Each host should now have a file named HOSTNAME.xml in C:\Temp\; copy these files from all hosts across to C:\Temp\ on the HGS server.
NOTE: Your chosen certificates must support RSA 2048-bit keys and their key-usage policy (EKU) must permit digital signing and encryption. Log onto the HGS you just deployed and open “Server Manager”. Whether you are using the GUI or Core version, changing the IP address, Subnet Mask, Default Gateway, and DNS Servers can … Now, I’m not sure if the following step is strictly required, but I always now delete the signing and encryption certificates from the Local Store before proceeding. The script will also ask for credentials; enter Domain Admin credentials. As a cloud service provider or enterprise private cloud administrator, you can use a guarded fabric to provide a more secure environment for VMs. All going well, you should see something similar to this: Let’s check the state of the TPM on each of our Hyper-V hosts before continuing. If you’ve been following the guide though, you should be good. For this guide, we’ll be installing the HGS into a new forest of its own. Have you done the HTTPS configuration of the HGS KPS service? Select the server you wish to manage, right-click it, and click DNS Manager (alternate method: click the Start Menu, select Administrative Tools, and click DNS). Here is a quick breakdown of the options we’re setting against our created policy: This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. Type “signing.domainFQDN” in the “Value” field and click “Add>”. Select “DNS” from the “Alternative Name” drop-down. The following code will add the baseline policy you created as an authorized baseline for attestation purposes: We’re now in a position to check that our HGS is working as intended; still within the same PowerShell console, run the following command: So now that we know our HGS is working as intended, let’s make sure our first Hyper-V host is too.
I need to set up a server to run the HGS. My thinking here is that if we obtained these certificates from any other Certification Authority, they wouldn’t be installed on the server before running the upcoming Initialize-HgsServer command. Stop maintenance mode on the host and repeat the above process for the remaining hosts in your guarded cluster. Does the server running the HGS need a TPM chip? Before HGS can understand what we deem to be trusted and healthy, we need to capture some information from our Hyper-V hosts. Restart the host to finish applying the new policy. On your HGS/Certification Authority server, click Start, type “certlm.msc” and press Enter. Right-click on “Certificates” and select “All Tasks”, “Request New Certificate”. Enable the Host Guardian Service role by opening Windows PowerShell in elevated mode and running the following command. HYPV1: This is the Hyper-V host that will become a Guarded Host. A Hyper-V host is known as a “guarded host” once the Attestation service affirmatively validates its identity & configuration. Here it is done with PowerShell. As we’re going to be using TPM mode for this deployment, there are a few prerequisites to be aware of. As previously discussed, we’re going with TPM mode as our method of attestation.
Now click “OK”. Making sure your certificate template is ticked, click “Enroll”. Repeat the above process but using “encryption.FQDN” as the “Common Name” value and “DNS” value. Now we want to export the signing and encryption certificates as .PFX. Still within the Certificates – Local Computer console, navigate to “Personal”, “Certificates”. Right-click on the signing.FQDN certificate and select “All Tasks”, “Export”. Select “Yes, export the private key” and click “Next”. Accept the defaults on the next screen and click “Next”. Tick the “Password” box, enter a password for your certificate and click “Next”. Type a file path to save your .PFX file to and click “Next” and “Finish”. When viewing one of the hosts’ properties, we can see the reason for it. After 30 seconds or so, your host status should change to “OK”. You receive a warning, more of an information popup really; this can be ignored by clicking “Yes”. Now allow up to 10 minutes for the signing and encryption certificates to be replicated to your second HGS node. The Host Guardian Service Role specifically provides Attestation and Key Protection services that are needed to enable Hyper-V to run … If, like me, you haven’t configured a reverse DNS zone and record on your HGS bastion domain yet, then the IP will fail to resolve to a DNS record. The easiest way to achieve this is by creating a “Conditional Forwarder” on your fabric DNS. If the status shows “Reduced functionality”, click the “Clear TPM” action and reboot your host.
Specify a location for the CA database and database log, or accept the defaults, and click “Next”. Click “Configure” and review the results screen before clicking “Close”. Now that we’ve got our Certificate Authority up and running, we can go ahead and issue the certificates we need for initialising our HGS. We’re going to create a new certificate template for this to make sure the issued certificates are of the correct type. Click on the Start Menu, type “certtmpl.msc” and press Enter to launch the “Certificates Template Console”. If not, pass these instructions on to your Active Directory/DNS administrator. Right-click the “Computer” template and select “Duplicate Template”. Specify a validity period that makes sense for your organisation and click “Next”; I stuck with the default value of 5 years. The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. Now that we’ve installed the role, we can install the HGS service. The following code will only need to be run on one host if all hosts in the cluster have identical hardware and software; see above. I went with “signing.hgsbastion.local2017”. At this point I assume that there is a bug in Server 2016 since it’s only a few days old. We’ll start by duplicating an existing certificate template to work as our base; I used the “Computer” template. Log onto your HGS server, launch an elevated PowerShell Console and run the following: To apply the policy, copy it across to “C:\Windows\System32\CodeIntegrity\SIPolicy.p7b” on each host that you want guarded.
Now click “Browse”, locate your signing PFX file and click “Next”. Type the password you used when exporting the certificate, click “Mark this key as exportable…” and click “Next”, “Next” and “Finish”. Repeat the same process for your encryption PFX. Now that our certificates are imported, we need to give the HGS service account Read permissions over the private key. Right-click on the signing.FQDN certificate and select “All Tasks” and “Manage Private Keys”. I’ve decided to split that out into another post as this one ended up a fair bit longer than I expected. Hosts that are guarded using TPM mode use technologies built into the Windows Server operating system such as secured measured boot and code integrity policies. Back at Initialise the HGS Server Using TPM Trusted Attestation (Continued) you selected a name for your HGS Service; you’ll need this name here. In my example I called it “hgs”. Glad you like the guide. You can ignore this for the time being. A new CI Policy will be created and converted to a binary format that can be read in and measured by Windows and the HGS. NOTE: Keep a hold of the CIPolicy .xml file as you’ll need this when making changes to the policy or when you want to enforce it (see below). Although you need to restart the host to apply the policy, hang fire on that for a bit; we’re gonna have to reboot in a little while anyway. Run the following PowerShell from your SCVMM server in an elevated PowerShell console (providing it has the required networking to your Hyper-V hosts configured). In my deployments, this didn’t seem to happen as expected; if it happens, repeat the steps in the Import HGS Certificates and Apply Service Account Permissions section.
Again, the server will restart; when back up, log in as the domain administrator using the same password you used previously for the local administrator account (pssst, this server is now a domain controller on the hgsbastion.local domain). NOTE: Notice the file has been renamed; that’s both deliberate and required. Before grabbing the necessary information from each host, here is a brief explanation of why we need it. Put your HGS service name into the hosts file on your Hyper-V host and recheck. I have 2 HyperV hosts that have TPM 2.0 chips. Use “HGS”, for example. The password used when exporting your signing and encryption certificates. Chosen attestation mode – we’re going with TPM Mode here. Type the password you used when exporting the certificate, click … For HGS to work correctly, your fabric DNS needs to be able to resolve to your HGS bastion domain. Here are a few things to check though, although I imagine you’ve already read through the link below: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-configure-hgs-https. Accept the defaults for the CA Name and click “Next”. Log onto your HGS server and launch an elevated PowerShell Console. NOTE: Make sure there are no other .xml files in C:\Temp\ (other than the hostname.xml files you just copied across). The code below will install the HGS into a domain named “hgsbastion.local”; the password specified here is for the DSRM (Directory Services Restore Mode) only and will not change the password you’re logged on with.
Although this section can be done using SCVMM, I feel this gives a better understanding of how it’s all put together. But after enabling https, my KPS URL became unreachable. This mode of attestation is relatively easy to set up and has no special hardware requirements. Nicely done, your first HGS server has been deployed and configured…coffee time! Once the host has come back up, open an elevated PowerShell console and run the following: NOTE: You will need to provide the -SkipValidation flag if the reference host does not have a CI policy enforced or Secure Boot enabled. Being that we’ve already taken care of this outwith SCVMM, the host won’t actually reboot; it’ll just give SCVMM control. The Host Guardian Service (HGS) is a server role introduced in Windows Server 2016 for configuring guarded hosts and running shielded VMs (shielded virtual machines) in Windows Server and System Center Virtual Machine Manager. The next post will cover the following items: I may add a post at a later date covering the deployment and configuration of shielded VMs from the Azure Pack Portal. Type “signing.domainFQDN” in the “Value” field and click “Add>”. On the “General” tab, type a “Friendly name” for your certificate. This post has been republished via RSS; it originally appeared at: Data Center Security articles.
We’re going to create a new certificate template for this to make sure the issued certificates are of the correct type. We’ll start by duplicating an existing certificate template to work as our base; I used the “Computer” template. Select the HGS template you just created and click “Enroll”. A name for your HGS service – this is the distributed network name of the cluster and CANNOT be the FQDN. Make sure the observed output is the same as your reference host above. You can accomplish this by opening the Server Manager and selecting the Host Guardian service from the list of available roles, as shown below. Select “Certification Web Enrollment” and click “Add Features” when prompted. Once per server make and model. Code Integrity Policy (whitelist of allowed binaries) – required once for Hyper-V hosts that share common hardware and software. Note: A new version of this article has been published for Windows Server 2019. Using quotes will cause it to fail. The PowerShell you’ll be running below requires the following information: Open an elevated PowerShell console and run the following code: Right-click on “Certificates” and select “All Tasks”, “Import”. Click “Next” on the welcome screen. Have you modified the IIS bindings for HTTP? If you’re logged onto your SCVMM server as a Domain Admin, you can remove … To apply the enforced policy, copy it across to … Install the Host Guardian feature and restart the host.
I followed this article to set up my HGS, but as soon as I enable HTTPS, my KPS becomes unreachable. The Windows Server 2016 Guarded Fabric Management Pack enables discovery and monitoring of guarded hosts and Host Guardian Service instances in your environment with System Center Operations Manager. Here’s how it should look after a reboot, but hopefully before if you’re lucky. Click “Add”, change the “Object type” scope to “Service Accounts” and type “hgs” in the “Enter the object names to select” box. SCVMM has awareness of the Host Guardian status of our Hyper-V hosts; it also has the ability to manage and push out our Code Integrity policies. Now you’ll notice that I said HGS was currently a single node; in a production environment, you’ll want at least two nodes in that cluster to make your attestation service highly available. Before we can initialise the HGS, we’ll need to source a signing and encryption certificate. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. It should look something like this: Place a tick in “Use a Code Integrity policy to restrict the software…” and click “OK”. This will kick off a job that applies the correct URLs and CI policy (which we’ve already done), hence no reboot. You receive a warning, more of an information popup really; this can be ignored by clicking “Yes”.
This mode of attestation uses both secure boot and code integrity measurements to ensure that the host is in a healthy state and is running only trusted code. Each time a binary is updated, the hash value changes, therefore requiring a policy update. Now click “Next” 3 times….that damned Next button! Running/Configuring DNS Role. Hi David, great article. Specifies individual hash values for each discovered binary. This has always worked for me in the past and has actually failed when I didn’t (pretty sure that was a bug though), but I’ll let you make up your own minds. Select the DNS option on the sidebar of the Server Manager. Prerequisites Operating system: Host key attestation requires Windows Server 2019 Standard or Datacenter edition operating with v2 attestation. After 30 seconds or so, your host status should change to “OK”. The PowerShell below assumes that the only Hyper-V hosts being managed by your SCVMM server are the ones we built as part of this guide; if that is not the case, remove “(Get-SCVMHost).Name” and replace it with the host names separated by a comma: (Invoke-Command -ComputerName HyperVHost1, HyperVhost2, HyperVHost3 {(Get-Platform…). NOTE: Do not use quotes in your file path, even if your path has spaces in it; SCVMM will handle this. If “IsHostGuarded” now shows as “True”, then troubleshoot your DNS. Update the code with the correct password and name of your bastion domain before running. This identifier is used to determine whether a host is considered “guarded”. I’ve gone through the steps to create a 3 node cluster but nothing about the HGS cluster looks like a cluster.
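As an added example (not the post’s own script), here is the TPM-mode attestation workflow the post walks through in one place: capture the platform identifier, Code Integrity policy and TPM baseline on a reference host, register them on the HGS, then point the host at the HGS and check IsHostGuarded. The service name hgs and domain hgsbastion.local follow the post; host names, policy names and the C:\Temp paths are placeholders.

```powershell
# Added example, not the post's own code. Assumes the post's HGS service name 'hgs',
# bastion domain 'hgsbastion.local' and C:\Temp as the working folder.
# Host names ($env:COMPUTERNAME) and policy names (HW1-*) are placeholders.

# ---- Part 1: on the reference Hyper-V host (elevated; Host Guardian feature installed) ----
$HostName = $env:COMPUTERNAME
$Work     = 'C:\Temp'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. TPM identifier (EKpub): needed once per host, saved as HOSTNAME.xml.
(Get-PlatformIdentifier -Name $HostName).InnerXml |
    Out-File -FilePath (Join-Path $Work "$HostName.xml") -Encoding UTF8

# 2. Code Integrity policy: once per hardware/software combination.
#    Publisher = PCA certificate plus leaf CN (fewer updates than Hash); Hash is the
#    fallback for unsigned binaries. The policy starts in audit mode; review the
#    CodeIntegrity event log before enforcing it.
$CiXml = Join-Path $Work 'HW1CodeIntegrity.xml'   # keep this for later edits/enforcement
$CiBin = Join-Path $Work 'HW1CodeIntegrity.p7b'
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $CiXml -UserPEs
ConvertFrom-CIPolicy -XmlFilePath $CiXml -BinaryFilePath $CiBin
# Apply on every host of this hardware class, then reboot before taking the baseline:
# Copy-Item $CiBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 3. TPM baseline (TCG log): once per make/model, taken after the CI policy is applied
#    and the host rebooted. -SkipValidation is only needed while Secure Boot is off
#    or no CI policy is enforced yet.
$Baseline = Join-Path $Work 'HW1Baseline.tcglog'
Get-HgsAttestationBaselinePolicy -Path $Baseline -SkipValidation

# Copy HOSTNAME.xml (from every host), HW1CodeIntegrity.p7b and HW1Baseline.tcglog
# to C:\Temp on the HGS server.

# ---- Part 2: on the HGS server (elevated) ----
$Work = 'C:\Temp'

# Register each host's TPM identifier. Only HOSTNAME.xml files should be in the folder;
# the filter below keeps a stray CI policy .xml from being registered as a host.
Get-ChildItem -Path $Work -Filter '*.xml' |
    Where-Object { $_.BaseName -ne 'HW1CodeIntegrity' } |
    ForEach-Object { Add-HgsAttestationTpmHost -Path $_.FullName -Name $_.BaseName -Force }

# Register the CI policy and TPM baseline as authorized for attestation.
Add-HgsAttestationCIPolicy  -Path (Join-Path $Work 'HW1CodeIntegrity.p7b') -Name 'HW1-CIPolicy'
Add-HgsAttestationTpmPolicy -Path (Join-Path $Work 'HW1Baseline.tcglog')   -Name 'HW1-Baseline'

# Confirm the HGS side is healthy and shows what was registered.
Get-HgsTrace -RunDiagnostics
Get-HgsAttestationTpmHost
Get-HgsAttestationCIPolicy
Get-HgsAttestationTpmPolicy

# ---- Part 3: back on each Hyper-V host: point it at the HGS and check attestation ----
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.hgsbastion.local/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.hgsbastion.local/KeyProtection'
$Cfg = Get-HgsClientConfiguration
if ($Cfg.IsHostGuarded) {
    "$env:COMPUTERNAME attested successfully: host is guarded"
} else {
    # AttestationStatus/AttestationSubstatus say which measurement failed (TPM, CI, baseline)
    "$env:COMPUTERNAME is NOT guarded: $($Cfg.AttestationStatus) / $($Cfg.AttestationSubstatus)"
}
```

If the host only attests after adding the HGS name to its hosts file, the fabric DNS forwarder to the bastion domain is what needs fixing, as the post notes.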