When you’ve finished your deployment and have tested the CIPolicy to your satisfaction, run the following against your original CIPolicy .xml file (See, told you you’d need to keep it): To apply the enforced policy, copy it across to “C:\Windows\System32\CodeIntegrity\SIPolicy.p7b” on each host that you want guarded. The forest contains a single domain. The process below details how to add a second node to your HGS. Type “signing.domainFQDN” in the “Value” field and click “Add>”. On the “General” tab, type a “Friendly name” for your certificate. SMTP by default uses TCP port 25. We want these to be showing a status of “The TPM is ready for use”. Click “Add roles and features” located under “Quick Start” and click “Next” 3 times, then select “Active Directory Certificate Services”. Host Guardian uses layers for Hyper-V security. Repeat the steps below on all remaining hosts that you want to guard: put the host into maintenance mode in SCVMM, install the Host Guardian feature and restart the host, and when the host is back up and running, configure its Attestation and Key Protection URLs. On your HGS/Certification Authority server, click Start, type “certlm.msc” and press Enter. Right-click on “Certificates” and select “All Tasks”, “Request New Certificate”. For this example, I’ve created a file share on the SCVMM server itself; you could make this a highly available share, though, by placing it on the Scale-Out File Server you created earlier. Now that all hosts are configured and are attesting successfully, let’s get SCVMM up to the same level and give it control over our guarded hosts and CI Policy. The Windows Server 2016 Guarded Fabric Management Pack enables discovery and monitoring of guarded hosts and Host Guardian Service instances in your environment with System Center Operations Manager. Info: For this example we're going to set up VPN on a Windows Server 2016 machine named "Srv1" with IP address "192.168.1.8".
Click the Start menu, type “tpm.msc” and press Enter. As you alluded to, it’s been almost 2 years since I’ve worked on this so I’m a little hazy on the subject… with that in mind though, I believe the cluster should look like a cluster, although I can’t ever remember having to configure a VIP. Accept the defaults for the CA Name and click “Next”. Because we’ve set everything up using PowerShell, SCVMM is a little out of the loop at present, but we can fix that fairly easily. If the status shows “Reduced functionality”, click the “Clear TPM” action and reboot your host. Previous Post in Series: Part 4: Deploy and Configure a 3 Node 2016 Hyper-V Cluster. Now, I’m not sure if the following step is strictly required, but I always now delete the signing and encryption certificates from the Local Store before proceeding. Hosts that are guarded using TPM mode use technologies built into the Windows Server operating system such as secure measured boot and code integrity policies. These validations are there to make you aware of the minimum requirements for running a shielded VM, but do not affect the output of this cmdlet. We’ll start by duplicating an existing certificate template to work as our base; I used the “Computer” template. As we’re going to be using TPM mode for this deployment, there are a few prerequisites to be aware of. NOTE: Your chosen certificates must support RSA 2048 bit keys and their key-usage policy (EKU) must permit digital signing and encryption. Log onto the HGS you just deployed and open “Server Manager”. Hi, thanks for the detailed instructions. NOTE: Notice the file has been renamed; that’s both deliberate and required.
Again, the server will restart; when it is back up, log in as the domain administrator using the same password you used previously for the local administrator account (pssst, this server is now a domain controller on the hgsbastion.local domain). Enable the Host Guardian Service role by opening Windows PowerShell in elevated mode and running the following command. In this section we’re going to work through an entire end-to-end deployment of the Host Guardian Service, including Hyper-V, SCVMM and, in Part 6, VM template configuration and deployment of Virtual Machines using SCVMM. If the “IsHostGuarded” status shows as “False”, try an “ipconfig /flushdns” and ping your HGS service DNS name; assuming it responds, run “Get-HgsClientConfiguration” from PowerShell to recheck. Before HGS can understand what we deem to be trusted and healthy, we need to capture some information from our Hyper-V hosts. You need to configure Server22 as a Host Guardian Service server. Now we need to get the other hosts in the cluster up to the same level. The Host Guardian Service (HGS) is a server role introduced in Windows Server 2016 for configuring guarded hosts and running shielded VMs (shielded virtual machines) in Windows Server and System Center Virtual Machine Manager. After 30 seconds or so, your host status should change to “OK”. If you’re not a reader though, don’t worry; following this step-by-step should still net you a Guarded Fabric by its end. You can set it up to provide a way to monitor various resources remotely on a Windows Server 2016 … The new Windows Server 2016 is the most secure version of Microsoft's server OS with the introduction of the Host Guardian Service for Hyper-V Shielded VMs. Specify a validity period that makes sense for your organisation and click “Next”; I stuck with the default value of 5 years.
Select the server you wish to manage, right-click it, and click DNS Manager (alternate method: click the Start Menu, select Administrative Tools, and click DNS). Does the subject name of the certificate match the FQDN of the HGS service name? Let’s see how to implement Shielded VMs in a test environment. The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. Activate 2016 RDS License Server in Windows Server 2016: The Remote Desktop Services license server issues client access licenses (CALs) to users and devices when they access the RD Session Host. No, the HGS server doesn’t need a TPM 2.0 chip. Have you modified the IIS bindings for HTTP? Before we can grab the TPM baseline on our reference host, we have to install the Host Guardian feature. Put the first Hyper-V host into maintenance mode within SCVMM, then log on and run the following PowerShell. Once the server is back up from patching, open an elevated PowerShell console and type the following: Configure your management NIC to use the first HGS server for its DNS resolution. The following code will add the baseline policy you created as an authorized baseline for attestation purposes: We’re now in a position to check that our HGS is working as intended; still within the same PowerShell console, run the following command: So now that we know our HGS is working as intended, let’s make sure our first Hyper-V host is too.
Once per server make and model; Code Integrity Policy (whitelist of allowed binaries) – required once for Hyper-V hosts that share common hardware and software. The PowerShell you’ll be running below requires the following information: Open an elevated PowerShell console and run the following code: Right-click on “Certificates” and select “All Tasks”, “Import”, then click “Next” on the welcome screen. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Spin up your second HGS node following the same prerequisites you used for the first node. Type “signing.domainFQDN” in the “Value” field and click “Add>”. Select “DNS” from the “Alternative Name” drop-down. Now click “Browse”, locate your signing PFX file and click “Next”. Type the password you used when exporting the certificate, click “Mark this key as exportable…” and click “Next”, “Next” and “Finish”. Repeat the same process for your encryption PFX. Now that our certificates are imported, we need to give the HGS service account Read permissions over the private key: right-click on the signing.FQDN certificate and select “All Tasks” and “Manage Private Keys”. Now you’ll notice that I said HGS was currently a single node; in a production environment, you’ll want at least two nodes in that cluster to make your attestation service highly available. Didn't take - SFC Scan - Disk Check - Took ownership of Vmw.exe and granted full rights to the admin account and TrustedInstaller. You can ignore this for the time being. This post has been republished via RSS; it originally appeared at: Data Center Security articles. The following code will only need to be run on one host if all hosts in the cluster have identical hardware and software; see above.
From a DNS server on your fabric domain, click the Start menu, type “dnsmgmt.msc” and press Enter. I need to set up a server to run the HGS. To do this, place your first host into maintenance mode. - Reloaded Server 2016 from scratch - Twice. SCVMM has awareness of the Host Guardian status of our Hyper-V hosts; it also has the ability to manage and push out our Code Integrity policies. Now click “OK”. To test that this is working as expected, open an administrative command prompt and flush your DNS cache by typing “ipconfig /flushdns”. Do you have guidelines to enable HTTPS? The IP Address is 10.0.0.6. In Windows Server 2016, an SNMP service is still available. The code below will install the HGS into the bastion domain created with your first HGS node; the password specified here is for the DSRM (Directory Services Restore Mode) only and will not change the password you’re logged on with.