Mastering Windows Server 2016 Hyper-V


Microsoft has a detailed document that covers every aspect of deploying the Host
Guardian Service and configuring guarded hosts. This document is available at
https://gallery.technet.microsoft.com/shielded-vms-and-guarded-98d2b045, and this
is the document I recommend for anyone looking to deploy. Rather than reiterating
the nearly 100-page document, I instead cover at a high level the various configuration
steps and what to expect, to help explain further what is going on behind the scenes.
Although I am using PowerShell, the preferred approach is to use SCVMM or
Windows Azure Pack. By showing PowerShell, I can explain what each step is actually
doing, which is not so obvious when using the management interfaces.


HOST GUARDIAN SERVICE CONFIGURATION


The first deployment is the Host Guardian Service itself, which must be a Windows
Server 2016 instance and can be the Standard or Datacenter edition. It should run on
the Server Core configuration level, and at the time of this writing, it is not supported
on Nano Server (but Nano Server can run shielded VMs). As previously mentioned,
the HGS should run on a separate physical cluster of three nodes, which completely
isolates it from the influence of the regular virtualization and other fabric
administrators. The HGS cluster can be physically secured in the datacenter in its own
locked cage. Remember that shielded VMs will be unable to start without the HGS
being contactable, so it must be a highly resilient deployment having redundancy even
during routine maintenance. This is why a three-node cluster is recommended,
ensuring that two nodes are available even when a node is down for maintenance.


In addition to isolation from the virtualization and general fabric administrators, the
HGS should be isolated from the Active Directory administrators. To facilitate this
isolation, the default and recommended approach is that during the HGS provisioning,
an automatically generated HGS-specific AD forest and domain is created. If the AD
administrators are completely trusted, it is possible to provision HGS in an existing
domain, although this is not recommended.


The first step is to install the Host Guardian Service role. PowerShell is used for all
management of HGS unless you leverage SCVMM 2016 or Windows Azure Pack:


Install-WindowsFeature -Name HostGuardianServiceRole -Restart


Once the HGS node has rebooted, you must specify a safe-mode password for the new
AD instance that will be created, in addition to the name for the new domain and
forest that will be provisioned in which HGS will run. The HGS server will be the DC
for the new domain and provide the DNS service. In this example, the new domain
created will have the name savtechhgs.net:


$adminPassword = ConvertTo-SecureString -AsPlainText 'Pa55word!' -Force
Install-HgsServer -HgsDomainName 'savtechhgs.net' `
    -SafeModeAdministratorPassword $adminPassword -Restart
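
The requirements and the provisioning step described above can be combined into one guarded script. This is an added example, not code from the book or from Microsoft's guide: Test-HgsNodeReadiness is a hypothetical helper name, the script treats the Server Core recommendation as required, and it assumes an elevated session on the node after the role-install reboot.

```powershell
# Added example (not from the book): verify the node against the requirements
# described above, then provision HGS with a prompted safe-mode password.
# Test-HgsNodeReadiness is a hypothetical helper name, not an HGS cmdlet.
function Test-HgsNodeReadiness {
    $findings = @()
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # HGS needs Windows Server 2016, Standard or Datacenter edition.
    if ($cv.ProductName -notlike '*Server 2016*') {
        $findings += "OS is '$($cv.ProductName)', expected Windows Server 2016."
    }
    if ($cv.EditionID -notmatch 'Standard|Datacenter') {
        $findings += "Edition '$($cv.EditionID)' is not Standard or Datacenter."
    }

    # InstallationType is 'Server Core', 'Server' or 'Nano Server'.
    # Assumption: this script enforces the Server Core recommendation.
    if ($cv.InstallationType -ne 'Server Core') {
        $findings += "Installation type is '$($cv.InstallationType)', expected Server Core."
    }

    # The default path creates a dedicated forest, so the node should still
    # be in a workgroup rather than joined to the fabric's AD domain.
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $findings += 'Node is already joined to a domain.'
    }

    # The role from the previous step must be present.
    if (-not (Get-WindowsFeature -Name HostGuardianServiceRole).Installed) {
        $findings += 'HostGuardianServiceRole is not installed.'
    }
    return $findings
}

$findings = Test-HgsNodeReadiness
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    # Prompt for the password so it is not stored in the script itself.
    $adminPassword = Read-Host -AsSecureString -Prompt 'Safe-mode administrator password'
    Install-HgsServer -HgsDomainName 'savtechhgs.net' `
        -SafeModeAdministratorPassword $adminPassword -Restart
}
```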


The HGS node will restart again, and the next step is to acquire the certificates to use
for the signing and encryption actions. In this example, I use a self-signed certificate,
