The configuration can be tested by performing a diagnostics test and attempting the
attestation via PowerShell:
#Verify on the guarded host
Get-HgsTrace -RunDiagnostics
#Attempt attestation on the guarded host
Get-HgsClientConfiguration
The following is an example execution of the preceding commands. Note that this
example runs in my lab with only a single HGS instance and is therefore a single point
of failure, which is highlighted in the output.
PS C:\> Get-HgsTrace -RunDiagnostics
Overall Result: Warning
  savdalhv07: Warning
    Best Practices: Warning
      Resolves Service Hostname to Multiple Addresses: Warning
        >>> DNS server at 10.7.173.10 cannot resolve "hgs.savtechhgs.net" to multiple IP addresses. The recommended configuration is
        >>> to have multiple HGS servers available at "hgs.savtechhgs.net" for high availability.
        >>> DNS server at 10.7.173.11 cannot resolve "hgs.savtechhgs.net" to multiple IP addresses. The recommended configuration is
        >>> to have multiple HGS servers available at "hgs.savtechhgs.net" for high availability.
Traces have been stored at "C:\Users\administrator.SAVILLTECH\AppData\Local\Temp\HgsDiagnostics-20160628-181852".
PS C:\> Get-HgsClientConfiguration
IsHostGuarded           : True
Mode                    : HostGuardianService
KeyProtectionServerUrl  : http://hgs.savtechhgs.net/KeyProtection
AttestationServerUrl    : http://hgs.savtechhgs.net/Attestation
AttestationOperationMode : ActiveDirectory
AttestationStatus       : Passed
AttestationSubstatus    : NoInformation
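The two checks above can be combined into a single readiness script that flags the same single-point-of-failure condition the diagnostics warned about. This is an added example, not code from the book; it assumes the HgsClient and DnsClient modules are available on the guarded host, and the function name Test-GuardedHostReadiness is our own.

```powershell
# Added example: verify attestation state and HGS name redundancy on a guarded host.
# Assumes Get-HgsClientConfiguration (HgsClient module) and Resolve-DnsName (DnsClient
# module) are present; Test-GuardedHostReadiness is a name chosen for this example.
function Test-GuardedHostReadiness {
    [CmdletBinding()]
    param(
        # Minimum number of A records the HGS service name should resolve to for HA
        [int]$MinimumHgsAddresses = 2
    )

    $config   = Get-HgsClientConfiguration
    $problems = @()

    if ($config.Mode -ne 'HostGuardianService') {
        $problems += "Host is in '$($config.Mode)' mode, not HostGuardianService mode"
    }
    if ($config.AttestationStatus -ne 'Passed') {
        $problems += "Attestation status is '$($config.AttestationStatus)' (substatus '$($config.AttestationSubstatus)')"
    }

    # Derive the HGS service name from the attestation URL and count its A records;
    # a single address means the HGS service is a single point of failure.
    $hgsHost   = ([Uri]$config.AttestationServerUrl).Host
    $addresses = @()
    try {
        $addresses = @(Resolve-DnsName -Name $hgsHost -Type A -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' } |
                       Select-Object -ExpandProperty IPAddress)
    } catch {
        $problems += "Cannot resolve HGS service name '$hgsHost': $($_.Exception.Message)"
    }
    if ($addresses.Count -lt $MinimumHgsAddresses) {
        $problems += "'$hgsHost' resolves to $($addresses.Count) address(es); expected at least $MinimumHgsAddresses for high availability"
    }

    [PSCustomObject]@{
        IsHostGuarded     = $config.IsHostGuarded
        AttestationStatus = $config.AttestationStatus
        HgsHostName       = $hgsHost
        HgsAddresses      = $addresses
        Ready             = ($problems.Count -eq 0)
        Problems          = $problems
    }
}

Test-GuardedHostReadiness | Format-List
```

Run it on the guarded host after Get-HgsTrace; a lab with one HGS instance, like the one shown above, reports Ready as False with the DNS redundancy problem listed.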
To switch a host back to using local mode, the PowerShell that follows can be used. If
this is done, no shielded VMs or encryption-supported VMs will be able to start unless
the owner key used initially to protect the VM is present on the machine. This is
explained in the next section.