but in production, you would use a trusted certificate authority, which the Microsoft
paper walks through:
# Password protecting the exported PFX files (illustrative value only)
$certificatePassword = ConvertTo-SecureString -AsPlainText 'Pa55word!' -Force
# Signing certificate, exported with its private key
$signingCert = New-SelfSignedCertificate -DnsName "signing.savtechhgs.net"
Export-PfxCertificate -Cert $signingCert -Password $certificatePassword `
-FilePath 'C:\signingCert.pfx'
# Encryption certificate, exported the same way
$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.savtechhgs.net"
Export-PfxCertificate -Cert $encryptionCert `
-Password $certificatePassword -FilePath 'C:\encryptionCert.pfx'
The next step is to initialize HGS, passing it the generated certificates and
selecting the attestation method. An HGS instance can support only one attestation
method: AD or TPM. When provisioning HGS, you need to pick a service name that is
not fully qualified; this is the name clients use to reach HGS. It is not a hostname,
because you will have multiple HGS nodes providing the resilient service, and requests
to the service name are distributed across the HGS nodes. In this example, I name my
service hgs and use TPM attestation:
Initialize-HGSServer -HgsServiceName 'hgs' -SigningCertificatePath 'C:\signingCert.pfx' `
-SigningCertificatePassword $certificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' `
-EncryptionCertificatePassword $certificatePassword `
-TrustTPM
Although an HGS instance can support only one type of attestation, as previously
mentioned, it is possible to change the attestation type. In the code that follows, I
switch the attestation from TPM to AD:
Set-HGSServer -TrustActiveDirectory
If using AD attestation, the HGS domain must be able to resolve DNS for the
organization's primary AD domain and must trust that domain; in this example, my
corporate domain is savilltech.net:
Add-DnsServerConditionalForwarderZone -Name "savilltech.net" `
-ReplicationScope "Forest" -MasterServers 10.7.173.10, 10.7.173.11
netdom trust savtechhgs.net /domain:savilltech.net /userD:savilltech.net\Administrator /passwordD:Pa55word /add
AD attestation is based on Hyper-V hosts being members of a global security group in
the organization's AD. The SID of that group is required, and it can be found by
running the following PowerShell in the source domain. In this example, my group is
called GuardedHosts:
Get-ADGroup "GuardedHosts" | Select-Object SID
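Before handing the PFX files to Initialize-HGSServer, or the group SID to HGS for AD attestation, it is worth verifying that the material is actually what HGS expects: a private key is present, the certificate is issued to the intended DNS name and is not about to expire, the two certificates are distinct keys, and the group really is a global security group. The following pre-flight check is an added example and not code from the book or from Microsoft; it assumes the file paths, DNS names and group name used in this chapter, that the ActiveDirectory module is available where it runs, and it prompts for the PFX password rather than embedding it.

```powershell
# Added pre-flight check for the HGS setup in this chapter (not the book's own code).
# Assumes: PFX paths, DNS names and group name from the chapter; RSAT AD module present.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-HgsPfx {
    # Load a PFX and verify it is usable as an HGS signing or encryption certificate.
    param(
        [string]$Path,
        [System.Security.SecureString]$Password,
        [string]$ExpectedDnsName
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "PFX not found: $Path" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    if (-not $cert.HasPrivateKey) { throw "$Path has no private key; HGS cannot use it" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "$Path expires on $($cert.NotAfter)" }
    $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns -ne $ExpectedDnsName) { throw "$Path is issued to '$dns', expected '$ExpectedDnsName'" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa -or $rsa.KeySize -lt 2048) { throw "$Path does not carry an RSA key of at least 2048 bits" }
    return $cert
}

function Get-HgsAttestationGroupSid {
    # AD attestation requires the SID of a *global security* group in the corporate domain.
    param([string]$GroupName, [string]$Domain)
    $group = Get-ADGroup -Identity $GroupName -Server $Domain
    if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
        throw "$GroupName is a $($group.GroupScope) $($group.GroupCategory) group; HGS needs a global security group"
    }
    return $group.SID.Value
}

# Prompt for the PFX password instead of keeping it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$signing    = Test-HgsPfx -Path 'C:\signingCert.pfx'    -Password $pfxPassword -ExpectedDnsName 'signing.savtechhgs.net'
$encryption = Test-HgsPfx -Path 'C:\encryptionCert.pfx' -Password $pfxPassword -ExpectedDnsName 'encryption.savtechhgs.net'
if ($signing.Thumbprint -eq $encryption.Thumbprint) {
    throw 'Signing and encryption certificates must be distinct keys'
}
# Only needed when the instance will use (or be switched to) AD attestation.
$groupSid = Get-HgsAttestationGroupSid -GroupName 'GuardedHosts' -Domain 'savilltech.net'

Write-Host "Signing cert   : $($signing.Thumbprint)"
Write-Host "Encryption cert: $($encryption.Thumbprint)"
Write-Host "Host group SID : $groupSid"
```

Any failed check throws before Initialize-HGSServer is reached, so a mismatched DNS name or a group of the wrong scope is caught at setup rather than when the first host fails attestation.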
The group is added as an attestation group on the HGS server and then viewed: