Mastering Windows Server 2016 Hyper-V

(Romina) #1

#On the HGS server: register the AD security group that contains the guarded hosts, then confirm it
Add-HgsAttestationHostGroup -Name "GuardedHosts" -Identifier "SID"
Get-HgsAttestationHostGroup


For both AD and TPM attestation, the corporate DNS must be able to resolve names
in the HGS domain, because the guarded hosts reach the attestation and key protection
services by name. This is done through DNS Manager or PowerShell by adding a
conditional forwarder for the HGS domain that points at the HGS server IP address,
as shown in Figure 5.23.


Figure 5.23 Conditional forwarder for HGS DNS zone
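The same conditional forwarder created with PowerShell and then checked from a guarded host, as an added example rather than the book's own commands; the HGS domain name, the HGS server address and the service FQDN are placeholders.

```powershell
# Added example (not from the book): create the conditional forwarder on a
# corporate DNS server so guarded hosts can resolve the HGS attestation and
# key protection services, then verify that resolution works.
# Placeholder values: HGS domain hgs.contoso.local, HGS server 10.10.10.5.
$HgsDomain   = 'hgs.contoso.local'
$HgsServerIp = '10.10.10.5'

Import-Module DnsServer

# Create the forwarder once; -ReplicationScope 'Forest' stores it in AD so every
# domain controller running DNS picks it up, not only the server this runs on.
if (-not (Get-DnsServerZone -Name $HgsDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $HgsDomain `
        -MasterServers $HgsServerIp `
        -ReplicationScope 'Forest' `
        -PassThru
}

# Verification from a guarded host: the HGS service name must resolve to the
# HGS address before Set-HgsClientConfiguration can reach the attestation URL.
$hgsFqdn = "hgs.$HgsDomain"   # placeholder name of the HGS service / cluster
$answer  = Resolve-DnsName -Name $hgsFqdn -Type A -ErrorAction Stop
if ($answer.IPAddress -notcontains $HgsServerIp) {
    throw "Forwarder for $HgsDomain is not resolving $hgsFqdn to $HgsServerIp"
}

# Optional reachability check of the attestation endpoint (HTTP on port 80 by default).
Test-NetConnection -ComputerName $hgsFqdn -Port 80 -InformationLevel Quiet
```

Run the forwarder part on a DNS server in the corporate domain and the verification part on a guarded host; if Resolve-DnsName fails, attestation will fail too.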


If using TPM attestation, the TPM must be activated on each host, its identifier
exported, and imported to the HGS server:


#On a guarded host
#Initialize the TPM, then export the host's TPM identifier to an XML file
Initialize-Tpm
(Get-PlatformIdentifier -Name 'savdalhv07').InnerXml |
Out-File c:\savdalhv07.xml
#Copy the generated file to the HGS, then run the following on the HGS server
#to register the host's TPM identifier for attestation
Add-HgsAttestationTpmHost -Path c:\savdalhv07.xml -Name 'savdalhv07' `
-Force


For both AD and TPM attestation, a code integrity policy is required that controls which
processes are allowed to run on a host. When this is combined with Secure Boot and a
TPM, it ensures that the binaries on the Hyper-V host have not been tampered with in a
way that could compromise its integrity. Various rule levels are available. A common choice is
