guarded-fabric-initialize-hgs-tpm-mode-bastion.md

File metadata and controls

43 lines (29 loc) · 2.39 KB
---
description: "Learn more about: Initialize the HGS cluster using TPM mode in an existing bastion forest"
title: Initialize the HGS cluster using TPM mode in a bastion forest
ms.topic: article
manager: dongill
author: IngridAtMicrosoft
ms.author: inhenkel
ms.date: 08/29/2018
---

# Initialize the HGS cluster using TPM mode in an existing bastion forest

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

To initialize the HGS cluster using TPM mode in an existing bastion forest, follow the steps below. Active Directory Domain Services will be installed on the machine, but should remain unconfigured.

[!INCLUDE Obtain certificates for HGS]

Before you continue, ensure that you have prestaged your cluster objects for the Host Guardian Service and granted the logged in user Full Control over the VCO and CNO objects in Active Directory. The virtual computer object name needs to be passed to the -HgsServiceName parameter, and the cluster name to the -ClusterName parameter.

> [!TIP]
> Double check your AD Domain Controllers to ensure your cluster objects have replicated to all DCs before continuing.
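The two prerequisites above (objects replicated to every DC, and the logged-in user holding Full Control on the VCO and CNO) can be verified before running `Initialize-HgsServer`. The script below is an added pre-flight check, not part of the original article; it assumes the RSAT ActiveDirectory module is present, uses the VCO name `HgsService` and gMSA `HGSgMSA` from the article, and assumes the CNO is named `HgsCluster` (the article does not name it). It only detects a Full Control entry granted directly to the user, not one inherited through group membership.

```powershell
# Added pre-flight check (not from the original article).
Import-Module ActiveDirectory

$cno  = 'HgsCluster'   # cluster name object (assumed name; passed to -ClusterName)
$vco  = 'HgsService'   # virtual computer object (passed to -HgsServiceName)
$gmsa = 'HGSgMSA'      # service account (passed to -ServiceAccount)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$ok  = $true
$dcs = Get-ADDomainController -Filter *

foreach ($name in @($cno, $vco)) {
    # 1. Replication: the object must be visible on every DC, not only on the
    #    DC that answered when it was prestaged.
    foreach ($dc in $dcs) {
        try {
            $null = Get-ADComputer -Identity $name -Server $dc.HostName -ErrorAction Stop
            Write-Host "[OK]   $name present on $($dc.HostName)"
        } catch {
            Write-Warning "$name has not replicated to $($dc.HostName) yet"
            $ok = $false
        }
    }

    # 2. Permissions: the logged-in user needs an Allow ACE carrying GenericAll
    #    (Full Control) on the object itself.
    $dn  = (Get-ADComputer -Identity $name).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $me -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $full) -eq $full)
    }
    if ($ace) { Write-Host "[OK]   $me has Full Control on $name" }
    else      { Write-Warning "$me has no direct Full Control ACE on $name"; $ok = $false }
}

# 3. The gMSA must exist; Install-ADServiceAccount also needs this host to be
#    listed (directly or via a group) in PrincipalsAllowedToRetrieveManagedPassword.
$acct = Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
Write-Host "[INFO] $gmsa may be retrieved by: $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"

if (-not $ok) { throw 'Pre-flight checks failed; do not run Initialize-HgsServer yet.' }
```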

If you are using PFX-based certificates, run the following commands on the HGS server:

```powershell
# Prompt for the PFX passwords as SecureStrings so they never appear in the command line or history
$signingCertPass = Read-Host -AsSecureString -Prompt "Signing certificate password"
$encryptionCertPass = Read-Host -AsSecureString -Prompt "Encryption certificate password"

# Install the prestaged group managed service account on this HGS node
Install-ADServiceAccount -Identity 'HGSgMSA'

# Initialize HGS in TPM mode against the existing bastion forest; -HgsServiceName is the prestaged VCO
Initialize-HgsServer -UseExistingDomain `
    -ServiceAccount 'HGSgMSA' `
    -JeaReviewersGroup 'HgsJeaReviewers' `
    -JeaAdministratorsGroup 'HgsJeaAdmins' `
    -HgsServiceName 'HgsService' `
    -SigningCertificatePath '.\signCert.pfx' `
    -SigningCertificatePassword $signingCertPass `
    -EncryptionCertificatePath '.\encCert.pfx' `
    -EncryptionCertificatePassword $encryptionCertPass `
    -TrustTpm
```

If you are using certificates installed on the local machine (such as HSM-backed certificates and non-exportable certificates), use the -SigningCertificateThumbprint and -EncryptionCertificateThumbprint parameters instead.

In a production environment, you should continue to add additional HGS nodes to your cluster.

## Next step

> [!div class="nextstepaction"]
> Install TPM root certs