title: Deploy guarded hosts
ms.custom: na
ms.prod: windows-server-threshold
ms.topic: article
ms.assetid: 2379ca26-b32d-4055-8b4b-99d1f2df37e1
manager: dongill
author: rpsqrd
ms.technology: security-guarded-fabric
ms.date: 08/29/2018

Deploy guarded hosts

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

The topics in this section describe the steps that a fabric administrator takes to configure Hyper-V hosts to work with the Host Guardian Service (HGS). Before you can start these steps, at least one node in the HGS cluster must be set up.

For TPM-trusted attestation:

  1. Configure the fabric DNS: Tells how to set up a DNS forwarder from the fabric domain to the HGS domain.
  2. Capture information required by HGS: Tells how to capture TPM identifiers (also called platform identifiers), create a Code Integrity policy, and create a TPM baseline. Then you will provide this information to the HGS administrator to configure attestation.
  3. Confirm guarded hosts can attest

For host key attestation:

  1. Create a host key: Tells how to set up a DNS forwarder from the fabric domain to the HGS domain.
  2. Add the host key to the attestation service: Tells how to set up an Active Directory security group in the fabric domain, add guarded hosts as members of that group, and provide that group identifier to the HGS administrator.
  3. Confirm guarded hosts can attest

For Admin-trusted attestation:

  1. Configure the fabric DNS: Tells how to set up a DNS forwarder from the fabric domain to the HGS domain.
  2. Create a security group: Tells how to set up an Active Directory security group in the fabric domain, add guarded hosts as members of that group, and provide that group identifier to the HGS administrator.
  3. Confirm guarded hosts can attest

See also
