This step-by-step guide shows how to configure the Host Guardian Service in Windows Server.

As a security feature, the Host Guardian Service checks whether a host is trusted to run shielded virtual machines. It manages the keys needed to start shielded VMs, which provide additional security. This guide covers what you need to implement Host Guardian Service on Windows Server.

Host Guardian Service - What Is It?

Host Guardian Service is a feature that enhances the security of virtualized environments on Windows Server 2016 and later. It allows shielded virtual machines to run only on trusted Hyper-V hosts. Shielded VMs protect sensitive data and workloads from being manipulated or accessed by unauthorized users.

Install Host Guardian Service on Windows Server

Below is a step-by-step guide to setting up Host Guardian Service on Windows Server.

Configure the Host Guardian role.

Prepare the HGS Active Directory forest.

Create your certificate.

Initialize HGS and choose which attestation type to use.

Now, let's explain these in detail.

1. Configure the Host Guardian Role

Some background is in order before we begin installing the Host Guardian Service role. HGS is a server role added with Windows Server 2016; it is part of the guarded fabric that makes virtual machines a lot more secure.

The following steps will guide you through installing the Host Guardian Service role.

Launch Server Manager.

Click to select Manage > Add Roles and Features.

Once the wizard to add roles and features appears, click Next.

Confirm that you want a role-based or feature-based installation, then click Next.

Select a server; the default is usually already filled in.

To turn on Host Guardian Service, go to the Server Roles tab and check the Host Guardian Service box.

On the pop-up that comes in, select Add Features.

Click Next.

On the Features tab, just click Next, since we have already selected the features.

Click Next to skip the AD DS tab; once done, click Next again to skip the Host Guardian Service tab.

Once you have reached the Confirmation tab, check the box to automatically restart the target server if needed and then click Install.

Monitor the installation progress bar. Once the installation is complete, you can close the installation wizard.

2. Prepare the HGS Active Directory forest



Once the HGS server role has been added, run the Install-HgsServer cmdlet. It makes the Active Directory forest ready for HGS and prepares the service along with all its dependencies.


Before starting the process, it is critical to check that the HGS machine is not domain-joined. When executed on the first HGS node, this cmdlet promotes it to the role of primary domain controller in the specified domain. HGS must be initialized after this. Run the following commands in an elevated PowerShell session.


# Convert the safe mode administrator password to a SecureString
$adminPassword = ConvertTo-SecureString -AsPlainText 'yourPass' -Force
# Prepare the HGS forest and restart the server when done
Install-HgsServer -HgsDomainName 'myDomain.com' -SafeModeAdministratorPassword $adminPassword -Restart


Replace "myDomain.com" with the actual name of your domain and "yourPass" with your actual password.
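
The prerequisites described above can be checked before Install-HgsServer runs. The following is an added example, not code from the original article: it verifies that the role from step 1 is installed and that the machine is not domain-joined, and it prompts for the password instead of writing it into the script. The domain name is the article's placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks before preparing the HGS forest.
# 'myDomain.com' is the article's placeholder; replace it with your own domain.

# The Host Guardian Service role from step 1 must already be installed.
$role = Get-WindowsFeature -Name HostGuardianServiceRole
if (-not $role.Installed) {
    throw 'Host Guardian Service role is not installed; complete step 1 first.'
}

# The article requires that the HGS machine is not domain-joined at this point.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "$($cs.Name) is already joined to '$($cs.Domain)'; start from a workgroup machine."
}

# Prompt for the password so it never appears in the script or command history.
$adminPassword = Read-Host -AsSecureString -Prompt 'Safe mode administrator password'

# Same call as in the article; the server restarts when the cmdlet finishes.
Install-HgsServer -HgsDomainName 'myDomain.com' `
    -SafeModeAdministratorPassword $adminPassword -Restart
```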

3. Create Your Certificate


The Host Guardian Service requires certificates for encryption and signing. There are three ways to get certificates: by generating self-signed certificates, by getting certificates backed by Hardware Security Modules, or by using your own Public Key Infrastructure (PKI) certificate and PFX file. Self-signed certificates have limitations, but they are well suited to evaluation and proof-of-concept scenarios, and we will use them in this tutorial because of their simplicity.


Start PowerShell as an administrator and run the following commands.


# Password that protects the exported PFX files (replace the placeholder)
$certificatePassword = ConvertTo-SecureString -AsPlainText '<password>' -Force

# Create the signing certificate and export it to a PFX file
$signingCert = New-SelfSignedCertificate -DnsName "certName.com"
Export-PfxCertificate -Cert $signingCert -Password $certificatePassword -FilePath 'C:\signingCert.pfx'

# Create the encryption certificate and export it to a PFX file
$encryptionCert = New-SelfSignedCertificate -DnsName "EncryptionCert.com"
Export-PfxCertificate -Cert $encryptionCert -Password $certificatePassword -FilePath 'C:\encryptionCert.pfx'


These commands create and export the signing and encryption certificates.



4. Initialize HGS and select the type of attestation

Now, let's initialize HGS and select the type of attestation. If you are accustomed to Windows Server 2016, you will recognize Host key attestation as similar to Admin-trusted attestation. We will use it for this purpose. Run the following commands in an elevated PowerShell session.


# Password of the PFX files exported in step 3
$certificatePassword = ConvertTo-SecureString -AsPlainText 'Yusuf@2411' -Force
# Initialize HGS with host key attestation and the two certificates
Initialize-HgsServer -LogDirectory C:\temp -HgsServiceName HGSService -Http -TrustHostKey -SigningCertificatePath 'C:\signingCert.pfx' -SigningCertificatePassword $certificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' -EncryptionCertificatePassword $certificatePassword


Be sure to replace all of the placeholder values with your own; the certificate password must be the one used when the PFX files were exported.
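
The initialization step can be run without a password in the script and followed by a check of the result. The following is an added example, not code from the original article: it validates both PFX files from step 3 before initializing, then prints the resulting HGS configuration and runs the built-in diagnostics. File paths and the service name are the ones used in the article.

```powershell
#Requires -RunAsAdministrator
# Added example: validate the PFX files, initialize HGS, then verify the result.
# Paths and the service name follow the article; adjust them to your environment.
$signingPfx    = 'C:\signingCert.pfx'
$encryptionPfx = 'C:\encryptionCert.pfx'

# Prompt once instead of embedding the PFX password in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password used at export'

# Fail early if a file is missing, the password is wrong, or a certificate has expired.
foreach ($path in $signingPfx, $encryptionPfx) {
    $pfx  = Get-PfxData -FilePath $path -Password $pfxPassword -ErrorAction Stop
    $cert = $pfx.EndEntityCertificates[0]
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$path expired on $($cert.NotAfter)"
    }
    '{0}: {1} (expires {2:yyyy-MM-dd})' -f $path, $cert.Thumbprint, $cert.NotAfter
}

# Same parameters as in the article, passed by splatting for readability.
$hgsParams = @{
    HgsServiceName                = 'HGSService'
    TrustHostKey                  = $true
    Http                          = $true
    SigningCertificatePath        = $signingPfx
    SigningCertificatePassword    = $pfxPassword
    EncryptionCertificatePath     = $encryptionPfx
    EncryptionCertificatePassword = $pfxPassword
}
Initialize-HgsServer @hgsParams

# Show the attestation mode and the service URLs that HGS is now configured with.
Get-HgsServer | Format-List

# Run the built-in HGS diagnostics and review any reported failures.
Get-HgsTrace -RunDiagnostics
```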


With HGS initialized as described, you can now protect your Hyper-V virtual machines from malware attacks against your company.



