Authorize Hyper-V hosts using Admin-trusted attestation
Important
Admin-trusted attestation (AD mode) is deprecated beginning with Windows Server 2019. For environments where TPM attestation is not possible, configure host key attestation. Host key attestation provides similar assurance to AD mode and is simpler to set up.
To authorize a guarded host in AD mode:
- In the fabric domain, add the Hyper-V hosts to a security group.
- In the HGS domain, register the SID of the security group with HGS.
Add the Hyper-V host to a security group and reboot the host
Create a GLOBAL security group in the fabric domain and add Hyper-V hosts that will run shielded VMs. Restart the hosts to update their group membership.
Use Get-ADGroup to obtain the security identifier (SID) of the security group and provide it to the HGS administrator.
Get-ADGroup "Guarded Hosts"
Register the SID of the security group with HGS
Obtain the SID of the security group for guarded hosts from the fabric administrator and run the following command to register the security group with HGS. Re-run the command if necessary for additional groups. Provide a friendly name for the group. It does not need to match the Active Directory security group name.
Add-HgsAttestationHostGroup -Name "<GuardedHostGroup>" -Identifier "<SID>"
To verify the group was added, run Get-HgsAttestationHostGroup.