This article describes how to deploy guarded Hyper-V hosts in a System Center Virtual Machine Manager (VMM) compute fabric. Learn more about guarded fabric.
There are a couple of ways to set up guarded Hyper-V hosts in a VMM fabric.
You set up guarded hosts in the VMM fabric as follows:
Configure global HGS settings: VMM connects all the guarded hosts to the same Host Guardian Service (HGS) server so that you can successfully migrate shielded VMs between the hosts. You specify the global HGS settings that apply to all the guarded hosts, and you can specify the host-specific settings that override the global settings. Settings include:
Configure the cloud: If the guarded host will be included in a VMM cloud, you need to enable the cloud to support shielded VMs.
Ensure that you've deployed and configured the Host Guardian Service before proceeding. Learn more about configuring HGS in the Windows Server documentation.
Additionally, ensure any hosts that will become guarded hosts meet the guarded host prerequisites:
Before you can add guarded hosts to your VMM compute fabric, you must configure VMM with information about the HGS for the fabric. The same HGS will be used for all guarded hosts managed by VMM.
Obtain the attestation and key protection URLs for your fabric from your HGS administrator.
In the VMM console, select Settings > Host Guardian Service Settings.
Enter the attestation and key protection URLs in the respective fields. You don't need to configure the code integrity policies and VM shielding helper VHD sections at this time.
Select Finish to save the configuration.
Note
You can deploy the host as guarded when you provision it (Add Resource Wizard > OS Settings > Configure as guarded host).
To configure an existing Hyper-V host managed by VMM to be a guarded host, complete the following steps:
Place the host in maintenance mode.
In All Hosts, right-click the host > Properties > Host Guardian Service.
Select the option to enable the Host Guardian Hyper-V Support feature and configure the host.
Note
If you're using VMM to manage code integrity policies, you can enable the second checkbox and select the appropriate policy for the system.
Select OK to update the host's configuration.
Take the host out of the maintenance mode.
VMM checks that the host passes attestation when you add it and every time the host status is refreshed. VMM only deploys and migrates shielded VMs on hosts that have passed attestation. You can check the attestation status of a host in Properties > Status > HGS Client Overall.
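The same check can be run outside the console before a host is taken out of maintenance mode. The following is an added PowerShell example, not code from this article or from VMM: it queries each host's HGS client settings with Get-HgsClientConfiguration from the Windows Server HgsClient module over PowerShell remoting and compares them with the fabric-wide HGS URLs. The host names and URLs are placeholders.

```powershell
# Added example (not from the article): confirm each guarded host points at the
# fabric's HGS and currently passes attestation before shielded VMs are placed on it.
# Assumes PowerShell remoting to the hosts and the HgsClient module on each host.

$expectedAttestationUrl   = 'http://hgs.contoso.example/Attestation'     # placeholder
$expectedKeyProtectionUrl = 'http://hgs.contoso.example/KeyProtection'   # placeholder
$guardedHosts             = @('HV01', 'HV02')                            # placeholder names

# Collect the HGS client view from every host in one remoting call.
$results = Invoke-Command -ComputerName $guardedHosts -ScriptBlock {
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        HostName             = $env:COMPUTERNAME
        IsHostGuarded        = $cfg.IsHostGuarded
        AttestationUrl       = $cfg.AttestationServerUrl
        KeyProtectionUrl     = $cfg.KeyProtectionServerUrl
        AttestationStatus    = $cfg.AttestationStatus
        AttestationSubstatus = $cfg.AttestationSubstatus
    }
}

foreach ($r in $results) {
    $problems = @()

    # Compare URLs without regard to a trailing slash; a host that points at a
    # different HGS than the fabric cannot receive migrated shielded VMs.
    if (($r.AttestationUrl -as [string]).TrimEnd('/') -ne $expectedAttestationUrl.TrimEnd('/')) {
        $problems += 'attestation URL differs from the fabric setting'
    }
    if (($r.KeyProtectionUrl -as [string]).TrimEnd('/') -ne $expectedKeyProtectionUrl.TrimEnd('/')) {
        $problems += 'key protection URL differs from the fabric setting'
    }

    # Only a host whose current attestation is Passed is eligible for shielded VMs.
    if ($r.AttestationStatus -ne 'Passed') {
        $problems += "attestation status is $($r.AttestationStatus) ($($r.AttestationSubstatus))"
    }

    if ($problems.Count -eq 0) {
        Write-Output "$($r.HostName): OK, eligible for shielded VMs"
    } else {
        Write-Warning "$($r.HostName): $($problems -join '; '). Keep the host in maintenance mode until this is fixed."
    }
}
```

A host that reports a status other than Passed should also show a failed HGS Client Overall status in VMM after the next host refresh.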
Enable a cloud to support guarded hosts:
In guarded fabrics configured to use TPM attestation, each host must be configured with a code integrity policy that is trusted by the Host Guardian Service. To ease the management of code integrity policies, you can optionally use VMM to deploy new or updated policies to your guarded hosts.
To deploy a code integrity policy to a guarded host managed by VMM, complete the following steps:
Now, for each guarded host, complete the following steps to apply a code integrity policy:
Place the host in maintenance mode.
In All Hosts, right-click the host > Properties > Host Guardian Service.
Select the option to configure the host with a code integrity policy, and then select the appropriate policy for the system.
Select OK to apply the configuration change. The host might restart to apply the new policy.
Take the host out of maintenance mode.
Warning
Ensure that you select the correct code integrity policy for the host. If an incompatible policy is applied to the host, some applications, drivers, or operating system components may no longer work.
If you update the code integrity policy in the file share and wish to also update the guarded hosts, you can do so by completing the following steps: