Initialize-HgsServer
Initializes the Host Guardian Service server.
Syntax
Initialize-HgsServer
[-HgsServiceName] <String>
[-UseHgsDomain]
[-LogDirectory <String>]
[-Http]
[-Https]
[-HttpPort <UInt16>]
[-HttpsPort <UInt16>]
[-HttpsCertificatePath <String>]
[-HttpsCertificatePassword <SecureString>]
[-HttpsCertificateThumbprint <String>]
[-TrustActiveDirectory]
[-TrustTpm]
[-EncryptionCertificateThumbprint <String>]
[-EncryptionCertificatePath <String>]
[-EncryptionCertificatePassword <SecureString>]
[-SigningCertificateThumbprint <String>]
[-SigningCertificatePath <String>]
[-SigningCertificatePassword <SecureString>]
[-HgsVersion <HgsVersion>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Initialize-HgsServer
[-HgsServiceName] <String>
[-UseExistingDomain]
[-LogDirectory <String>]
-JeaAdministratorsGroup <ADGroup>
-JeaReviewersGroup <ADGroup>
-ServiceAccount <ADServiceAccount>
[-ClusterName <String>]
[-Http]
[-Https]
[-HttpPort <UInt16>]
[-HttpsPort <UInt16>]
[-HttpsCertificatePath <String>]
[-HttpsCertificatePassword <SecureString>]
[-HttpsCertificateThumbprint <String>]
[-TrustActiveDirectory]
[-TrustTpm]
[-EncryptionCertificateThumbprint <String>]
[-EncryptionCertificatePath <String>]
[-EncryptionCertificatePassword <SecureString>]
[-SigningCertificateThumbprint <String>]
[-SigningCertificatePath <String>]
[-SigningCertificatePassword <SecureString>]
[-HgsVersion <HgsVersion>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Initialize-HgsServer
[-HgsServerIPAddress] <String>
[-LogDirectory <String>]
[-Http]
[-Https]
[-HttpPort <UInt16>]
[-HttpsPort <UInt16>]
[-HttpsCertificatePath <String>]
[-HttpsCertificatePassword <SecureString>]
[-HttpsCertificateThumbprint <String>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Initialize-HgsServer cmdlet configures the necessary infrastructure components for the Host Guardian Service (HGS) after the server has been rebooted following Install-HgsServer.
This cmdlet performs the following configuration actions on infrastructure components of the first HGS node:
- Creates one-node failover cluster.
- Configures a failover cluster with a distributed network name resource corresponding to the fully qualified domain name of the HGS name: <HgsServerName>.<LocalDomain>.
- Registers and configures the Attestation service web application with the IIS service.
- Registers and configures the Key Protection service web application with the IIS service.
- Configures the Attestation service signer certificate with the Key Protection service.
- Enables Just Enough Administration on the local node.
This cmdlet makes the following configuration changes to components on an additional HGS node:
- Adds the local node to the existing failover cluster on the node specified by the HgsServerIPAddress parameter, using the credential specified in the HgsDomainCredential parameter.
- Registers and configures the Attestation service web application with the IIS service.
- Registers and configures the Key Protection service web application with the IIS service.
- Configures the Attestation service signer certificate with the Key Protection service.
- Enables Just Enough Administration on the local node.
For more information about the scenario terms, see Security and Assurance.
Examples
Example 1: Initialize the HGS on the primary node in TPM mode
PS C:\> Initialize-HgsServer -HgsServiceName "SecureFabricHgs" -EncryptionCertificateThumbprint $EncryptionCert.Thumbprint -SigningCertificateThumbprint $SigningCert.Thumbprint
This command initializes the HGS server on the primary node. By default, the server is accessible on HTTP port 80 and the Attestation service is set to TPM mode. The specified certificates are used by the Key Protection service.
Example 2: Initialize the HGS on a secondary node in TPM mode
PS C:\> $Cred = Get-Credential
PS C:\> Initialize-HgsServer -HgsServerIPAddress "100.100.100.1" -HgsDomainCredential $Cred
This command initializes the HGS server on a secondary node. By default, the server is accessible on HTTP port 80 and the Attestation service is set to TPM mode. The Key Protection service uses the encryption and signing certificates set by the primary server.
Example 3: Initialize the HGS on the primary node in Active Directory mode
PS C:\> Initialize-HgsServer -TrustActiveDirectory -HgsServiceName "SecureFabricHgs" -EncryptionCertificateThumbprint $EncryptionCert.Thumbprint -SigningCertificateThumbprint $SigningCert.Thumbprint
This command initializes the HGS server on the primary node and sets the Attestation service to Active Directory (AD) mode. By default, the server is accessible on HTTP port 80. The specified certificates are used by the Key Protection service.
Example 4: Initialize the HGS on the primary node in TPM mode and enable HTTPS
PS C:\> Initialize-HgsServer -HgsServiceName "SecureFabricHgs" -EncryptionCertificateThumbprint $EncryptionCert.Thumbprint -SigningCertificateThumbprint $SigningCert.Thumbprint -Http -Https -HttpsCertificatePath $PathToPfx -HttpsCertificatePassword $PfxSecureString
This command initializes the HGS server on the primary node in TPM mode and makes it accessible over both HTTP and HTTPS on the default ports, using the certificate in the specified .pfx file for HTTPS. The specified encryption and signing certificates are used by the Key Protection service.
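The following script is an added example and is not part of the original page or of the HgsServer module. It puts the Example 1 and Example 4 steps together for the first node: it resolves the Key Protection encryption and signing certificates and the HTTPS certificate from the local machine store, checks that each has a private key and is not close to expiry, makes the attestation mode and HTTPS explicit instead of relying on defaults, and reads the resulting configuration back with Get-HgsServer. The certificate subject names, the service name, and the log directory are assumptions chosen for the example.

```powershell
# Added example (not from the original page): initialize the first HGS node in TPM mode
# with HTTPS enabled, after validating the certificates it will use.
# Assumptions: the certificate subjects below, the 'SecureFabricHgs' service name and the
# C:\HgsLogs path are illustrative; Install-HgsServer has already run and the node rebooted.

#Requires -RunAsAdministrator
Import-Module HgsServer

function Get-ValidatedHgsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Subject,   # e.g. 'CN=HGS Encryption' (assumed)
        [Parameter(Mandatory)] [string] $Purpose    # label used in error messages
    )
    # The service must be able to use the key on this node, so require a private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with a private key for $Purpose ($Subject) in Cert:\LocalMachine\My"
    }
    # A certificate that expires soon will break attestation and key release shortly after setup.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        throw "$Purpose certificate $($cert.Thumbprint) expires $($cert.NotAfter); renew it before initializing"
    }
    return $cert
}

$EncryptionCert = Get-ValidatedHgsCertificate -Subject 'CN=HGS Encryption'    -Purpose 'encryption'
$SigningCert    = Get-ValidatedHgsCertificate -Subject 'CN=HGS Signing'       -Purpose 'signing'
$HttpsCert      = Get-ValidatedHgsCertificate -Subject 'CN=hgs.bastion.local' -Purpose 'HTTPS'

# Policy check added by this example: keep the encryption and signing roles on separate keys.
if ($EncryptionCert.Thumbprint -eq $SigningCert.Thumbprint) {
    throw 'Use distinct certificates for Key Protection encryption and signing'
}

# -TrustTpm and -Https are stated explicitly rather than relying on the defaults
# (TPM mode and HTTP on port 80), so the intended configuration is visible in the script.
Initialize-HgsServer -HgsServiceName 'SecureFabricHgs' -UseHgsDomain -TrustTpm `
    -EncryptionCertificateThumbprint $EncryptionCert.Thumbprint `
    -SigningCertificateThumbprint    $SigningCert.Thumbprint `
    -Http -Https -HttpsCertificateThumbprint $HttpsCert.Thumbprint `
    -LogDirectory 'C:\HgsLogs' -Confirm:$false

# Read the resulting Attestation and Key Protection service configuration back.
Get-HgsServer
```

Thumbprints are passed instead of .pfx files so that no certificate password has to be handled in the script. Because the cmdlet defaults to HTTP on port 80, the script enables HTTPS alongside it; if HTTP is not needed by the guarded hosts, disable it after initialization so attestation and key-protection traffic is only served over TLS. The same pattern applies to the -UseExistingDomain parameter set, with the -JeaAdministratorsGroup, -JeaReviewersGroup and -ServiceAccount values added.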
Parameters
-ClusterName
Specifies a cluster name.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EncryptionCertificatePassword
Specifies the password for the certificate file specified in EncryptionCertificatePath.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EncryptionCertificatePath
Specifies the path to the encryption certificate used by the Key Protection service.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-EncryptionCertificateThumbprint
Specifies the thumbprint of the encryption certificate used by the Key Protection service.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HgsServerIPAddress
Specifies the IP address of the HGS server that is a domain controller for the specified HGS domain.
Type: | String |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HgsServiceName
Specifies the HGS name.
Type: | String |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HgsVersion
Reserved for future use.
Type: | HgsVersion |
Accepted values: | HgsVersion1503, HgsVersion1704 |
Position: | Named |
Default value: | $script:HgsSupportedLevels[0] |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Http
Indicates that the HGS server is accessible over HTTP.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HttpPort
Specifies the HTTP port of the HGS server.
Type: | UInt16 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Https
Indicates that the HGS server is accessible over HTTPS.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HttpsCertificatePassword
Specifies the password to the certificate file identified by HttpsCertificatePath.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HttpsCertificatePath
Specifies the path to the HTTPS certificate file (.pfx).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HttpsCertificateThumbprint
Indicates the thumbprint of the HTTPS certificate.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HttpsPort
Specifies the HTTPS port of the HGS server.
Type: | UInt16 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-JeaAdministratorsGroup
Identifies the Active Directory group of users who can administer HGS through Just Enough Administration.
Type: | ADGroup |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-JeaReviewersGroup
Identifies the Active Directory group of users who can view, but not change, HGS settings through Just Enough Administration.
Type: | ADGroup |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LogDirectory
Specifies the directory for the output log.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ServiceAccount
Identifies the Group Managed Service Account that will be used for the Key Protection Service. The specified account must already be installed and configured for use on this machine.
Type: | ADServiceAccount |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SigningCertificatePassword
Specifies the password for the certificate file identified by SigningCertificatePath.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SigningCertificatePath
Specifies the path to the signing certificate for use by the Key Protection service.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SigningCertificateThumbprint
Specifies the thumbprint of the signing certificate for use by the Key Protection service.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TrustActiveDirectory
Indicates that the Attestation service is set to Active Directory (AD) mode. If neither TrustActiveDirectory nor TrustTpm is specified, TPM mode is used.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TrustTpm
Indicates that the Attestation service is set to TPM mode. This is the default when neither TrustTpm nor TrustActiveDirectory is specified.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UseExistingDomain
Indicates that HGS was joined to an existing domain and did not establish its own domain (with Install-HgsServer). HGS must already be joined to the existing domain to continue.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UseHgsDomain
Indicates that HGS was set up with its own dedicated Active Directory forest using the Install-HgsServer cmdlet.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |