No, the HGS server doesn’t need a TPM 2.0 chip. Make sure “Active Directory Enrollment Policy” is selected and click “Next”. Tick the “HGS Certificates” template (or whatever you named your new template). Now click the “More information is required…” link and select “Common Name” from the “Subject Name” drop-down. You can set it up to provide a way to monitor various resources remotely on a Windows Server 2016 … Enable the Host Guardian Service role by opening Windows PowerShell in elevated mode and running the following command. Before putting the host into production though, audit mode should be removed from the CIPolicy, which would then enforce any violations. Now the Windows Server 2016 is an NTP client of pool.ntp.org and its time/clock is synced with the NTP pool servers (the server is at the same time the NTP server for other domain client systems). The script will also ask for credentials; enter Domain Admin credentials. If you’re not a reader though, don’t worry, following this step-by-step should still net you a Guarded Fabric by its end. The Key Protection and Attestation URLs you’re about to configure will make use of this, so for my example those URLs will be: -AttestationServerUrl “http://hgs.hgsbastion.local/Attestation”, -KeyProtectionServerUrl “http://hgs.hgsbastion.local/KeyProtection”. HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines. For HGS to work correctly, your fabric DNS needs to be able to resolve your HGS bastion domain. First published on TECHNET on Mar 28, 2016 [This post is authored by Sumesh Kumar, Program Manager for the Enterprise and Security Product Team] The “Key Protection Service” (KPS) is one of the two services that run as part of a Windows Server role called the Host Guardian Service … Now copy the TCGlog file to “C:\Temp\” on your HGS server. In Windows Server 2016, an SNMP service is still available.
When you’ve finished your deployment and have tested the CIPolicy to your satisfaction, run the following against your original CIPolicy .xml file (see, told you you’d need to keep it): To apply the enforced policy, copy it across to “C:\Windows\System32\CodeIntegrity\SIPolicy.p7b” on each host that you want guarded. Didn't take - SFC Scan - Disk Check - Took ownership of Vmw.exe and granted full rights to the admin account and TrustedInstaller. Armed with our certificates, we can now proceed with initializing our first HGS server. The Host Guardian Service role specifically provides Attestation and Key Protection services that are needed to enable Hyper-V to run … The next post will cover the following items: I may add a post at a later date covering the deployment and configuration of shielded VMs from the Azure Pack Portal. Being that we’ve already taken care of this outwith SCVMM, the host won’t actually reboot; it’ll just give SCVMM control. Under Action, select Allow the connection > Next. As you alluded to, it’s been almost 2 years since I’ve worked on this so I’m a little hazy on the subject…with that in mind though I believe the cluster should look like a cluster, although I can’t ever remember having to configure a VIP. TPM Identifier (EKPub) – this is unique to each host. TPM Baseline (Boot Measurements) – only required once for each class of hardware. The first step to set up a Windows Server 2016 as a VPN server is to add the Remote Access role to your Server 2016. In this article, I’ll show you how to deploy and configure Managed Service Accounts with Windows Server 2016 and Active Directory. I need to set up a server to run the HGS. Prerequisites Operating system: Host key attestation requires Windows Server 2019 Standard or Datacenter edition operating with v2 attestation.
In my deployments, this didn’t seem to happen as expected; if it happens, repeat the steps in the Import HGS Certificates and Apply Service Account Permissions section. Activate 2016 RDS License Server in Windows Server 2016: the Remote Desktop Services license server issues client access licenses (CALs) to users and devices when they access the RD Session Host. Now we need to get the other hosts in the cluster up to the same level. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). This mode of attestation uses both Secure Boot and code integrity measurements to ensure that the host is in a healthy state and is running only trusted code. This mode of attestation is relatively easy to set up and has no special hardware requirements. Before we can grab the TPM baseline on our reference host, we have to install the Host Guardian feature. Put the first Hyper-V host into maintenance mode within SCVMM, then log on and run the following PowerShell. With the recent release of Windows Server 2016 I decided to investigate if this service was still present and, if so, whether there had been any changes made to it in this latest release of Windows Server. Now that we’ve enabled support for the Host Guardian Service within SCVMM, all that’s left to do is enable the use of our CI policy. Well, that’s it for the deployment and configuration of the HGS infrastructure; now comes the tenant piece. In 2012 R2 this had to be done on a per-host basis. Host Guardian uses a combination of three different features to provide this privacy. The easiest way to achieve this is by creating a “Conditional Forwarder” on your fabric DNS. Here is a quick breakdown of the options we’re setting against our created policy: This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate.
The PowerShell below assumes that the only Hyper-V hosts being managed by your SCVMM server are the ones we built as part of this guide; if that is not the case, remove: (Invoke-Command -ComputerName HyperVHost1, HyperVhost2, HyperVHost3 {(Get-Platform…). Previous Post in Series: Part 4: Deploy and Configure a 3 Node 2016 Hyper-V Cluster. Welcome to Part 5 of the Server 2016 Features Series. TPM mode has a much more involved deployment when compared to AD mode; it also has specific hardware and software requirements. Managed Service Account (MSA) is a new type of Active Directory account where AD is responsible for … You can ignore this for the time being. A Hyper-V host is known as a “guarded host” once the Attestation service affirmatively validates its identity & configuration. The easiest way to achieve this is by creating a, From a DNS server on your fabric domain, click the start menu, type, Expand a domain controller on the left pane and right-click, Type the name of your HGS bastion domain into the, Type the IP address of your first HGS server into the, To test that this is working as expected, open an administrative command prompt and flush your DNS cache by typing. So let's get started. To host a website on IIS, the IIS role should be installed on your machine. We have already installed the IIS role on Windows Server 2016. The steps for hosting a website on IIS are very easy. SMTP by default uses TCP port 25. CONGRATULATIONS, you now have a working HGS cluster (single node) and a guarded host cluster. NOTE: Do not use quotes in your file path, even if your path has spaces in it; SCVMM will handle this. Adding ARM Template to deploy Host Guardian Service in Azure.
If you’re logged onto your SCVMM server as a Domain Admin, you can remove, To apply the enforced policy, copy it across to, Install the Host Guardian feature and restart the host. Here is a step-by-step guide to install and configure SMTP services on Windows Server 2016. You can jump to any of the sections covered in this post using the links below: Before we dive into things, it bears mentioning that there are two attestation modes available using the Host Guardian Service; these are: Host attestation is controlled by placing the computer object of a Hyper-V host in a security group created in Active Directory. The upside of this mode though is that it offers the strongest possible protection. Click “Next” on the “Before You Begin” screen. The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. If the status shows “Reduced functionality”, click the “Clear TPM” action and reboot your host. After 30 seconds or so, your host status should change to “OK”. I tried to enable https Set-HgsServer -Http -Https -HttpsCertificateThumbprint xxxxxxxxx. The domain contains multiple Hyper-V hosts. The process below details how to add a second node to your HGS. Have you done the HTTPS configuration of the HGS KPS service? I’ve decided to split that out into another post as this one ended up a fair bit longer than I expected. The IP address is 10.0.0.4.
Now click “Browse”, locate your signing PFX file and click “Next”. Type the password you used when exporting the certificate, tick “Mark this key as exportable…” and click “Next”, “Next” and “Finish”. Repeat the same process for your encryption PFX. Now that our certificates are imported, we need to give the HGS service account Read permissions over the private key: right-click on the signing.FQDN certificate and select “All Tasks” and “Manage Private Keys”. It is recommended that for the TPM baseline and CI Policy you use one host as a “reference” that is representative of each unique class of hardware/software within your datacentre. Now click “OK”. Making sure your certificate template is ticked, click “Enroll”. Repeat the above process but using “encryption.FQDN” as the “Common Name” value and “DNS” value. Now we want to export the signing and encryption certificates as .PFX. Still within the Certificates – Local Computer console, navigate to “Personal”, “Certificates”. Right-click on the signing.FQDN certificate and select “All Tasks”, “Export”. Select “Yes, export the private key” and click “Next”. Accept the defaults on the next screen and click “Next”. Tick the “Password” box, enter a password for your certificate and click “Next”. Type a file path to save your .PFX file to and click “Next” and “Finish”. Tick “Store this conditional forwarder in Active Directory…” and select “All DNS servers in this forest” from the drop-down, or whatever makes the most sense for your organisation. Nice, we can now issue our certificates; we’re getting there. Log onto your HGS server, launch an elevated PowerShell console and run the following: To apply the policy, copy it across to “C:\Windows\System32\CodeIntegrity\SIPolicy.p7b” on each host that you want guarded. On the “General” tab, change the “Template Display Name” to something that makes more sense; I went with “HGS Certificates”.
Windows Server 2016 offers you a host of features and functionalities when you install it on your computer. The first thing we need to do is prepare the HGS by installing the Host Guardian Service role. If your Windows Server 2016 machine is a VM inside Hyper-V, you have to disable time sync. Start-Service w32time. Once the host has come back up, open an elevated PowerShell console and run the following: NOTE: You will need to provide the -SkipValidation flag if the reference host does not have a CIPolicy enforced or Secure Boot enabled. HYPV1: This is the Hyper-V host that will become a Guarded Host. Click “Add roles and features” located under “Quick Start” and click “Next” 3 times, then select “Active Directory Certificate Services”. The above policy is created in audit mode (logging only) as per Microsoft’s documented best practice. If “IsHostGuarded” now shows as “True”, then troubleshoot your DNS. Change both Compatibility Settings to “Server 2016” as we’ll only be using this CA for issuing the HGS certs and don’t need to worry about backwards compatibility issues. Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016. The Host Guardian Service (HGS) is the centerpiece of the guarded fabric solution. NOTE: Notice the file has been renamed; that’s both deliberate and required. This page is a directory that links to posts I have written that cover the official objectives in Microsoft’s 70-744 Securing Windows Server 2016 exam.
Specifies individual hash values for each discovered binary. Although you need to restart the host to apply the policy, hang fire on that for a bit; we’re gonna have to reboot in a little while anyway. Hi, thanks for the detailed instructions. When prompted, click “Add Features”, now click “Next” 3 times. We’re going to create a new certificate template for this to make sure the issued certificates are of the correct type. We’ll start by duplicating an existing certificate template to work as our base, I used the, Select the HGS template you just created and click, On your HGS/Certification Authority server, click start and type, Making sure your certificate template is ticked, click, Repeat the above process but using “encryption.FQDN” as the, Still within the Certificates – Local Computer console, navigate to, Right-click on the signing.FQDN certificate and select, Accept the defaults on the next screen and click, Type a file path to save your .PFX file to and click, A name for your HGS service – this is the distributed network name of the cluster and CANNOT be the FQDN. Now click “Next” 3 times….that damned Next button! First of all, this should be the status of your hosts within the SCVMM console: When viewing one of the hosts’ properties, we can see the reason for “Needs Attention” is (as mentioned above) because SCVMM hasn’t yet been configured to deal with our guarded hosts. You can activate the license server by using the Remote Desktop Licensing Manager.
For this guide we will be concerning ourselves with the TPM mode of attestation as it is by far the most secure option and the one I would put into production. Stop maintenance mode on the host and repeat the above process for the remaining hosts in your guarded cluster. As previously discussed, we’re going with TPM mode as our method of attestation. We want these to be showing a status of “The TPM is ready for use”. Basically, if you’re after detailed information on any of the exam objectives below, simply click the link for further information. This is the environment used in the example explained in this article: 1. This will facilitate you in adding only a few portions of the software. In my deployments, this didn’t seem to happen as expected; if it happens, repeat the steps in the, Create a VM shielding helper disk for SCVMM. Now allow up to 10 minutes for the signing and encryption certificates to be replicated to your second HGS node. The Windows Server 2016 Guarded Fabric Management Pack enables discovery and monitoring of guarded hosts and Host Guardian Service instances in your environment with System Center Operations Manager. HGS will … This can be installed into an existing forest or (as is recommended) installed into a forest of its own. A trust relationship is required between the Host Guardian forest and the fabric Active Directory. Microsoft Exchange 2016 - SMTP Connector - Setup Guide Important Points. Installation or configuration of the SMTP server on Windows 2016 is the same as Windows Server 2012 except for a few differences related to the interface of the two servers. Right-click on the host and select “Properties”, then click “Host Guardian Service”.
The PowerShell below assumes that the only Hyper-V hosts being managed by your SCVMM server are the ones we built as part of this guide; if that is not the case, remove “(Get-SCVMHost).Name” and replace it with the host names separated by a comma: (Invoke-Command -ComputerName HyperVHost1, HyperVhost2, HyperVHost3 {(Get-Platform…). Configuring network settings is one of the first steps you will need to take on Windows Server 2016. Do you have guidelines to enable HTTPS? Now, I’m not sure if the following step is strictly required, but I always now delete the signing and encryption certificates from the Local Store before proceeding. If you’re logged onto your SCVMM server as a Domain Admin, you can remove -Credentials from the command as you’ll already have the required permissions. With that in mind, log onto your reference Hyper-V host, open an elevated PowerShell console and run the following: Other than the configured URLs, your output should be identical to this: Nice, so it looks like everything is working thus far.