Deploying the Host Guardian Service

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

One of the most important goals of providing a hosted environment is to guarantee the security of the virtual machines running in the environment. As a cloud service provider or enterprise private cloud administrator, you can use a guarded fabric to provide a more secure environment for VMs. A guarded fabric consists of one Host Guardian Service (HGS) - typically, a cluster of three nodes - plus one or more guarded hosts, and a set of shielded virtual machines (VMs).


Deployment tasks for guarded fabrics and shielded VMs

The following table breaks down the tasks to deploy a guarded fabric and create shielded VMs according to different administrator roles. Note that when the HGS admin configures HGS with authorized Hyper-V hosts, a fabric admin will collect and provide identifying information about the hosts at the same time.

Step 1 (HGS administrator): Verify HGS prerequisites
Step 2 (HGS administrator): Configure first HGS node
Step 3 (HGS administrator): Configure additional HGS nodes
Step 4 (HGS administrator): Verify HGS configuration
Step 5 (fabric administrator): Configure fabric DNS
Step 6 (fabric administrator): Verify host prerequisites (Key) or Verify host prerequisites (TPM)
Step 7 (fabric administrator): Create host key (Key) or Collect host information (TPM)
Step 8 (HGS administrator): Configure HGS with host information
Step 9 (fabric administrator): Confirm hosts can attest
Step 10 (fabric administrator): Configure VMM (optional)
Step 11 (fabric administrator): Create template disks
Step 12 (fabric administrator): Create a VM shielding helper disk for VMM (optional)
Step 13 (fabric administrator): Set up Windows Azure Pack (optional)
Step 14 (tenant administrator): Create shielding data file
Step 15 (tenant administrator): Create shielded VMs using Windows Azure Pack or Create shielded VMs using VMM
