Once HGS nodes are configured, you are ready to deploy Hyper-V hosts that will be attested by HGS to run the safeguarded VMs. This recipe will guide you through the steps required to implement guarded hosts in your production fabric. Before beginning, check that your Hyper-V hosts meet the following requirements:
- Unlike HGS, your Hyper-V hosts must be running Windows Server 2016 Datacenter, as Host Guardian Hyper-V Support is only available in this edition.
- If TPM attestation mode is used, Hyper-V hosts must meet the TPM requirements mentioned previously (such as TPM 2.0, UEFI 2.3.1). Refer to the introduction section in this chapter for more information about attestation modes.
- At least one host is required to test shielded VMs. In this recipe, I will use two up-to-date Hyper-V hosts (GH-01 and GH-02) in my fabric domain, in order to verify that live migration of shielded VMs works as well.
- If AD-based attestation mode is used, add your Hyper-V hosts to the trusted...
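
The edition, TPM and domain requirements above can be checked on each candidate host before it is configured. The following pre-flight check is an added example, not part of the original recipe; the function name `Test-GuardedHostPrereq` and its parameters are hypothetical, and it assumes PowerShell remoting is enabled on GH-01 and GH-02.

```powershell
# Added example: pre-flight check for prospective guarded hosts.
# GH-01/GH-02 are the hosts named in the recipe; the function name and
# parameters are hypothetical. Requires PowerShell remoting to each host.
function Test-GuardedHostPrereq {
    param(
        [string[]]$ComputerName = @('GH-01', 'GH-02'),
        [switch]$TpmMode   # set when TPM attestation mode will be used
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $TpmMode.IsPresent -ScriptBlock {
        param($CheckTpm)

        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem

        $result = [ordered]@{
            Host             = $env:COMPUTERNAME
            OsCaption        = $os.Caption
            # Host Guardian Hyper-V Support needs the Datacenter edition
            IsDatacenter2016 = $os.Caption -like '*Windows Server 2016 Datacenter*'
            DomainJoined     = $cs.PartOfDomain
            Domain           = $cs.Domain
        }

        if ($CheckTpm) {
            # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.16"
            $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                   -ClassName Win32_Tpm -ErrorAction SilentlyContinue
            $result.TpmPresent     = [bool]$tpm
            $result.TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { $null }
            $result.IsTpm20        = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
            # The UEFI 2.3.1 requirement is not checked here; confirm it
            # against the firmware vendor's documentation.
        }

        [pscustomobject]$result
    }
}

# Report every host that fails a requirement for TPM attestation mode
Test-GuardedHostPrereq -TpmMode |
    Where-Object { -not ($_.IsDatacenter2016 -and $_.DomainJoined -and $_.IsTpm20) } |
    Format-Table Host, OsCaption, DomainJoined, TpmSpecVersion
```

An empty table means both hosts passed the checked requirements; for AD-based attestation, omit `-TpmMode` and drop `IsTpm20` from the filter.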