Q. I am trying to attest with a Host Guardian Server and it is failing because hypervisor code integrity is not enabled, what can I do?
A. You can perform a test of your Hyper-V host and its readiness to attestation to enable the use of Shielded VMs using the following commands:
#Verify on the guarded host Get-HgsTrace -RunDiagnostics #Attempt attestation on the guarded host Get-HgsClientConfiguration
Below is an example execution of a healthy environment (except I only have one HGS box and therefore no redundancy):
PS C:\> Get-HgsTrace -RunDiagnostics Overall Result: Warning savdalhv07: Warning Best Practices: Warning Resolves Service Hostname to Multiple Addresses: Warning >>> DNS server at 10.7.173.10 cannot resolve "hgs.savtechhgs.net" to multiple IP >>> addresses. The recommended configuration is to have multiple HGS servers >>> available at "hgs.savtechhgs.net" for high availability. >>> DNS server at 10.7.173.11 cannot resolve "hgs.savtechhgs.net" to multiple IP >>> addresses. The recommended configuration is to have multiple HGS servers >>> available at "hgs.savtechhgs.net" for high availability. Traces have been stored at "C:\Users\administrator.SAVILLTECH\AppData\Local\Temp\2\HgsDiagnostics- 20160820-093352". PS C:\> Get-HgsClientConfiguration IsHostGuarded : True Mode : HostGuardianService KeyProtectionServerUrl : http://hgs.savtechhgs.net/KeyProtection AttestationServerUrl : http://hgs.savtechhgs.net/Attestation AttestationOperationMode : Tpm AttestationStatus : Passed AttestationSubstatus : NoInformation
However if you receive errors related to Hyper-V Code Integrity not being enabled ensure Virtualization Based Security is enabled which can be viewed as follows and check the EnableVirtualizationBasedSecurity value which should be 1:
PS C:\> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\ RequireMicrosoftSignedBootChain : 1 EnableVirtualizationBasedSecurity : 1 Locked : 0 RequirePlatformSecurityFeatures : 3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\DeviceGuard\ PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control PSChildName : DeviceGuard PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry
If it is not 1 you may have a local policy that is disabling hypervisor code integrity (by default no policy should be set and is not required however if a policy is set disabling the feature it will cause the problem).
- Open gpedit.msc
- Navigate to Computer Configuration - Administrative Templates - System - Device Guard
- Double click Turn on Virtualization Based Security
- Ensure the Virtualization Based Protection of Code Integrity is set to Enabled without lock (the Credential Guard Configuration is optional but recommended) and click OK
- This should ensure the Hypervisor code integrity is enabled