Q. I am trying to attest with a Host Guardian Server and it is failing because hypervisor code integrity is not enabled. What can I do?
A. You can test a Hyper-V host's readiness to attest (and therefore to run Shielded VMs) with the following commands, run on the guarded host itself:
#Verify on the guarded host
Get-HgsTrace -RunDiagnostics
#Attempt attestation on the guarded host
Get-HgsClientConfiguration
Below is an example execution of a healthy environment (except I only have one HGS box and therefore no redundancy):
PS C:\> Get-HgsTrace -RunDiagnostics
Overall Result: Warning
savdalhv07: Warning
Best Practices: Warning
Resolves Service Hostname to Multiple Addresses: Warning
>>> DNS server at 10.7.173.10 cannot resolve "hgs.savtechhgs.net" to multiple IP
>>> addresses. The recommended configuration is to have multiple HGS servers
>>> available at "hgs.savtechhgs.net" for high availability.
>>> DNS server at 10.7.173.11 cannot resolve "hgs.savtechhgs.net" to multiple IP
>>> addresses. The recommended configuration is to have multiple HGS servers
>>> available at "hgs.savtechhgs.net" for high availability.
Traces have been stored at "C:\Users\administrator.SAVILLTECH\AppData\Local\Temp\2\HgsDiagnostics-20160820-093352".
PS C:\> Get-HgsClientConfiguration
IsHostGuarded : True
Mode : HostGuardianService
KeyProtectionServerUrl : http://hgs.savtechhgs.net/KeyProtection
AttestationServerUrl : http://hgs.savtechhgs.net/Attestation
AttestationOperationMode : Tpm
AttestationStatus : Passed
AttestationSubstatus : NoInformation
However, if you receive errors related to Hyper-V Code Integrity not being enabled, first check that Virtualization Based Security (VBS) is enabled. The effective setting can be viewed as follows; the EnableVirtualizationBasedSecurity value should be 1:
PS C:\> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\
RequireMicrosoftSignedBootChain : 1
EnableVirtualizationBasedSecurity : 1
Locked : 0
RequirePlatformSecurityFeatures : 3
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
PSChildName : DeviceGuard
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
If it is not 1, you may have a local or domain policy that is disabling hypervisor code integrity. By default no policy is set and none is required, but if a policy is applied that disables the feature it will cause exactly this attestation failure. To correct it on the host:
- Open gpedit.msc
- Navigate to Computer Configuration - Administrative Templates - System - Device Guard
- Double click Turn on Virtualization Based Security
- Ensure Virtualization Based Protection of Code Integrity is set to Enabled without lock (this corresponds to Locked : 0 in the registry output above; the Credential Guard Configuration is optional but recommended) and click OK
- Run gpupdate /force and reboot the host; VBS and hypervisor code integrity only take effect after a restart. Once the host is back up, re-run Get-HgsTrace -RunDiagnostics and Get-HgsClientConfiguration to confirm AttestationStatus is now Passed
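The checks above can be combined into one script. The following is an added example that is not part of the original answer: it reads the effective DeviceGuard registry values shown earlier, looks for a policy under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard (the key gpedit.msc writes to), and then asks the Win32_DeviceGuard WMI class what is actually running, since a registry value of 1 only means VBS is configured, not that HVCI is active after the last reboot. The function name Test-GuardedHostCodeIntegrity is my own; the registry paths and the WMI class and status codes are Microsoft's documented ones. Run it in an elevated PowerShell on the guarded host.

```powershell
# Added example: diagnose why HGS attestation reports hypervisor code integrity as
# not enabled. Function name is an assumption (not an HGS or Hyper-V cmdlet).
function Test-GuardedHostCodeIntegrity {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # 1. Effective settings: the same key the answer inspects with Get-ItemProperty.
    $sys = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $r.EnableVirtualizationBasedSecurity = [int]$sys.EnableVirtualizationBasedSecurity
    $r.RequirePlatformSecurityFeatures   = [int]$sys.RequirePlatformSecurityFeatures
    $r.Locked                            = [int]$sys.Locked

    # HVCI has its own scenario key; Enabled = 1 means hypervisor code integrity is configured.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
    $r.HvciEnabledInRegistry = [int]$hvci.Enabled

    # 2. Policy override: present only if "Turn on Virtualization Based Security" has been
    #    configured (locally via gpedit.msc or by a domain GPO). A value of 0 here disables VBS.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $r.PolicyPresent = ($null -ne $pol)
    if ($r.PolicyPresent) {
        $r.PolicyEnableVirtualizationBasedSecurity = $pol.EnableVirtualizationBasedSecurity
        $r.PolicyHypervisorEnforcedCodeIntegrity   = $pol.HypervisorEnforcedCodeIntegrity
    }

    # 3. Runtime state from WMI. VirtualizationBasedSecurityStatus: 0 = not enabled,
    #    1 = enabled but not running, 2 = running. SecurityServicesRunning: 1 = Credential Guard,
    #    2 = HVCI (hypervisor-enforced code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.VbsStatus      = $dg.VirtualizationBasedSecurityStatus
    $r.HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
    $r.HvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)

    # 4. Verdict, in the order a practitioner would act on it.
    $r.Verdict = if ($r.PolicyPresent -and $r.PolicyEnableVirtualizationBasedSecurity -eq 0) {
        'A policy is disabling VBS. Set "Turn on Virtualization Based Security" to Enabled (or remove the policy), gpupdate /force, reboot.'
    } elseif ($r.EnableVirtualizationBasedSecurity -ne 1) {
        'VBS is not enabled in HKLM:\SYSTEM\...\DeviceGuard. Enable it via the Device Guard policy, then reboot.'
    } elseif ($r.HvciEnabledInRegistry -ne 1 -or -not $r.HvciConfigured) {
        'VBS is on but hypervisor code integrity is not configured. Set "Virtualization Based Protection of Code Integrity" to Enabled, then reboot.'
    } elseif (-not $r.HvciRunning) {
        'HVCI is configured but not running; a reboot is pending, or the hardware/firmware (Secure Boot, IOMMU) does not meet the platform security level.'
    } else {
        'Hypervisor code integrity is running. If attestation still fails, re-run Get-HgsTrace -RunDiagnostics for the next cause.'
    }

    [pscustomobject]$r
}

Test-GuardedHostCodeIntegrity | Format-List
```

The script is read-only; it reports which layer (policy, effective registry setting, HVCI scenario key, or runtime state) is blocking attestation rather than changing anything, so it is safe to run on a production host. Note that RequirePlatformSecurityFeatures : 3 in the answer's output means the policy demands both Secure Boot and DMA protection, so a host whose firmware lacks either will show HVCI configured but not running even with the policy set correctly.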