Host Guardian Service (HGS) is a server role that helps you run shielded VMs on trusted Hyper-V hosts.
When you use certificate-based attestation (Windows Server 2019 and later call this mode "host key attestation"), trust is established through certificates or key pairs issued to the hosts, not through TPM measurements.

Prerequisites

Two environments or servers:
- HGS server (a 2-node cluster or larger for production)
- Hyper-V host (the guarded host)
Windows Server 2019, 2022 or 2025 on both the HGS server and the Hyper-V host.

Certificates:
- Issued from an internal or external CA.
- You need at least:
  - an attestation (host) certificate for each Hyper-V host, and
  - a signing certificate and an encryption certificate for the HGS key protection service, which protect the shielded VM keys.

Networking:
- The Hyper-V host must reach the HGS endpoints over HTTPS (default port 443).
- DNS records for attestation.<domain> and keyprotection.<domain> must point to HGS.
Step 1: Install the HGS role

On the HGS server:

    Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools

Then create the dedicated HGS forest. Install-HgsServer creates the domain; Initialize-HgsServer (used in a later step) configures the service inside it:

    Install-HgsServer -HgsDomainName "hgs.local" -SafeModeAdministratorPassword (Read-Host -AsSecureString "Enter DSRM Password") -Restart

This sets up HGS as a standalone forest root domain (recommended for security). The server reboots; run the remaining HGS commands after it is back up.
Step 2: Create the key protection certificates

HGS needs a signing certificate and an encryption certificate for its key protection service. If you don't have them yet, a lab can use self-signed ones (production should use CA-issued certificates, see the notes at the end):

    New-SelfSignedCertificate -DnsName "sign.hgs.local" -CertStoreLocation "cert:\LocalMachine\My"
    New-SelfSignedCertificate -DnsName "encrypt.hgs.local" -CertStoreLocation "cert:\LocalMachine\My"

Export the public keys (replace the thumbprint placeholders with the thumbprints printed by New-SelfSignedCertificate):

    Export-Certificate -Cert (Get-Item cert:\LocalMachine\My\<ThumbprintOfSignCert>) -FilePath C:\sign.cer
    Export-Certificate -Cert (Get-Item cert:\LocalMachine\My\<ThumbprintOfEncryptCert>) -FilePath C:\encrypt.cer

Step 3: Initialize HGS in certificate (host key) mode

On the HGS server, initialize the service with both certificates from the local machine store and select host key attestation, the certificate-based mode:

    Initialize-HgsServer -HgsServiceName "hgs" `
        -SigningCertificateThumbprint "<ThumbprintOfSignCert>" `
        -EncryptionCertificateThumbprint "<ThumbprintOfEncryptCert>" `
        -TrustHostKey

This creates the attestation and key protection services, with attestation trusting the host certificates you register in a later step.
Step 4: Issue and install the host certificate

On the CA, issue a certificate to the Hyper-V host with:
- the Client Authentication EKU, and
- the host's FQDN as the Subject or SAN.

Export it with its private key (PFX) and install it on the Hyper-V host:

    Import-PfxCertificate -FilePath "C:\host.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString "PFX password")

Export the host certificate's public part (no private key) so it can be registered with HGS:

    Export-Certificate -Cert (Get-ChildItem Cert:\LocalMachine\My\<Thumbprint>) -FilePath C:\host.cer

Step 5: Point the host at HGS

On the Hyper-V host:

    Set-HgsClientConfiguration -AttestationServerUrl "https://attestation.hgs.local/Attestation" `
        -KeyProtectionServerUrl "https://keyprotection.hgs.local/KeyProtection"

If you run a second HGS cluster (for example behind keyprotection2.hgs.local), point the client at it with -FallbackAttestationServerUrl and -FallbackKeyProtectionServerUrl; a standalone second key protection URL is not a parameter of this cmdlet.

Step 6: Register the host certificate with HGS

Copy C:\host.cer to the HGS server and register it there:

    Add-HgsAttestationHostKey -Name "HyperV01" -Path "C:\host.cer"
Step 7: Verify attestation

On the Hyper-V host, check the client state:

    Get-HgsClientConfiguration

The attestation result is reported in this cmdlet's output; if it fails, Get-HgsTrace -RunDiagnostics -Detailed runs the client and server diagnostics. You should see:

    IsHostGuarded     : True
    AttestationStatus : Passed
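As an added example (not part of the original guide), a check script for the guarded host that reads the attestation result from Get-HgsClientConfiguration and warns when the host's attestation certificate is close to expiry, which is the renewal the notes at the end call for. It assumes the host certificate sits in Cert:\LocalMachine\My with the Client Authentication EKU and the host FQDN in its SAN, and that a 30-day warning window is acceptable.

```powershell
# Added example, not from the original guide. Run on the guarded Hyper-V host.
# Assumptions: host certificate in Cert:\LocalMachine\My with the Client
# Authentication EKU and the host FQDN as a DNS SAN; 30-day renewal window.
param(
    [string]$ExpectedAttestationUrl = "https://attestation.hgs.local/Attestation",
    [int]$WarnDays = 30
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth OID
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$problems = @()

# 1. Attestation state as reported by the HGS client
$cfg = Get-HgsClientConfiguration
if ($cfg.AttestationServerUrl -ne $ExpectedAttestationUrl) {
    $problems += "Attestation URL is '$($cfg.AttestationServerUrl)', expected '$ExpectedAttestationUrl'"
}
$attested = $cfg.IsHostGuarded -and ($cfg.AttestationStatus -eq 'Passed')
if (-not $attested) {
    $problems += "Attestation failed: $($cfg.AttestationStatus) / $($cfg.AttestationSubstatus)"
}

# 2. Host certificate: private key present, client-auth EKU, FQDN in SAN
$hostCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku) -and
    ($_.DnsNameList.Unicode -contains $fqdn)
})
if ($hostCerts.Count -eq 0) {
    $problems += "No client-auth certificate with private key for $fqdn in LocalMachine\My"
}
foreach ($c in $hostCerts) {
    $daysLeft = [math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt $WarnDays) {
        $problems += "Certificate $($c.Thumbprint) expires in $daysLeft days; renew it and re-register the new public cert with Add-HgsAttestationHostKey"
    }
}

# 3. One object per host, convenient to collect across a fleet
[pscustomobject]@{
    Host              = $fqdn
    IsHostGuarded     = $cfg.IsHostGuarded
    AttestationStatus = $cfg.AttestationStatus
    CertThumbprints   = ($hostCerts.Thumbprint -join ',')
    Problems          = $problems
}
$problems | ForEach-Object { Write-Warning $_ }
# Full client/server diagnostics only when attestation itself failed
if (-not $attested) { Get-HgsTrace -RunDiagnostics -Detailed }
```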
Step 8: Create or convert shielded VMs

Once attestation passes, create a new shielded VM (New-ShieldedVM comes from the GuardedFabricTools module):

    New-ShieldedVM -Name "SecureVM1" -Path "D:\VMs\SecureVM1" -ShieldingDataFilePath "C:\ShieldingData.pdk"

Or convert an existing VM. The VM must already carry a key protector from the HGS guardian (applied with Set-VMKeyProtector); then mark it shielded and enable its virtual TPM with the Hyper-V cmdlets:

    Set-VMSecurityPolicy -VMName "TestVM" -Shielded $true
    Enable-VMTPM -VMName "TestVM"
Notes

- Keep the HGS domain isolated from your production AD.
- Use TLS certificates from an internal CA with short validity (1 year or less).
- Back up the HGS configuration and certificates securely.
- Regularly renew the attestation certificates for Hyper-V hosts.
- For multi-host setups, use PowerShell DSC or Group Policy to deploy the HGS client configuration.