Author: Adrian Johnson (adrian207@gmail.com)
A comprehensive, modular, and portable PowerShell solution for implementing, configuring, and troubleshooting Host Guardian Service (HGS) in Windows Server environments. This solution covers all 25 enterprise scenarios for HGS deployment, from basic shielded VM protection to advanced hybrid cloud attestation models.
Host Guardian Service (HGS) is Microsoft's solution for protecting virtual machines from rogue administrators and compromised hosts. This PowerShell solution provides complete automation for HGS deployment, configuration, security, monitoring, and troubleshooting across all enterprise scenarios.
- 25 Enterprise Scenarios - Complete coverage of all HGS use cases
- Modular Design - Reusable PowerShell modules for different HGS functions
- Security-First - Built-in security baselines and Zero Trust integration
- Comprehensive Monitoring - Health checks, performance metrics, and alerting
- Troubleshooting Tools - Diagnostic tools and automated repair functions
- Production Ready - Tested and validated for enterprise deployment
- Quick Start
- Architecture
- Enterprise Scenarios
- Modules
- Scripts
- Configuration
- Security
- Monitoring
- Troubleshooting
- Examples
- Testing
- Documentation
- Windows Server 2016 or later
- PowerShell 5.1 or later
- Administrator privileges
- TPM 2.0 (recommended for TPM-Trusted attestation)
- Hyper-V role installed
# Clone the repository
git clone https://github.com/your-repo/HGS-Scripts.git
cd HGS-Scripts
# Run basic HGS deployment
.\Scripts\Deployment\Deploy-HGSServer.ps1 -ServerName "HGS01" -AttestationMode "TPM" -SecurityLevel "High"# Create configuration file
$config = @{
ServerName = "HGS01"
AttestationMode = "TPM"
SecurityLevel = "High"
AttestationService = $true
KeyProtectionService = $true
ZeroTrust = $true
MonitoringLevel = "Advanced"
Alerting = @{
Enabled = $true
Methods = @("Email", "Webhook")
Recipients = @("admin@contoso.com")
}
Hosts = @(
@{ Name = "HV01"; AttestationMode = "TPM" }
@{ Name = "HV02"; AttestationMode = "TPM" }
)
} | ConvertTo-Json -Depth 10 | Out-File "HGS-Config.json"
# Deploy with configuration
.\Scripts\Deployment\Deploy-HGSServer.ps1 -ConfigurationFile "HGS-Config.json" -ForceHGS-Scripts/
├── Modules/ # PowerShell modules
│ ├── HGS-Core.psm1 # Core HGS functions
│ ├── HGS-Security.psm1 # Security and attestation
│ ├── HGS-Monitoring.psm1 # Monitoring and alerting
│ └── HGS-Troubleshooting.psm1 # Diagnostics and repair
├── Scripts/ # Deployment and management scripts
│ ├── Deployment/ # HGS server deployment
│ ├── Configuration/ # Configuration management
│ ├── Security/ # Security implementation
│ ├── Monitoring/ # Monitoring setup
│ ├── Troubleshooting/ # Troubleshooting tools
│ └── Enterprise-Scenarios/ # All 25 enterprise scenarios
├── Examples/ # Usage examples
├── Tests/ # Test scripts
└── Documentation/ # Detailed documentation
- HGS-Core Module - Basic HGS operations and server management
- HGS-Security Module - Attestation policies, trust boundaries, and security baselines
- HGS-Monitoring Module - Health monitoring, performance metrics, and alerting
- HGS-Troubleshooting Module - Diagnostics, repair, and recovery operations
This solution implements all 25 enterprise scenarios for Host Guardian Service:
- Shielded Virtual Machines - Protect VMs from rogue administrators
- Fabric Assurance - Multi-tenant datacenter security
- Tier-0 Domain Controller Virtualization - Secure DC virtualization
- Guarded Fabric Design - Segregated Hyper-V infrastructure
- Attestation Modes - TPM-Trusted vs Admin-Trusted attestation
- Cluster-Aware Host Attestation - HA virtualization with trust integrity
- Disaster Recovery - Secondary site protection and replication
- Cloud and Hybrid Deployment - Azure Stack HCI integration
- Offline Shielded VM Deployment - Disconnected environment provisioning
- Rogue Host Detection - Dynamic trust management and revocation
- Forensic Integrity Verification - Security baseline comparison
- Privileged Access Workstation Hosting - PAW VM protection
- Cross-Forest Guardian Service - Multi-forest trust boundaries
- Secure Build Pipelines - CI/CD integrity for secure image generation
- Government/Regulated Infrastructure - CJIS, DoD, FedRAMP compliance
- Edge and Field Deployment - Remote host attestation
- TPM and BitLocker Integration - Unified hardware trust chain
- Nested Virtualization - Lab simulation and testing
- Credential Guard and VBS Synergy - Layered hardware-rooted security
- SIEM and Compliance Integration - Audit trail and compliance reporting
- Custom Policy Automation - Dynamic attestation rule updates
- Third-Party Management Integration - SCVMM and monitoring dashboards
- Research and Education Labs - Training and demonstration environments
- Air-Gapped Datacenter Operation - Isolated network security
- Lifecycle Management - Automated host retirement and integrity enforcement
Core functions for HGS operations:
# Install HGS server
Install-HGSServer -ServerName "HGS01" -AttestationService -KeyProtectionService
# Configure attestation mode
Set-HGSAttestationMode -Mode "TPM" -HgsServer "HGS01"
# Add hosts to attestation
Add-HGSHost -HostName "HV01" -AttestationMode "TPM"
# Get HGS status
Get-HGSStatus -HgsServer "HGS01"Security and attestation management:
# Create attestation policy
Set-HGSAttestationPolicy -PolicyName "HighSecurity" -PolicyType "TPM" -SecurityLevel "High"
# Configure trust boundary
Set-HGSTrustBoundary -BoundaryName "TenantA" -BoundaryType "Tenant" -IsolationLevel "High"
# Configure Zero Trust
Set-HGSZeroTrust -TrustModel "NeverTrust" -VerificationLevel "Continuous" -PolicyEnforcement "Strict"
# Configure multi-tenant security
Set-HGSMultiTenantSecurity -TenantName "TenantA" -IsolationLevel "High"Monitoring and alerting:
# Get health status
Get-HGSHealthStatus -HgsServer "HGS01" -IncludeDetails
# Get performance metrics
Get-HGSPerformanceMetrics -HgsServer "HGS01" -MetricType "All"
# Configure monitoring
Set-HGSMonitoring -MonitoringLevel "Advanced" -LogRetention 30
# Configure alerting
Set-HGSAlerting -AlertMethods @("Email", "Webhook") -Recipients @("admin@contoso.com")Diagnostics and repair:
# Run comprehensive diagnostics
Test-HGSDiagnostics -HgsServer "HGS01" -DiagnosticLevel "Comprehensive" -IncludePerformance
# Repair HGS services
Repair-HGSService -HgsServer "HGS01" -RepairType "All" -Force
# Analyze event logs
Get-HGSEventAnalysis -HgsServer "HGS01" -TimeRange 7 -AnalysisType "Comprehensive"
# Test configuration
Test-HGSConfiguration -HgsServer "HGS01" -TestType "All"- Deploy-HGSServer.ps1 - Main HGS server deployment script
- Deploy-HGSCluster.ps1 - Cluster-aware HGS deployment
- Deploy-HGSDisasterRecovery.ps1 - DR site HGS deployment
- Configure-HGS.ps1 - HGS configuration management
- Configure-HGSSecurity.ps1 - Security baseline configuration
- Configure-HGSMonitoring.ps1 - Monitoring and alerting setup
- Secure-HGS.ps1 - Security implementation
- Secure-HGSCertificates.ps1 - Certificate management
- Secure-HGSAttestation.ps1 - Attestation policy management
- Monitor-HGS.ps1 - Health monitoring and alerting
- Monitor-HGSPerformance.ps1 - Performance monitoring
- Monitor-HGSSecurity.ps1 - Security event monitoring
- Troubleshoot-HGS.ps1 - Comprehensive troubleshooting tools
- Troubleshoot-HGSAttestation.ps1 - Attestation-specific troubleshooting
- Troubleshoot-HGSPerformance.ps1 - Performance troubleshooting
- Deploy-HGSShieldedVMs.ps1 - Shielded VM deployment
- Deploy-HGSMultiTenant.ps1 - Multi-tenant HGS deployment
- Deploy-HGSHybridCloud.ps1 - Hybrid cloud HGS deployment
- Deploy-HGSAirGapped.ps1 - Air-gapped HGS deployment
- Deploy-HGSGovernment.ps1 - Government compliance HGS deployment
{
"ServerName": "HGS01",
"AttestationMode": "TPM",
"SecurityLevel": "High",
"AttestationService": true,
"KeyProtectionService": true,
"ZeroTrust": true,
"MultiTenant": false,
"AirGapped": false,
"MonitoringLevel": "Enhanced",
"LogRetention": 30,
"LogLevel": "Detailed",
"LogLocation": "C:\\Logs\\HGS",
"DashboardType": "PowerShell",
"DashboardRefreshInterval": 30,
"Alerting": {
"Enabled": true,
"Methods": ["Email", "Webhook"],
"Recipients": ["admin@contoso.com"]
},
"Hosts": [
{
"Name": "HV01",
"AttestationMode": "TPM"
},
{
"Name": "HV02",
"AttestationMode": "TPM"
}
],
"ClusterAttestation": {
"Enabled": true,
"ClusterName": "HVCluster",
"Nodes": ["HV01", "HV02", "HV03"]
},
"DisasterRecovery": {
"Enabled": true,
"SecondaryServer": "HGS02",
"ReplicationMode": "Active-Passive"
},
"HybridCloud": {
"Enabled": false,
"AzureStackEndpoint": "",
"TrustMode": "Federated"
}
}# Set environment variables for HGS deployment
$env:HGS_SERVER_NAME = "HGS01"
$env:HGS_ATTESTATION_MODE = "TPM"
$env:HGS_SECURITY_LEVEL = "High"
$env:HGS_LOG_LOCATION = "C:\Logs\HGS"
$env:HGS_CERTIFICATE_THUMBPRINT = "1234567890ABCDEF"The solution includes multiple security baselines:
- CIS Baseline - Center for Internet Security recommendations
- NIST Baseline - National Institute of Standards and Technology
- DoD Baseline - Department of Defense requirements
- FedRAMP Baseline - Federal Risk and Authorization Management Program
- Custom Baseline - Organization-specific requirements
# Configure Zero Trust model
Set-HGSZeroTrust -TrustModel "NeverTrust" -VerificationLevel "Continuous" -PolicyEnforcement "Strict"
# Configure continuous verification
Set-HGSZeroTrust -VerificationLevel "Continuous" -PolicyEnforcement "Strict"# Configure tenant isolation
Set-HGSMultiTenantSecurity -TenantName "TenantA" -IsolationLevel "High" -ResourceQuotas @{VMs=10; Storage="1TB"}
# Configure cross-tenant boundaries
Set-HGSTrustBoundary -BoundaryName "TenantA" -BoundaryType "Tenant" -IsolationLevel "Complete"# Configure air-gapped environment
Set-HGSAirGappedSecurity -NetworkIsolation "Complete" -OfflineMode -LocalAttestation
# Configure offline deployment
Set-HGSOfflineDeployment -TemplatePath "C:\Templates\ShieldedVM.vhdx" -AttestationPolicy "OfflinePolicy"# Get comprehensive health status
$healthStatus = Get-HGSHealthStatus -HgsServer "HGS01" -IncludeDetails
# Check specific health aspects
$healthStatus.Services
$healthStatus.AttestationService
$healthStatus.KeyProtectionService
$healthStatus.Performance
$healthStatus.Alerts# Get performance metrics
$perfMetrics = Get-HGSPerformanceMetrics -HgsServer "HGS01" -MetricType "All"
# Monitor specific metrics
$perfMetrics.CPU
$perfMetrics.Memory
$perfMetrics.Network
$perfMetrics.Disk
$perfMetrics.Attestation# Configure email alerts
Set-HGSAlerting -AlertMethods @("Email") -Recipients @("admin@contoso.com", "security@contoso.com")
# Configure webhook alerts
Set-HGSAlerting -AlertMethods @("Webhook") -Recipients @("https://webhook.contoso.com/hgs-alerts")
# Configure multiple alert methods
Set-HGSAlerting -AlertMethods @("Email", "Webhook", "Teams") -Recipients @("admin@contoso.com", "https://teams.contoso.com/webhook")# Get capacity planning information
$capacityInfo = Get-HGSCapacityPlanning -HgsServer "HGS01" -PlanningHorizon 12
# Review recommendations
$capacityInfo.Recommendations
$capacityInfo.CurrentCapacity
$capacityInfo.ProjectedCapacity# Run comprehensive diagnostics
$diagnostics = Test-HGSDiagnostics -HgsServer "HGS01" -DiagnosticLevel "Comprehensive" -IncludePerformance
# Check specific areas
$diagnostics.Results.Services
$diagnostics.Results.Configuration
$diagnostics.Results.Certificates
$diagnostics.Results.Network
$diagnostics.Results.Events
$diagnostics.Results.Attestation# Analyze HGS event logs
$eventAnalysis = Get-HGSEventAnalysis -HgsServer "HGS01" -TimeRange 7 -AnalysisType "Comprehensive"
# Review patterns and issues
$eventAnalysis.Patterns
$eventAnalysis.Issues
$eventAnalysis.Recommendations# Test HGS configuration
$configTest = Test-HGSConfiguration -HgsServer "HGS01" -TestType "All"
# Review test results
$configTest.Tests.BasicConfig
$configTest.Tests.Security
$configTest.Tests.Performance# Repair HGS services
$repairResult = Repair-HGSService -HgsServer "HGS01" -RepairType "All" -Force
# Review repair actions
$repairResult.Actions
$repairResult.Success# Get troubleshooting guidance
$guide = Get-HGSTroubleshootingGuide -IssueType "Attestation" -Severity "Critical"
# Review troubleshooting steps
$guide.Steps
$guide.Commands
$guide.Resources# Deploy basic HGS server
.\Scripts\Deployment\Deploy-HGSServer.ps1 -ServerName "HGS01" -AttestationMode "TPM" -SecurityLevel "High"
# Add hosts to attestation
Add-HGSHost -HostName "HV01" -AttestationMode "TPM"
Add-HGSHost -HostName "HV02" -AttestationMode "TPM"
# Verify deployment
Get-HGSStatus -HgsServer "HGS01"# Configure multi-tenant security
Set-HGSMultiTenantSecurity -TenantName "TenantA" -IsolationLevel "High" -ResourceQuotas @{VMs=10; Storage="1TB"}
Set-HGSMultiTenantSecurity -TenantName "TenantB" -IsolationLevel "High" -ResourceQuotas @{VMs=5; Storage="500GB"}
# Configure trust boundaries
Set-HGSTrustBoundary -BoundaryName "TenantA" -BoundaryType "Tenant" -IsolationLevel "Complete"
Set-HGSTrustBoundary -BoundaryName "TenantB" -BoundaryType "Tenant" -IsolationLevel "Complete"# Configure hybrid cloud
Set-HGSHybridCloud -AzureStackEndpoint "https://azurestack.local" -OnPremisesHgsServer "HGS01" -TrustMode "Federated"
# Configure cross-cloud attestation
Set-HgsAttestationPolicy -Policy "CrossCloudFederation" -Enabled $true# Configure DoD compliance
Set-HGSGovernmentCompliance -ComplianceStandard "DoD" -SecurityLevel "High" -AuditLogging
# Configure CJIS compliance
Set-HGSGovernmentCompliance -ComplianceStandard "CJIS" -SecurityLevel "High" -AuditLogging
# Configure FedRAMP compliance
Set-HGSGovernmentCompliance -ComplianceStandard "FedRAMP" -SecurityLevel "High" -AuditLogging# Configure air-gapped environment
Set-HGSAirGappedSecurity -NetworkIsolation "Complete" -OfflineMode -LocalAttestation
# Configure offline deployment
Set-HGSOfflineDeployment -TemplatePath "C:\Templates\ShieldedVM.vhdx" -AttestationPolicy "OfflinePolicy"# Configure comprehensive monitoring
Set-HGSMonitoring -MonitoringLevel "Advanced" -LogRetention 30
# Configure alerting
Set-HGSAlerting -AlertMethods @("Email", "Webhook", "Teams") -Recipients @("admin@contoso.com", "https://webhook.contoso.com", "https://teams.contoso.com/webhook")
# Configure logging
Set-HGSLogging -LogLevel "Detailed" -LogRetention 30 -LogLocation "C:\Logs\HGS"
# Configure dashboard
Set-HGSDashboard -DashboardType "Web" -RefreshInterval 30# Run comprehensive tests
.\Tests\Test-HGS.ps1 -TestType "All"
# Test specific components
.\Tests\Test-HGS.ps1 -TestType "Core"
.\Tests\Test-HGS.ps1 -TestType "Security"
.\Tests\Test-HGS.ps1 -TestType "Monitoring"
.\Tests\Test-HGS.ps1 -TestType "Troubleshooting"- Core Functionality Tests - Basic HGS operations
- Security Tests - Attestation and security policies
- Performance Tests - Performance and capacity testing
- Integration Tests - Third-party integration testing
- Disaster Recovery Tests - DR scenario testing
Test results are saved to C:\HGS-Tests\Results\ with detailed reports and recommendations.
Complete API reference for all modules and functions:
- HGS-Core Module - Core HGS functions and operations
- HGS-Security Module - Security and attestation functions
- HGS-Monitoring Module - Monitoring and alerting functions
- HGS-Troubleshooting Module - Troubleshooting and repair functions
- Basic Deployment Guide - Step-by-step basic HGS deployment
- Advanced Deployment Guide - Complex enterprise scenarios
- Security Configuration Guide - Security best practices
- Monitoring Setup Guide - Monitoring and alerting configuration
- Troubleshooting Guide - Common issues and solutions
- Security Best Practices - Security configuration recommendations
- Performance Optimization - Performance tuning guidelines
- Disaster Recovery - DR planning and implementation
- Compliance - Regulatory compliance guidance
- Follow PowerShell best practices
- Include comprehensive error handling
- Add detailed documentation
- Include unit tests for new functions
- Follow the existing code structure
- All new functions must include unit tests
- Integration tests for complex scenarios
- Performance tests for critical functions
- Security tests for security-related functions
This project is licensed under the MIT License - see the LICENSE file for details.
- Documentation - Check the comprehensive documentation
- Examples - Review the example scripts
- Issues - Report issues on GitHub
- Discussions - Join discussions for questions and ideas
- Prerequisites - Ensure all prerequisites are met
- Permissions - Run scripts with administrator privileges
- Network - Check network connectivity and firewall rules
- Certificates - Verify certificate validity and permissions
- v1.0.0 - Initial release with all 25 enterprise scenarios
- v1.1.0 - Enhanced monitoring and alerting capabilities
- v1.2.0 - Added Zero Trust integration and advanced security features
- v1.3.0 - Improved troubleshooting tools and diagnostic capabilities
- GUI Management Console - Web-based management interface
- Advanced Analytics - Machine learning-based threat detection
- Cloud Integration - Enhanced Azure and AWS integration
- Automated Remediation - Self-healing capabilities
- Compliance Automation - Automated compliance reporting
- Performance Optimization - Enhanced performance monitoring
- Security Hardening - Additional security controls
- Disaster Recovery - Enhanced DR capabilities
- Multi-Platform Support - Linux and macOS support
- API Integration - REST API for third-party integration
Author: Adrian Johnson (adrian207@gmail.com)
For questions, issues, or contributions, please contact the author or create an issue on GitHub.