Initialize the HGS cluster using AD mode in an existing bastion forest

Important

Admin-trusted attestation (AD mode) is deprecated beginning with Windows Server 2019. For environments where TPM attestation is not possible, configure host key attestation. Host key attestation provides similar assurance to AD mode and is simpler to set up.

Active Directory Domain Services will be installed on the machine, but should remain unconfigured.

Locate your HGS guardian certificates. You will need one signing certificate and one encryption certificate to initialize the HGS cluster. The easiest way to provide certificates to HGS is to create a password-protected PFX file for each certificate which contains both the public and private keys. If you are using HSM-backed keys or other non-exportable certificates, make sure the certificate is installed into the local machine's certificate store before continuing. For more information about which certificates to use, see Obtain certificates for HGS.

Before you continue, ensure that you have prestaged your cluster objects for the Host Guardian Service and granted the logged in user Full Control over the VCO and CNO objects in Active Directory. The virtual computer object name needs to be passed to the -HgsServiceName parameter, and the cluster name to the -ClusterName parameter.

Tip

Double check your AD Domain Controllers to ensure your cluster objects have replicated to all DCs before continuing.

If you are using PFX-based certificates, run the following commands on the HGS server:

$signingCertPass = Read-Host -AsSecureString -Prompt "Signing certificate password"
$encryptionCertPass = Read-Host -AsSecureString -Prompt "Encryption certificate password"

Install-ADServiceAccount -Identity 'HGSgMSA'

Initialize-HgsServer -UseExistingDomain -ServiceAccount 'HGSgMSA' -JeaReviewersGroup 'HgsJeaReviewers' -JeaAdministratorsGroup 'HgsJeaAdmins' -HgsServiceName 'HgsService' -ClusterName 'HgsCluster' -SigningCertificatePath '.\signCert.pfx' -SigningCertificatePassword $signPass -EncryptionCertificatePath '.\encCert.pfx' -EncryptionCertificatePassword $encryptionCertPass -TrustActiveDirectory

If you are using certificates installed on the local machine (such as HSM-backed certificates and non-exportable certificates), use the -SigningCertificateThumbprint and -EncryptionCertificateThumbprint parameters instead.

Next step