Windows Server 2016 bolstered security with a guarded fabric infrastructure that includes the Host Guardian Service...
and shielded VMs, but common issues can afflict your deployment if you don't know how to use the built-in diagnostic tool.
Guarded fabric consists of one Host Guardian Service, at least one guarded host and a set of shielded VMs. Shielded VMs are encrypted Generation 2 VMs with a virtual Trusted Platform Module. Shielded VMs must originate from trusted templates and can only run on hosts that meet strict hardware and firmware standards set by the Host Guardian Service. Guarded fabric promises better security and can significantly limit the consequences of a successful attack.
Before you deploy a guarded fabric infrastructure and start operating shielded VMs with the Host Guardian Service, you should know the most common deployment mistakes and the best troubleshooting strategies to address them. Windows Server introduced guarded fabric and Host Guardian Service in 2016, so some of these techniques aren't yet well-known.
Microsoft provides a guarded fabric diagnostic tool to identify and fix failures that happen during a guarded fabric infrastructure and Host Guardian Service deployment. As is the case with other roles and services, Microsoft provides the necessary PowerShell cmdlets to aid the guarded fabric troubleshooting process.
You can use the Get-HgsTrace, Hgs-Diagnostics and Get-HgsFileData cmdlets to collect details from a guarded fabric host, but the examples below focus on Get-HgsTrace, which provides the necessary diagnosis data for troubleshooting.
If you encounter any deployment issues after installing guarded fabric and the Host Guardian Service, execute the Get-HgsTrace -RunDiagnostics PowerShell command on the Hyper-V host. The command runs a thorough check of the Hyper-V host, finds any known failures and reports them.
In this example, the Get-HgsTrace command reported the common failure that a pending restart was necessary to activate the new policy. This is a known failure that the PowerShell cmdlet can identify and report.
One of the other common failures you might see is if the current Hyper-V host isn't part of an authorized host group.
The Get-HgsTrace -RunDiagnostics -Detailed PowerShell command provides a detailed report of all the common failures it detects. The command identifies the role of the current host and reports any failures on the screen.
By default, Get-HgsTrace diagnoses local hosts. You can diagnose a remote server by executing the PowerShell commands below:
As you can see in the commands above, you must create a connection to the target Hyper-V host by using the New-HgsTraceTarget PowerShell cmdlet. The next command connects to the target specified in the $ThisHost variable and retrieves the diagnostics data. Note that it prompts you to enter the credentials on the target host before it collects the data.
You can also diagnose multiple targets by separating additional targets with commas.
The New-HgsTraceTarget PowerShell command -- in its own PowerShell variable -- creates the connection to each target, and then the Get-HgsTrace command uses these variables to report the diagnosis data.
After deploying a guarded fabric infrastructure and the Host Guardian Service, you must be ready to troubleshoot any common failures. The Get-HgsTrace PowerShell cmdlet is able to identify common failures and report on them from local and target hosts. The diagnosis data Get-HgsTrace provides is easily readable, and you can use it to fix issues quickly.