AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam
Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!
Practice Test
Intermediate
Configure a guarded fabric and shielded VMs
Implement Host Guardian Service and Attestation
The Host Guardian Service (HGS) is central to protecting virtual machines by providing attestation of Hyper-V hosts. This service ensures hosts are trusted before activating shielded VMs and checks that each host meets strict security requirements. Attestation confirms that only approved hardware and software configurations are used. By validating hosts, HGS prevents unauthorized or compromised servers from running sensitive workloads. Shielded VMs rely on this process to maintain integrity and confidentiality.
Creating a guarded fabric involves deploying HGS clusters in either TPM-baseline or TPM-attestation modes. TPM-baseline verifies basic hardware presence, while TPM-attestation uses additional secure measurements to strengthen host validation. Key configuration steps include:
- Deploying HGS clusters in the chosen attestation mode
- Configuring key protection policies to secure encryption keys
- Integrating Hyper-V hosts into the guarded fabric for shielded VM operations
These steps establish a trusted environment where shielded VMs can operate securely.
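The three configuration steps above, carried through in PowerShell as an added example (not code from the page or from Microsoft's documentation, though the cmdlets are the standard HGS and Hyper-V ones). It stands up an HGS node in TPM-based attestation mode (the stronger mode the text describes), captures a reference host's TPM identity, boot baseline and code-integrity policy, registers them with HGS, and then checks a guarded host's attestation status. The domain name `bastion.contoso.test`, the host name `HV01`, the `C:\hgs-setup` folder and the certificate file names are constructed for the example.

```powershell
# Added example: build a guarded fabric with TPM-based attestation and verify a host.
# Constructed values: $hgsDomain, host 'HV01', C:\hgs-setup and the PFX file names.

#region 1) On the HGS server (fresh Windows Server, not yet domain-joined)
$hgsDomain = 'bastion.contoso.test'          # constructed: HGS lives in its own forest
$workDir   = 'C:\hgs-setup'
$certPwd   = Read-Host -AsSecureString 'Password for signing/encryption PFX files'
$dsrmPwd   = Read-Host -AsSecureString 'Safe-mode administrator password'

Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools
# Creates the dedicated HGS forest and reboots; continue below after the restart.
Install-HgsServer -HgsDomainName $hgsDomain -SafeModeAdministratorPassword $dsrmPwd -Restart

# -TrustTpm selects TPM-based attestation: a host must prove its TPM identity,
# boot measurements and code-integrity policy before HGS releases any VM key.
Initialize-HgsServer -HgsServiceName 'hgs' `
    -SigningCertificatePath    (Join-Path $workDir 'signing.pfx')    -SigningCertificatePassword    $certPwd `
    -EncryptionCertificatePath (Join-Path $workDir 'encryption.pfx') -EncryptionCertificatePassword $certPwd `
    -TrustTpm

Get-HgsTrace -RunDiagnostics        # fail early if the HGS install itself is unhealthy
#endregion

#region 2) On the reference Hyper-V host HV01 (TPM 2.0, UEFI, Secure Boot enabled)
# a) TPM identity (EKpub) of this particular host
(Get-PlatformIdentifier -Name 'HV01').InnerXml | Out-File 'C:\hgs-setup\HV01.xml' -Encoding UTF8
# b) TPM baseline: the boot measurements HGS will expect from hosts of this hardware class
Get-HgsAttestationBaselinePolicy -Path 'C:\hgs-setup\HW-class-A.tcglog' -SkipValidation
# c) Code-integrity policy describing the software allowed on the host
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -FilePath 'C:\hgs-setup\HW-class-A-ci.xml'
ConvertFrom-CIPolicy -XmlFilePath 'C:\hgs-setup\HW-class-A-ci.xml' -BinaryFilePath 'C:\hgs-setup\HW-class-A-ci.p7b'
# Copy the three artifacts to the HGS server before the next region.
#endregion

#region 3) Back on the HGS server: register host identity, baseline and CI policy
Add-HgsAttestationTpmHost   -Path 'C:\hgs-setup\HV01.xml'          -Name 'HV01'
Add-HgsAttestationTpmPolicy -Path 'C:\hgs-setup\HW-class-A.tcglog' -Name 'HW-class-A'
Add-HgsAttestationCIPolicy  -Path 'C:\hgs-setup\HW-class-A-ci.p7b' -Name 'HW-class-A-ci'
#endregion

#region 4) On each guarded host: point the HGS client at the service and attest
Install-WindowsFeature -Name HostGuardian -IncludeManagementTools
Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://hgs.$hgsDomain/Attestation" `
    -KeyProtectionServerUrl "http://hgs.$hgsDomain/KeyProtection"

# AttestationStatus must be 'Passed'. Any other value means the host gets no VM keys
# and cannot start shielded VMs; the substatus names the failing policy.
$client = Get-HgsClientConfiguration
if ($client.AttestationStatus -ne 'Passed') {
    Write-Warning "Host not attested: $($client.AttestationStatus) / $($client.AttestationSubstatus)"
    Test-HgsClientConfiguration
}
#endregion
```

The script is split into regions because the steps run on different machines and `Install-HgsServer` reboots the HGS node halfway through; in production HGS is a multi-node cluster and the signing and encryption certificates come from an HSM or internal CA rather than loose PFX files. A host whose firmware, boot configuration or installed software drifts from the registered baseline or CI policy will move from `Passed` to a failing status on its next attestation, which is exactly the signal to alert on.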
Azure enhances security with advanced VM placement algorithms that prevent co-residency attacks by keeping untrusted and sensitive VMs on separate hosts. The Azure Fabric Controller enforces isolation by managing infrastructure resources and ensuring unidirectional communication from hosts to VMs. Network traffic is segmented with VLANs to keep trusted and untrusted systems apart. Memory and process separation further protect each VM from side-channel attacks. These measures work together to create a layered defense against various threats.
Shielded VMs rely on continuous attestation policies to confirm host integrity before and during operation. Administrators can deploy shielded VMs using PowerShell, Azure CLI, or ARM templates for consistency and automation. Built-in features like secure boot and vTPM ensure that the VM’s boot process is validated and tamper-proof. Integration with Microsoft Defender for Cloud provides real-time monitoring, alerts, and ongoing compliance checks. Together, these protections keep sensitive workloads safe in hybrid environments.
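How the PowerShell deployment path looks in practice, as an added example that is not code from the page: it creates the owner and fabric guardians, builds a key protector, applies it to an existing Generation 2 VM together with vTPM, Secure Boot and the shielded policy, and then shows the attestation-dependent start. The HGS address `hgs.bastion.contoso.test`, the VM name `FIN-SQL01`, the guardian names and the `C:\hgs-setup` path are constructed for the example.

```powershell
# Added example: shield a Gen 2 VM on a guarded host and verify the result.
# Constructed values: $hgsKps, $vmName, guardian names 'FinanceOwner'/'ProdFabric', C:\hgs-setup.
$hgsKps = 'http://hgs.bastion.contoso.test/KeyProtection'
$vmName = 'FIN-SQL01'

# 1) Owner guardian: the tenant identity that owns the VM's keys. Create once, keep safe.
$owner = Get-HgsGuardian -Name 'FinanceOwner' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'FinanceOwner' -GenerateCertificates
}

# 2) Fabric guardian: the HGS key protection service's public metadata. Only hosts that
#    pass attestation against that HGS can use it to unwrap the VM's keys.
Invoke-WebRequest -Uri "$hgsKps/service/metadata/2014-07/metadata.xml" -OutFile 'C:\hgs-setup\HGSGuardian.xml'
$fabric = Get-HgsGuardian -Name 'ProdFabric' -ErrorAction SilentlyContinue
if (-not $fabric) {
    # -AllowUntrustedRoot is only for labs where HGS uses self-signed certificates.
    $fabric = Import-HgsGuardian -Path 'C:\hgs-setup\HGSGuardian.xml' -Name 'ProdFabric' -AllowUntrustedRoot
}

# 3) Key protector = owner guardian + the fabric(s) allowed to run this VM.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

# 4) Apply to the VM (Generation 2, powered off): key protector first, then vTPM,
#    Secure Boot, and finally the shielded security policy.
Stop-VM -Name $vmName -Force -ErrorAction SilentlyContinue
Set-VMKeyProtector   -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM         -VMName $vmName
Set-VMFirmware       -VMName $vmName -EnableSecureBoot On
Set-VMSecurityPolicy -VMName $vmName -Shielded $true

# 5) Verify the VM state and the host's attestation state side by side.
$sec = Get-VMSecurity -VMName $vmName
$att = Get-HgsClientConfiguration
[pscustomobject]@{
    VM              = $vmName
    Shielded        = $sec.Shielded
    TpmEnabled      = $sec.TpmEnabled
    HostAttestation = $att.AttestationStatus
}

# A host that has not passed attestation cannot obtain the VM's key, so Start-VM fails
# with an error from the Hyper-V key protection path rather than booting the VM.
try {
    Start-VM -Name $vmName -ErrorAction Stop
} catch {
    Write-Warning "Start refused for $vmName on this host: $($_.Exception.Message)"
}
```

Once `Shielded` is `True`, console access, PowerShell Direct and similar host-side paths into the VM are blocked by policy, and the VM's virtual disk is encrypted under the key the protector wraps, which is why a host that fails attestation simply cannot start it. For new VMs the same key protector is supplied through a shielding data (PDK) file, and the equivalent ARM template or Azure CLI deployment expresses the same owner/fabric trust relationship declaratively.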
Conclusion
This section covered how to set up a guarded fabric using the Host Guardian Service and apply attestation to verify Hyper-V hosts. You learned the differences between TPM-baseline and TPM-attestation modes and how to configure key protection and host integration. We also explored advanced security techniques like VM placement algorithms, VLAN isolation, and unidirectional communication enforced by the Azure Fabric Controller. Finally, you saw how shielded VMs leverage attestation policies, secure boot, and monitoring tools to maintain a strong security posture in Azure.