How should the Host Guardian Service (HGS) be hosted

Learn the best way to host the Host Guardian Service

John Savill

June 1, 2016


Q. How should I host the Host Guardian Service (HGS) instance?

A. The Host Guardian Service (HGS) holds the keys to the security of your shielded VMs, which means how you host it is very important. It needs to be highly available, because without it no shielded VMs can start, and it should ideally be isolated from the virtualization administrators to enable complete separation of duties.

The HGS cannot itself be a shielded VM: a shielded VM needs the HGS to be available in order to start, and the HGS would not be available because it is the VM that has not started yet (a chicken-and-egg situation similar to the one failover clustering used to have with AD).

The best practice is therefore to host the HGS in a separate physical cluster. This keeps it separate from the virtualization environment and also allows it to be hardened with additional levels of physical security, such as a locked cage guarded by a 7-foot MMA fighter named Olaf.
