Windows 2025 support
The Host Guardian Service (HGS) feature is deprecated and unsupported on Windows Server 2025. If you need HGS, you must use Windows Server 2022 Datacenter or earlier.
When you attempt to configure attestation on the guarded host by running the following command:
Set-HgsClientConfiguration -AttestationServerUrl URL -KeyProtectionServerUrl URL
The following error occurs:
Set-HgsClientConfiguration -AttestationServerUrl 'https://hgs.hgs.local/Attestation' -KeyProtectionServerUrl 'https://hgs.hgs.local/KeyProtection'
Invoke-CimMethod : Using this operation in SHS mode is unsupported for this version of Windows.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\HgsClient\HgsClient.psm1:449 char:18
+ ... (Invoke-CimMethod -Namespace Root\Microsoft\Windows\Hgs -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Root\Microsoft\...ntConfiguration:String) [Invoke-CimMethod], CimException
+ FullyQualifiedErrorId : Windows System Error -2147467259,Microsoft.Management.Infrastructure.CimCmdlets.
The error "Invoke-CimMethod : Using this operation in SHS mode is unsupported for this version of Windows" indicates that Windows Server 2025 has changed or removed support for classic Host Guardian Service (HGS) Shielded VM mode, also referred to internally as SHS (Shielded Host Support).
Windows Server 2025 introduces major security platform changes:
- Host Guardian Service (HGS) is deprecated
- Shielded VMs are being replaced by Secured-core / vTPM / VBS models
- Several PowerShell cmdlets under HgsClient and HgsServer are retired or non-functional
This is why these commands work on Windows Server 2019 and Windows Server 2022 but fail on Windows Server 2025, where Microsoft has removed or blocked SHS/HGS functionality.
The command fails because it internally uses CIM calls to Root\Microsoft\Windows\Hgs.
This namespace still exists, but several methods are stubbed or disabled.
HGS client mode (-Mode HostGuardianService) is no longer supported.
Windows logs this internally as "SHS mode is unsupported for this version of Windows".
This is a Windows OS behavior change, not an nShield integration issue.
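A pre-flight check for the failure described above, as an added example that is not part of the original page or of any vendor tooling. The function name Test-HgsClientPreflight is hypothetical, and the script assumes that Windows Server 2025 reports build number 26100 or higher; the URLs are the ones from the failing command above.

```powershell
# Added example: check the host before attempting guarded-host configuration.
# Assumption: Windows Server 2025 reports build number 26100 or higher.
function Test-HgsClientPreflight {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AttestationServerUrl,
        [Parameter(Mandatory)] [string] $KeyProtectionServerUrl,
        [switch] $Apply   # only call Set-HgsClientConfiguration when requested
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result = [ordered]@{
        Caption          = $os.Caption
        Build            = [int]$os.BuildNumber
        HgsClientPresent = [bool](Get-Command Set-HgsClientConfiguration -ErrorAction SilentlyContinue)
        Supported        = $false
        Detail           = ''
    }

    if (-not $result.HgsClientPresent) {
        $result.Detail = 'HgsClient cmdlets are not available on this host.'
    }
    elseif ($result.Build -ge 26100) {
        # Fail early instead of hitting the CIM error from Root\Microsoft\Windows\Hgs.
        $result.Detail = 'Build indicates Windows Server 2025 or later: HGS is unsupported; use Windows Server 2022 or earlier.'
    }
    else {
        $result.Supported = $true
        if ($Apply) {
            try {
                Set-HgsClientConfiguration -AttestationServerUrl $AttestationServerUrl `
                    -KeyProtectionServerUrl $KeyProtectionServerUrl -ErrorAction Stop | Out-Null
                $result.Detail = 'Configuration applied.'
            }
            catch {
                # Recognise the OS-level rejection even if the build check was passed.
                $result.Supported = $false
                $shs = $_.Exception.Message -match 'SHS mode is unsupported'
                $result.Detail = if ($shs) { 'OS rejected the call: SHS mode is unsupported.' }
                                 else { "Set-HgsClientConfiguration failed: $($_.Exception.Message)" }
            }
        }
    }
    [pscustomobject]$result
}

Test-HgsClientPreflight -AttestationServerUrl 'https://hgs.hgs.local/Attestation' `
    -KeyProtectionServerUrl 'https://hgs.hgs.local/KeyProtection'
```

Without -Apply the function only reports whether the host is a candidate for HGS client configuration; with -Apply it runs the configuration and classifies any failure.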
Microsoft is shifting away from HGS and shielded VMs and the HGS model is now obsolete. It is replaced by:
- vTPM provisioning through Host Key Attestation
- Secured-core server
- VBS + HVCI
- Azure-based attestation models
- Key release through TPM-backed trust
For TPM-based attestation, Windows Server 2025 supports:
- TPM 2.0 attestation
- vTPM provisioning via Hyper-V
- Secure Launch
- Key release policies integrated with VBS