Azure Confidential VM Attestation - Windows


1.0 Introduction

This article describes the procedure for completing the attestation workflow for an Azure Confidential Virtual Machine (CVM) using Fortanix Confidential Computing Manager (CCM) in Windows-based environments.

After configuring the application and image in Fortanix CCM and registering the required Platform Configuration Register (PCR) values, the Azure CVM must run the Fortanix Attestation Client for Windows to establish trust and register itself as an approved compute instance.

2.0 Prerequisites

Before proceeding, ensure the following:

  • The Fortanix Azure CVM Attestation Client binary has been downloaded from here.

  • The Azure CVM has been deployed and is accessible.

  • A Fortanix CCM application and its associated image have been created and approved.

  • PCR values collected from the Azure CVM environment have been mapped to the image in Fortanix CCM. For more information on Azure VM creation and PCR extraction, refer to Azure Confidential VM Setup - Windows.

  • Network access exists between the Azure CVM and Fortanix CCM endpoint.

  • You have access to the following configuration values:

    • Fortanix CCM tenant URL

    • Join token

NOTE

Attestation cannot proceed if the application image has not been approved in Fortanix CCM.

3.0 Configure Execution Permissions

The Fortanix Azure CVM Attestation Client for Windows must be executed from an elevated PowerShell session because it requires administrative privileges to access the TPM and write attestation artifacts.

Perform the following steps:

  1. On the Azure Windows CVM, open PowerShell as an Administrator.

  2. If you are using a Windows Server version with a graphical user interface (GUI), right-click Windows PowerShell and select Run as administrator.

    NOTE

    On Windows Server Core (no GUI), commands are typically run from an Administrator-elevated cmd.exe session. In this case, run powershell.exe to enter Windows PowerShell; the session is usually already running with Administrator privileges.

  3. Run the following command to verify that the current session has administrative privileges:

    (New-Object Security.Principal.WindowsPrincipal( 
        [Security.Principal.WindowsIdentity]::GetCurrent() 
    )).IsInRole( 
        [Security.Principal.WindowsBuiltInRole]::Administrator 
    ) 

    Output:

    • If the command returns True, the PowerShell session has Administrator privileges.

    • If the command returns False, you are not running as an administrator. To gain administrator access, close this PowerShell window and reopen it using “Run as Administrator”.

4.0 Configure Environment Variables

The Fortanix Attestation Client uses the following environment variables to determine where to write output and how to connect to the Fortanix CCM service:

NOTE

The JOIN_TOKEN is mandatory. Without it, the node will not register with Fortanix CCM. The FORTANIX_CLIENT_OUTPUT_DIR is also required, as there is no default output location for the generated files.

  Environment Variable          Default Value              Description
  ----------------------------  -------------------------  ------------------------------------------------------------------
  FORTANIX_CLIENT_OUTPUT_DIR    unset                      Directory in which the client writes key.pem and cert.pem after
                                                           successful attestation. Required.
  RUST_LOG                      ERROR                      Logging verbosity. Set to DEBUG, ERROR, WARN, INFO, TRACE, or OFF.
  MANAGER_ENDPOINT              https://ccm.fortanix.com   Fortanix CCM service endpoint for the attestation request.
                                                           NOTE: The value must begin with https://
  JOIN_TOKEN                    unset                      Must be set to the join token generated in Fortanix CCM. Required.

In your PowerShell session, run the following commands to configure the environment variables. Variables set with $env: apply to the current session only, so set them in the same elevated session in which you will run the client:

$env:FORTANIX_CLIENT_OUTPUT_DIR="<Desired output directory for key and certificate>" 
$env:JOIN_TOKEN="<JOIN TOKEN VALUE>" 

Where,

  • <JOIN TOKEN VALUE> : The join token you generated from Fortanix CCM. Treat it as a secret; it is what authenticates the node to Fortanix CCM.

  • <Desired output directory for key and certificate> : The desired output directory path where the Fortanix Attestation Client will save the key and certificate file.

Optionally, configure logging and a custom Fortanix CCM endpoint:

$env:RUST_LOG="<log_level>" 
$env:MANAGER_ENDPOINT="<URL of CCM instance>" 

Where,

  • <log_level> : Sets the logging verbosity, such as DEBUG, ERROR, WARN, INFO, TRACE, or OFF.

  • <URL of CCM instance> : The Fortanix CCM endpoint, which must begin with https://. For example, https://ccm.fortanix.com.
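The following PowerShell function is an added example and is not part of the Fortanix article or the attestation client itself. It wraps the variable assignments above with the checks the table implies: a non-empty join token, an output directory that exists before the client needs it, an https:// endpoint, and a RUST_LOG value from the documented set. The function name, parameter names and the masked echo of the token are assumptions made for this example.

```powershell
# Added example (not from the Fortanix article): validate and set the
# attestation client's environment variables before running it.
# Function and parameter names are assumptions made for this example.
function Set-FortanixAttestationEnv {
    param(
        [Parameter(Mandatory)] [string] $JoinToken,
        [Parameter(Mandatory)] [string] $OutputDir,
        [string] $ManagerEndpoint = 'https://ccm.fortanix.com',
        [ValidateSet('DEBUG', 'ERROR', 'WARN', 'INFO', 'TRACE', 'OFF')]
        [string] $LogLevel = 'ERROR'
    )

    # JOIN_TOKEN is mandatory; reject blank values and unreplaced placeholders.
    if ([string]::IsNullOrWhiteSpace($JoinToken) -or $JoinToken -like '<*>') {
        throw 'JOIN_TOKEN must be the join token copied from Fortanix CCM.'
    }

    # The client has no default output location. Create the directory now so
    # the run cannot fail at the very end, after attestation has completed.
    $resolved = [System.IO.Path]::GetFullPath($OutputDir)
    if (-not (Test-Path -LiteralPath $resolved -PathType Container)) {
        New-Item -ItemType Directory -Path $resolved -Force | Out-Null
    }

    # MANAGER_ENDPOINT must begin with https://; an http:// value would send
    # the join token and the attestation evidence in cleartext.
    if ($ManagerEndpoint -notmatch '^https://') {
        throw "MANAGER_ENDPOINT must begin with https:// (got '$ManagerEndpoint')."
    }

    $env:JOIN_TOKEN                 = $JoinToken
    $env:FORTANIX_CLIENT_OUTPUT_DIR = $resolved
    $env:MANAGER_ENDPOINT           = $ManagerEndpoint
    $env:RUST_LOG                   = $LogLevel

    # Echo the configuration with the token masked, so it never lands in a
    # console transcript or log. Only the last four characters are shown.
    $tail = $JoinToken.Substring([Math]::Max(0, $JoinToken.Length - 4))
    [pscustomobject]@{
        FORTANIX_CLIENT_OUTPUT_DIR = $env:FORTANIX_CLIENT_OUTPUT_DIR
        MANAGER_ENDPOINT           = $env:MANAGER_ENDPOINT
        RUST_LOG                   = $env:RUST_LOG
        JOIN_TOKEN                 = ('*' * 8) + $tail
    }
}

# Usage: prompt for the token so it does not end up in the command history.
# The output directory below is a placeholder path chosen for this example.
$token = Read-Host -Prompt 'Join token from Fortanix CCM'
Set-FortanixAttestationEnv -JoinToken $token -OutputDir 'C:\fortanix\attestation' -LogLevel 'INFO'
```

Reading the token with Read-Host keeps it out of the PowerShell history file; the function still stores it in $env:JOIN_TOKEN because that is the only way the client reads it.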

5.0 Generate Join Token from Fortanix CCM

Perform the following steps to generate a Join Token from Fortanix CCM and register the node.

  1. Log in to https://ccm.fortanix.com.

  2. Click Infrastructure > Compute Nodes in the menu and click + ADD NODE on the Compute Nodes page.

    Figure 1: Enroll Compute Node

  3. In the ENROLL COMPUTE NODE window, a Join Token will be generated in the text box for "Get a join token to register a compute node". This Join Token is used by the compute node to authenticate itself.

    Figure 2: Join token generated

  4. Click COPY to copy the Join Token.

6.0 Run the Attestation Client

After configuring the environment variables, run the Fortanix Attestation Client for Windows to perform attestation.

Perform the following steps in a PowerShell session:

  1. Run the following command to install the CVM Attestation Client:

    .\CVMAttestationClientSetup.exe /quiet /norestart /log "C:\Users\<user>\install.log"

  2. Navigate to the C:\Program Files\Fortanix\CVMAttestationClient directory.

  3. Run the following command to execute the client:

    .\ccm_attestation_client_azurecvm.exe 

    If the client runs successfully:

    • No error messages are displayed in the console.

    • The directory specified in FORTANIX_CLIENT_OUTPUT_DIR contains two files:

      • key.pem - The private key generated during attestation.

      • cert.pem - The certificate generated during attestation.

    NOTE

    If an error occurs during execution, verify the following:

    • The PowerShell session is running as Administrator.

    • The JOIN_TOKEN and FORTANIX_CLIENT_OUTPUT_DIR environment variables are set correctly.

    • The Azure Windows CVM can reach the Fortanix CCM endpoint configured in MANAGER_ENDPOINT.

    • To obtain additional error details, set the RUST_LOG environment variable to INFO.

The attestation process begins automatically. During this time, the client collects platform evidence, verifies signatures, and submits measurements to Fortanix CCM. The process may take several minutes, depending on the compute environment and network conditions.
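The following PowerShell function is an added example and is not part of the Fortanix article or the attestation client. It runs the client as described in steps 2 and 3 above and then checks what the article says a successful run produces: a clean exit and non-empty key.pem and cert.pem files in FORTANIX_CLIENT_OUTPUT_DIR. The function name is an assumption, the article does not document the client's exit codes (a non-zero code is treated as failure here on the usual convention), and the ACL tightening on key.pem is a hardening step added in this example rather than a requirement of the procedure.

```powershell
# Added example (not from the Fortanix article): run the attestation client
# and verify its outputs. The install path and executable name come from the
# procedure above; the function name and exit-code handling are assumptions.
function Invoke-FortanixAttestation {
    param(
        [string] $ClientDir = 'C:\Program Files\Fortanix\CVMAttestationClient',
        [string] $ClientExe = 'ccm_attestation_client_azurecvm.exe'
    )
    # Native stderr is merged below; with ErrorActionPreference=Stop, Windows
    # PowerShell 5.1 would turn the first stderr line into a terminating error.
    $ErrorActionPreference = 'Continue'

    # Preconditions from sections 3 and 4: elevation and the required variables.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    foreach ($name in 'JOIN_TOKEN', 'FORTANIX_CLIENT_OUTPUT_DIR') {
        if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
            throw "$name is not set in this session."
        }
    }

    $exe = Join-Path $ClientDir $ClientExe
    if (-not (Test-Path -LiteralPath $exe)) { throw "Client not found at $exe." }

    # Run the client from its own directory, as the procedure does, capturing
    # stdout and stderr so a failure message survives even at RUST_LOG=ERROR.
    Push-Location -LiteralPath $ClientDir
    try {
        $output   = & $exe 2>&1
        $exitCode = $LASTEXITCODE
    } finally {
        Pop-Location
    }
    if ($exitCode -ne 0) {
        foreach ($line in $output) { Write-Warning ("$line") }
        throw "Attestation client exited with code $exitCode."
    }

    # A zero exit code is not enough: both artifacts must exist and be non-empty.
    $outDir = $env:FORTANIX_CLIENT_OUTPUT_DIR
    $paths  = [ordered]@{}
    foreach ($file in 'key.pem', 'cert.pem') {
        $path = Join-Path $outDir $file
        if (-not (Test-Path -LiteralPath $path) -or (Get-Item -LiteralPath $path).Length -eq 0) {
            throw "Expected $path after attestation, but it is missing or empty."
        }
        $paths[$file] = $path
    }

    # key.pem is the node's private key. Strip inherited ACEs (which typically
    # grant BUILTIN\Users read access) and leave only SYSTEM and Administrators.
    # This hardening is added in this example; the article does not require it.
    icacls $paths['cert.pem'] | Out-Null
    icacls $paths['key.pem'] /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null

    [pscustomobject]$paths
}

# Usage: run in the same elevated session in which the variables were set.
Invoke-FortanixAttestation
```

If the client fails, the captured output is emitted as warnings before the function throws, which is usually faster than re-running with RUST_LOG raised; raise RUST_LOG to INFO and re-run only if those lines are not enough.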

Figure 3: Evidence and certificate are fetched

7.0 Verify Attestation Status in Fortanix CCM

After the attestation client has completed execution, verify the attestation result in Fortanix CCM by confirming that the attestation certificate is available for download.

Perform the following steps to download the certificate:

  1. Log in to Fortanix CCM.

  2. Navigate to Applications > your CVM application > IMAGES tab.

  3. Click the overflow menu next to the image entry and select VIEW CERTIFICATE.

    Figure 4: View certificates

  4. Download the certificate and verify that it is valid, for example that the current time falls within its validity period.

    Figure 5: Download the certificate

Attestation is considered successful when the attestation certificate appears and is available for download. This confirms that the hardware measurements match the PCR values configured for the image in Fortanix CCM.
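The following PowerShell function is an added example and is not part of the Fortanix article. It parses a PEM certificate, whether the cert.pem written to FORTANIX_CLIENT_OUTPUT_DIR in section 6 or the copy downloaded from Fortanix CCM in this section, and reports the fields a practitioner checks first: subject, issuer, validity window and thumbprint. The function name is an assumption, and because the article does not document the certificate's contents or the format of key.pem, the key check below only confirms that key.pem holds PEM-armoured private key material.

```powershell
# Added example (not from the Fortanix article): inspect the attestation
# certificate and check its validity period. Function name is an assumption.
function Test-FortanixAttestationCert {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [string] $KeyPath
    )

    # PEM is base64-encoded DER between BEGIN/END markers. Strip the armour
    # by hand so this works on Windows PowerShell 5.1 as well as PowerShell 7.
    $pem = Get-Content -LiteralPath $CertPath -Raw
    if ($pem -notmatch '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----') {
        throw "$CertPath does not contain a PEM-encoded certificate."
    }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    # The leading comma passes the byte[] as a single constructor argument.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # Validity check: the current time must fall within [NotBefore, NotAfter].
    $now   = [DateTime]::Now
    $valid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Optional sanity check on key.pem: PEM private-key armour only. The key
    # format is not documented, so no key/certificate match is attempted here.
    $keyOk = $null
    if ($KeyPath) {
        $keyOk = (Get-Content -LiteralPath $KeyPath -Raw) -match '-----BEGIN [A-Z ]*PRIVATE KEY-----'
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotBefore         = $cert.NotBefore
        NotAfter          = $cert.NotAfter
        Thumbprint        = $cert.Thumbprint
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        CurrentlyValid    = $valid
        KeyFileLooksValid = $keyOk
    }
}

# Usage against the files the client wrote in section 6:
$outDir = $env:FORTANIX_CLIENT_OUTPUT_DIR
Test-FortanixAttestationCert -CertPath (Join-Path $outDir 'cert.pem') -KeyPath (Join-Path $outDir 'key.pem')

# Usage against a certificate downloaded from Fortanix CCM (placeholder path):
Test-FortanixAttestationCert -CertPath 'C:\Users\<user>\Downloads\cert.pem'
```

Comparing the Thumbprint of the local cert.pem with that of the certificate downloaded from Fortanix CCM is a quick way to confirm that the certificate shown in the console belongs to this node's run; CurrentlyValid should be True for both.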
