Add virtual TPM in Windows 10 Hyper-V guest with PowerShell


You may have noticed or heard that in the new release of Windows 10 build 10586 you have an option to add virtual TPM in your Hyper-V guests.


This is really interesting and opens up a whole new level when it comes to testing things that depend on a TPM chip.

I will not go into details in this post about any testing or what you can use the TPM chip for; I will just give you the PowerShell commands to enable it for a Hyper-V guest.

First I will start up my Windows Server 2012 R2 guest and show you a screenshot of the Device Manager. The TPM chip is categorized under Security devices, but as you can see it is not shown.


First of all you have to upgrade the Hyper-V configuration of the guest to version 7.0, and that is done with the PowerShell command

Update-VMVersion -VMName "Customermdt"


Just hit Y or add -Force to upgrade the guest to the latest version.

Use the Get-VM command to verify the version:

Get-VM "Customermdt"

Now you would think that you can use the Enable-VMTPM command to enable the vTPM, but it will end up with the error: "Cannot modify the selected security settings of a virtual machine without a valid key protector configured. The operation failed. Cannot modify the selected security settings of virtual machine 'XXXXX' without a valid key protector configured. Configure a valid key protector and try again."



Sooo, how do I configure a valid key protector?

First you need to generate an HGS (Host Guardian Service) key protector with these commands. Note! These commands should only be used in lab and test environments!

$owner = Get-HgsGuardian UntrustedGuardian

$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot


Then set the key protector on the virtual guest with the Set-VMKeyProtector command:

Set-VMKeyProtector -VMName "customermdt" -KeyProtector $kp.RawData

Now you can use the Enable-VMTPM command to enable the virtual TPM chip.



Fire up the virtual machine again and check out the Device Manager. Voila, there the vTPM version 2.0 is!


You can also verify it inside the guest with the PowerShell Get-Tpm command, just like you would on a physical machine!
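The whole procedure above as one lab-only script, with the checks the post does by hand (configuration version, key protector, TPM state) made explicit. This is an added example, not code from the original post; it assumes the VM name "Customermdt" from the post and a Hyper-V host running Windows 10 build 10586 or later, and it creates the UntrustedGuardian if the host does not have one yet.

```powershell
# Added example (not from the original post). Lab/test use only: the key
# protector is rooted in the host's local UntrustedGuardian certificates.
$VMName = "Customermdt"   # VM name taken from the post

$vm = Get-VM -Name $VMName -ErrorAction Stop

# A vTPM needs a Generation 2 VM, and security settings can only be changed
# while the VM is powered off.
if ($vm.Generation -ne 2) {
    throw "$VMName is Generation $($vm.Generation); a vTPM requires Generation 2."
}
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VMName -Force
}

# Step 1: configuration version 7.0 or later. -Force skips the Y/N prompt.
if ([version]$vm.Version -lt [version]'7.0') {
    Update-VMVersion -VMName $VMName -Force
}

# Step 2: the local guardian that will own the key protector. A fresh host
# may not have UntrustedGuardian yet (the Hyper-V Manager UI creates it
# silently), so create it with self-signed certificates if it is missing.
$owner = Get-HgsGuardian -Name UntrustedGuardian -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name UntrustedGuardian -GenerateCertificates
}

# Step 3: build the key protector and attach it to the VM. Without this,
# Enable-VMTPM fails with the "valid key protector" error quoted in the post.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData

# Step 4: enable the virtual TPM 2.0 device.
Enable-VMTPM -VMName $VMName

# Step 5: verify from the host before booting; TpmEnabled must now be True.
$sec = Get-VMSecurity -VMName $VMName
if (-not $sec.TpmEnabled) {
    throw "vTPM is still disabled on $VMName; check the key protector."
}
Start-VM -Name $VMName
```

Because the key protector is bound to this host's UntrustedGuardian, the VM will not start on another host unless that guardian is exported and imported there as well.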



Some resources that could be interesting; note that any example code you will find on these pages will not work!

Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host


Let me know if there is anything missing or if it's not working for you!


  1. I am trying to install Windows 11 in a Hyper-V VM on Windows 10. I have created a VM with TPM enabled,
    but when I try to boot the install ISO I get the following:

    ‘Windows-11’ failed to start.

    ‘Windows-11’ could not initialize.

    The key protector could not be unwrapped. Details are included in the HostGuardianService-Client event log.

    [Expanded Information]
    ‘Windows-11’ failed to start. (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    ‘Windows-11’ failed to start worker process: The system cannot find the file specified. (0x80070002). (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    ‘Windows-11’ could not initialize. (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    The key protector for the virtual machine ‘Windows-11’ could not be unwrapped. . Details are included in the HostGuardianService-Client event log. The system cannot find the file specified. (0x80070002). (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    I do not have isolation mode enabled, because I want to use WSL2 and Android in the new VM.

    I have been searching the web in vain to try to figure this out!!

    Get-HgsGuardian UntrustedGuardian

    Name               HasPrivateSigningKey  Signing Certificate Subject
    ----               --------------------  ---------------------------
    UntrustedGuardian  True                  CN=Shielded VM Signing Certificate (UntrustedGuardian) (LAPTOP-SJB)

    If anyone has an answer please email me, thanks 🙂


  2. I have tried this several times but no luck, TPM is not showing on the Windows Server 2012 R2 guest. The host OS is Windows 10 Pro build 19043.


  3. I'm having a problem booting my virtual machine after activating the TPM; I'm getting the error: 0xc000A002


  4. Yes sir, I enabled it as part of the process. I actually found out from my IT department that the version of Windows I am running does not support Virtual Smart Cards nor DirectAccess (so bummed). Also, the TPM chip eventually activated itself and now it is working. I can't seem to win this battle!

    Thank you for your help though! Really appreciated the follow-up.


  5. Hyper-V is already upgraded to the latest version. To double check, I still ran the upgrade-vm command, which confirmed it.

    Before I tried using PowerShell to add the TPM, I found the following article

    and used those steps to add the TPM chip. My current state is the following:
    I see the TPM in the VM Device Manager drop-down window, just like in your picture above.
    The TPM is not ready for use.
    Preparing the TPM for use in this machine fails; the VM registers the failure as hardware related.

    I then tried running your PowerShell commands; none of them failed.
    I try running the VM; the VM no longer starts.


  6. If I run the code above, my VM no longer boots. I restored it to a previous checkpoint and then it worked again. Tried twice, same result.

    I do see the TPM 2.0 device under Device Manager within the VM; however, it is not enabled for the selected virtual machine.

    If I click on Prepare, the preparation fails. It says that I need to enable the TPM hardware.

    Would you be able to help?


