Add virtual TPM in Windows 10 Hyper-V guest with PowerShell

You may have noticed or heard that in the new release of Windows 10, build 10586, you have the option to add a virtual TPM (vTPM) to your Hyper-V guests.


This is really interesting and opens up a whole new level of testing for anything that depends on a TPM chip (BitLocker, virtual smart cards, Credential Guard and so on).

In this post I won't go into detail about that testing or what you can use the TPM for; I'll just give you the PowerShell commands to enable it for a Hyper-V guest.

First I start up my Windows Server 2012 R2 guest and look at Device Manager. A TPM is categorized under Security devices, but as you can see there is none shown yet.


First of all you have to upgrade the guest's Hyper-V configuration version to 7.0. The VM must be turned off, and the upgrade is one-way (the VM can no longer be moved to a host running an older Hyper-V). It is done with the PowerShell command

Update-VMVersion -VMName "Customermdt"


Just hit Y or add -Force to upgrade the guest to the latest version.

Use the Get-VM command to verify the version (look at the Version column):

Get-VM "Customermdt"

Now you would think that you can use the Enable-VMTPM command to enable the vTPM, but it ends with the error: "Cannot modify the selected security settings of a virtual machine without a valid key protector configured. The operation failed. Cannot modify the selected security settings of virtual machine 'XXXXX' without a valid key protector configured. Configure a valid key protector and try again." The reason is that the vTPM's state is stored encrypted, and the key that protects it is wrapped inside the VM's key protector, so a key protector has to exist before the vTPM can be enabled.


Sooo, how do I configure a valid key protector?

First you need to generate a key protector for the Host Guardian Service (HGS) with these commands. Note! These commands should only be used in lab and test environments: the UntrustedGuardian is a locally generated, self-signed guardian, -AllowUntrustedRoot accepts that untrusted certificate, and there is no attestation of the host, so anyone holding the host's guardian private key can unwrap the vTPM state. If Get-HgsGuardian returns nothing on your host, create the guardian first with New-HgsGuardian -Name UntrustedGuardian -GenerateCertificates.

$owner = Get-HgsGuardian UntrustedGuardian

$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot


Then set the key protector on the guest with the Set-VMKeyProtector command:

Set-VMKeyProtector -VMName "Customermdt" -KeyProtector $kp.RawData

Now, with the VM still turned off, you can use the Enable-VMTPM command to enable the virtual TPM.


Fire up the virtual machine again and check Device Manager: voilà, there is the vTPM, a Trusted Platform Module 2.0!


Inside the guest you can also verify it with the PowerShell Get-Tpm command, just like you would on a physical machine (TpmPresent and TpmReady should both be True).
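To tie the steps above together, here is the whole procedure as one PowerShell function. This is an example added to this post, not code from the original post. It assumes a VM named "Customermdt" that is already turned off, falls back to creating the UntrustedGuardian when the host does not have one yet (the situation one of the comments below ran into), and only runs the host-side Get-VMSecurity check when that cmdlet exists on the build.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# LAB ONLY. The "UntrustedGuardian" is a self-signed, locally generated guardian and
# -AllowUntrustedRoot accepts it without any attestation of the host. Anyone holding this
# host's guardian private key can unwrap the vTPM state of the VM.
function Enable-LabVmTpm {
    param(
        [Parameter(Mandatory)]
        [string] $VMName,                           # assumed example: "Customermdt"
        [string] $GuardianName = 'UntrustedGuardian'
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Update-VMVersion, Set-VMKeyProtector and Enable-VMTPM all require the VM to be off.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State). Shut it down before changing its security settings."
    }

    # Step 1: configuration version 7.0 or later is required for a vTPM.
    # This is one-way: afterwards the VM cannot be moved to a host with an older Hyper-V.
    if ([version]$vm.Version -lt [version]'7.0') {
        Update-VMVersion -VMName $VMName -Force
        $vm = Get-VM -Name $VMName
    }
    Write-Host "Configuration version of '$VMName': $($vm.Version)"

    # Step 2: get the guardian that will own the key protector. A host that has never
    # enabled a vTPM (e.g. through Hyper-V Manager) may not have the guardian yet.
    $owner = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
    if (-not $owner) {
        Write-Host "Guardian '$GuardianName' not found, generating a local one."
        $owner = New-HgsGuardian -Name $GuardianName -GenerateCertificates
    }

    # Step 3: build a key protector wrapped for that guardian and attach it to the VM.
    # Without this, Enable-VMTPM fails with "Cannot modify the selected security settings
    # of a virtual machine without a valid key protector configured".
    $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
    Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData

    # Step 4: now the vTPM can be enabled.
    Enable-VMTPM -VMName $VMName

    # Step 5: verify from the host side. Get-VMSecurity is not on every build, so skip
    # the check where the cmdlet is missing and rely on Device Manager / Get-Tpm in the guest.
    if (Get-Command Get-VMSecurity -ErrorAction SilentlyContinue) {
        $sec = Get-VMSecurity -VMName $VMName
        if (-not $sec.TpmEnabled) {
            throw "vTPM is still not enabled on '$VMName'."
        }
        return $sec
    }
    Write-Host "Key protector set and vTPM enabled; verify with Get-Tpm inside the guest."
}

Enable-LabVmTpm -VMName 'Customermdt'
```

After the VM boots, run Get-Tpm inside the guest; TpmPresent and TpmReady should both be True. Because the vTPM state is encrypted under the key protector, back up the guardian's certificates on the host (on Windows 10 they are in the local machine certificate store "Shielded VM Local Certificates"). If the host loses them, for example after a reinstall, the VM fails to start with "The key protector could not be unwrapped", which is the error reported in the first comment below.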


Some resources that could be interesting. Note that the example code you will find on these pages is written for a full guarded fabric with an HGS server and will not work as-is in this standalone lab setup!

Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host

Let me know if there is anything missing or if it’s not working for you!



Comments

10 responses to “Add virtual TPM in Windows 10 Hyper-V guest with PowerShell”

  1. Stephen Bovy

    I am trying to install Windows 11 in a Hyper-V VM on Windows 10. I have created a VM with TPM enabled,
    but when I try to boot the install ISO I get the following:

    ‘Windows-11’ failed to start.

    ‘Windows-11’ could not initialize.

    The key protector could not be unwrapped. Details are included in the HostGuardianService-Client event log.

    [Expanded Information]
    ‘Windows-11’ failed to start. (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    ‘Windows-11’ failed to start worker process: The system cannot find the file specified. (0x80070002). (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    ‘Windows-11’ could not initialize. (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    The key protector for the virtual machine ‘Windows-11’ could not be unwrapped. Details are included in the HostGuardianService-Client event log. The system cannot find the file specified. (0x80070002). (Virtual machine ID A3F1FC6C-3D8D-4603-94E0-821EC9508E1B)

    I do not have isolation mode enabled, because I want to use WSL2 and Android in the new VM.

    I have been searching the web in vain to try to figure this out!!

    Get-HgsGuardian UntrustedGuardian

    Name               HasPrivateSigningKey   Signing Certificate Subject
    ----               --------------------   ---------------------------
    UntrustedGuardian  True                   CN=Shielded VM Signing Certificate (UntrustedGuardian) (LAPTOP-SJB)

    If anyone has an answer please email me, thanks 🙂


  2. deepakjohn

    I have tried this several times but no luck; the TPM is not showing on the Windows Server 2012 R2 guest. The host OS is Windows 10 Pro build 19043.


  3. fabio

    I’m having a problem booting my virtual machine after activating the TPM. I’m getting the error: 0xc000A002


  4. […] Add virtual TPM in Windows 10 Hyper-V guest with PowerShell […]


  5. In my Windows 10 1511 (10586.164) environment I didn’t have any HGS guardians installed. I ran "New-HgsGuardian UntrustedGuardian -GenerateCertificates" and then went on with the steps supplied here.

    Also found some helpful info in this technet article: https://technet.microsoft.com/en-us/library/mt483740(v=vs.85).aspx


  6. Yes sir, I enabled it as part of the process. I actually found out from my IT department that the version of Windows I am running does not support Virtual Smart Cards nor DirectAccess (so bummed). Also, the TPM chip eventually activated itself and now it is working. I can’t seem to win this battle!

    Thank you for your help though! Really appreciated the follow-up.


  7. Hyper-V is already upgraded to the latest version. To double check, I still ran the upgrade-vm command, which confirmed it.

    Before I tried using PowerShell to add the TPM, I found the following article
    https://4sysops.com/archives/windows-10-hyper-v-fall-update-adds-virtual-tpm-and-nested-virtualization/

    and used those steps to add the TPM chip. My current state is the following:
    I see the TPM in the VM's Device Manager, just like in your picture above.
    The TPM is not ready for use.
    Preparing the TPM for use in this machine fails; the VM registers the failure as hardware related.

    I then tried running your PowerShell commands; none of them failed.
    I try running the VM; the VM no longer starts.


    1. Hi again! On your host system, do you have Credential Guard or user mode isolation enabled?


  8. If I run the code above, my VM no longer boots. I restored it to a previous checkpoint and then it worked again. Tried twice, same result.

    I do see the TPM 2.0 device under device manager within the virtual VM, however it is not enabled for the selected Virtual Machine.

    If I click on prepare Virtual Machine, the preparation fails. it says that I need to enable TPM hardware.

    Would you be able to help?

    Pietro


    1. Can you verify which step fails? Is it the upgrade-vm or adding the TPM? Try each step and boot the VM in between.
      What OS are you running in the VM?

