You may have noticed or heard that in the new release of Windows 10, build 10586, you have the option to add a virtual TPM to your Hyper-V guests.
This is really interesting and opens up a whole new level when it comes to testing things that depend on a TPM chip.
I will not go into details in this post about testing or what you can use the TPM chip for; I will just give you the PowerShell commands to enable it for a Hyper-V guest.
First I will start up my Windows Server 2012 R2 guest and show you a screenshot of Device Manager. The TPM chip is categorized under Security devices, but as you can see it is not shown.
First of all you have to upgrade the Hyper-V configuration version of the guest to 7.0, and that is done with the PowerShell command
Update-VMVersion -VMName "Customermdt"
Just hit Y when prompted, or add -Force, to upgrade the guest to the latest version.
Use the Get-VM command to verify the version (the Version column is part of its default output):
Get-VM "Customermdt"
Now you would think that you can use the Enable-VMTPM command to enable the vTPM, but it will end up with the error: "Cannot modify the selected security settings of a virtual machine without a valid key protector configured. The operation failed. Cannot modify the selected security settings of virtual machine 'XXXXX' without a valid key protector configured. Configure a valid key protector and try again."
Sooo, how do I configure a valid key protector?
First you need to generate a key protector rooted in a local HGS (Host Guardian Service) guardian with these commands. Note! These commands should only be used in lab and test environments: -AllowUntrustedRoot accepts a self-signed guardian, so the vTPM state is protected only by certificates stored on this host, with no attestation, and anyone with admin rights on the host can get at it.
$owner = Get-HgsGuardian UntrustedGuardian
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Then set the key protector on the virtual guest with the Set-VMKeyProtector command (the VM has to be powered off while you change its security settings):
Set-VMKeyProtector -VMName "customermdt" -KeyProtector $kp.RawData
Now you can use the Enable-VMTPM command to enable the virtual TPM chip.
Fire up the virtual machine again and check out Device Manager: voilà, there the vTPM (version 2.0) is!
You can also verify it from inside the guest with the PowerShell Get-Tpm command, like you would on a physical machine!
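To put the steps above together, here is the whole procedure as one script. This is an added example and not code from the original post; it assumes an elevated PowerShell session on a Windows 10 build 10586 (or later) Hyper-V host and an existing Generation 2 guest (vTPM is not available for Generation 1 VMs). The VM name "Customermdt" is taken from the post; the fallback to New-HgsGuardian and the Get-VMSecurity check are assumptions about builds where the guardian does not exist yet or where that cmdlet is present.

```powershell
# Added example, not from the original post. Enables a vTPM on a Hyper-V guest using a
# self-signed "UntrustedGuardian" key protector. Lab/test use only: the vTPM state is
# protected solely by certificates on this host, with no attestation.
$VMName = "Customermdt"   # assumption: the guest name used in the post

# Security settings can only be changed while the VM is off.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VMName -Force
}

# 1. The guest needs configuration version 7.0 or later before it has security settings.
if ([version]$vm.Version -lt [version]'7.0') {
    Update-VMVersion -VMName $VMName -Force
}
(Get-VM -Name $VMName).Version

# 2. Get the local UntrustedGuardian. Some builds create it on first use; if it is
#    missing, create it with self-signed certificates (assumption: New-HgsGuardian is
#    available on the host).
$owner = Get-HgsGuardian -Name UntrustedGuardian -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name UntrustedGuardian -GenerateCertificates
}

# 3. Build a key protector rooted in that guardian. -AllowUntrustedRoot accepts the
#    self-signed chain, which is exactly why this must stay in the lab.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

# 4. Attach the key protector (raw bytes, not the object) and add the virtual TPM 2.0.
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $VMName

# 5. Check from the host, then boot the guest. Inside the guest, Get-Tpm should now report
#    TpmPresent and TpmReady as True. If your build lacks Get-VMSecurity, skip this line
#    and rely on the in-guest check.
Get-VMSecurity -VMName $VMName
Start-VM -Name $VMName
```

The script stops the VM itself because both Set-VMKeyProtector and Enable-VMTPM fail on a running guest, and it checks the configuration version before upgrading so it can be re-run safely on a VM that has already been converted.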
Some resources that could be interesting; note that the example code you will find on these pages will not work!
Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host
Let me know if there is anything missing or if it’s not working for you!