Add virtual TPM in Windows 10 Hyper-V guest with PowerShell


You may have noticed or heard that in the new Windows 10 release, build 10586, you have the option to add a virtual TPM to your Hyper-V guests.


This is really interesting and opens up a whole new level of testing for things that depend on a TPM chip, such as BitLocker, virtual smart cards and Windows Hello, without needing physical hardware for every test box.

In this post I will not go into details of what you can test or use the TPM chip for; I will just give you the PowerShell commands to enable it for a Hyper-V guest.

First I will start up my Windows Server 2012 R2 guest and show you a screenshot of its Device Manager. A TPM chip is listed under Security devices, but as you can see there is none in this guest.

First of all you have to upgrade the Hyper-V configuration version of the guest to 7.0. The VM must be shut down for this, and it is done with the PowerShell command

Update-VMVersion -VMName "Customermdt"

Just hit Y, or add -Force to skip the prompt, to upgrade the guest to the latest version. Note that the upgrade is one-way: once on version 7.0 the guest can no longer be run on an older Hyper-V host such as Windows Server 2012 R2.

Use Get-VM to verify the configuration version:

Get-VM "Customermdt"

Now you would think that you can just run Enable-VMTPM to enable the vTPM, but it ends with the error: "Cannot modify the selected security settings of a virtual machine without a valid key protector configured. The operation failed. Cannot modify the selected security settings of virtual machine 'XXXXX' without a valid key protector configured. Configure a valid key protector and try again."

Sooo, how do I configure a valid key protector?

First you need to generate a key protector from a Host Guardian Service (HGS) guardian with these commands. Note! These commands should only be used in lab and test environments! The UntrustedGuardian is a locally generated, self-signed guardian and -AllowUntrustedRoot tells Hyper-V to accept it without any attestation, so the vTPM state is only as trustworthy as the host it lives on, and the guardian's private key in the host's local certificate store is the only thing that can unlock it.

$owner = Get-HgsGuardian UntrustedGuardian

$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

Next, set the key protector on the virtual guest with Set-VMKeyProtector (the VM still has to be off):

Set-VMKeyProtector -VMName "customermdt" -KeyProtector $kp.RawData

Now you can use the Enable-VMTPM command to enable the virtual TPM chip.
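The whole procedure above, wrapped into one function with the checks you want before touching a VM's security settings. This is an added example, not code from the original post; it runs on the Hyper-V host in an elevated PowerShell session. The function name Enable-LabVmTpm and the VM name are placeholders; the guardian name 'UntrustedGuardian' is the one the post uses. It assumes Get-VMSecurity and Get-VMKeyProtector are available on the same build that ships Enable-VMTPM, and that creating the guardian with New-HgsGuardian -GenerateCertificates is acceptable on a host that has never had a vTPM enabled through the GUI.

```powershell
# Added example (not from the original post). Lab/test use only: the key protector
# chains to a self-signed, locally generated guardian with no HGS attestation, so the
# vTPM is only as secure as the host it lives on, and the guardian's private key in the
# host's local certificate store is the only thing that can unlock the vTPM state.
function Enable-LabVmTpm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,                # placeholder: your VM name
        [string] $GuardianName = 'UntrustedGuardian'            # guardian name used in the post
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # A virtual TPM is only available on Generation 2 VMs.
    if ($vm.Generation -ne 2) {
        throw "VM '$VMName' is Generation $($vm.Generation); a virtual TPM needs a Generation 2 VM."
    }

    # Configuration version, key protector and TPM can only be changed while the VM is off.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State); shut it down before changing its security settings."
    }

    # Step 1: bring the configuration version up to 7.0 (one-way: the VM can no longer
    # run on an older host afterwards). -Force suppresses the Y/N prompt.
    if ([version]$vm.Version -lt [version]'7.0') {
        if ($PSCmdlet.ShouldProcess($VMName, "Update-VMVersion from $($vm.Version)")) {
            Update-VMVersion -VMName $VMName -Force
        }
    }

    # Step 2: find the local guardian, or create one on a fresh host where the post's
    # Get-HgsGuardian one-liner would fail because the guardian does not exist yet.
    $owner = Get-HgsGuardian | Where-Object Name -eq $GuardianName
    if (-not $owner) {
        if ($PSCmdlet.ShouldProcess($GuardianName, 'New-HgsGuardian -GenerateCertificates')) {
            New-HgsGuardian -Name $GuardianName -GenerateCertificates | Out-Null
            $owner = Get-HgsGuardian | Where-Object Name -eq $GuardianName
        }
    }

    # Step 3: build a key protector rooted in that guardian and attach it to the VM.
    # -AllowUntrustedRoot is what makes the self-signed guardian acceptable (lab only).
    $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
    if ($PSCmdlet.ShouldProcess($VMName, 'Set-VMKeyProtector')) {
        Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData
    }

    # Step 4: with a key protector in place, Enable-VMTPM no longer errors out.
    if ($PSCmdlet.ShouldProcess($VMName, 'Enable-VMTPM')) {
        Enable-VMTPM -VMName $VMName
    }

    # Step 5: verify from the host side. The guest-side check is Get-Tpm inside the VM.
    $security = Get-VMSecurity -VMName $VMName
    [pscustomobject]@{
        VMName          = $VMName
        Version         = (Get-VM -Name $VMName).Version
        TpmEnabled      = $security.TpmEnabled
        HasKeyProtector = [bool](Get-VMKeyProtector -VMName $VMName)
    }
}

# Usage (VM name is a placeholder):
# Enable-LabVmTpm -VMName 'Customermdt' -WhatIf   # preview every change first
# Enable-LabVmTpm -VMName 'Customermdt'
```

The -WhatIf run is worth doing first: Update-VMVersion cannot be undone, and if the guardian's certificates are ever lost or the VM is moved to another host without them, the vTPM contents (and anything sealed to it, such as BitLocker keys) are gone with them.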

Fire up the virtual machine again and check Device Manager: voila, there the vTPM version 2.0 is!

You can also verify it from inside the guest with the PowerShell Get-Tpm command, just as you would on a physical machine!

Some resources that could be interesting. Note that the example code you will find on these pages targets a full guarded fabric and will not work as-is in this lab setup!

Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host


Let me know if there is anything missing or if it’s not working for you!


7 comments

  1. Yes sir, I enabled it as part of the process. I actually found out from my IT department that the version of Windows I am running does not support Virtual Smart Cards nor DirectAccess (so bummed). Also, the TPM chip eventually activated itself and now it is working. I can't seem to win this battle!

    Thank you for your help though! Really appreciated the follow-up.

    Like

  2. Hyper-V is already upgraded to the latest version. To double-check, I still ran the upgrade-vm command, which confirmed it.

    Before I tried using PowerShell to add the TPM, I found the following article:
    https://4sysops.com/archives/windows-10-hyper-v-fall-update-adds-virtual-tpm-and-nested-virtualization/

    and used those steps to add the TPM chip. My current state is the following:
    I see TPM in the VM device manager drop down window, just like in your picture above.
    The TPM is not ready for use
    Preparing TPM for use in this machine fails – VM registers the failure as hardware related

    I then tried running your PowerShell commands; none of them failed.
    I try running the VM; the VM no longer starts.

    Like

  3. If I run the code above, my VM no longer boots. I restored it to a previous checkpoint and then it worked again. Tried twice, same result.

    I do see the TPM 2.0 device under Device Manager within the virtual VM; however, it is not enabled for the selected virtual machine.

    If I click on "Prepare Virtual Machine", the preparation fails. It says that I need to enable the TPM hardware.

    Would you be able to help?

    Pietro

    Like
