You may have noticed or heard that in the new release of Windows 10, build 10586, you have an option to add a virtual TPM (vTPM) to your Hyper-V guests.


This is really interesting and opens up a whole new level when it comes to testing things that depend on a TPM chip.

In this post I will not go into details of any testing or of what you can use the TPM chip for; I will just give you the PowerShell commands to enable it for a Hyper-V guest.

First I will start up my Windows Server 2012 R2 guest and show you a screenshot of Device Manager. A TPM chip is categorized under Security devices, but as you can see none is shown.

First of all you have to upgrade the guest's Hyper-V configuration version to 7.0, and that is done with the PowerShell command

Update-VMVersion -VMName "Customermdt"

Just hit Y or add -Force to upgrade the guest to the latest version.

Use the Get-VM command to verify the version:

Get-VM "Customermdt"

Now you would think that you can use the Enable-VMTPM command to enable the vTPM, but it will end with the error: "Cannot modify the selected security settings of a virtual machine without a valid key protector configured. The operation failed. Cannot modify the selected security settings of virtual machine 'XXXXX' without a valid key protector configured. Configure a valid key protector and try again."


Sooo, how do I configure a valid key protector?

First you need to generate a Host Guardian Service (HGS) key protector with these commands. Note! These commands should only be used in lab and test environments, because UntrustedGuardian and -AllowUntrustedRoot skip the attestation that protects the vTPM state on a real guarded fabric!

$owner = Get-HgsGuardian UntrustedGuardian

$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

Next, set the key protector on the virtual guest with the Set-VMKeyProtector command:

Set-VMKeyProtector -VMName "customermdt" -KeyProtector $kp.RawData

Now you can use the Enable-VMTPM command to enable the virtual TPM chip.
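The whole procedure above, collected into one script as an added example (this is not code from the original post). It assumes an elevated PowerShell session on the Hyper-V host with the Hyper-V and HgsClient modules, and that $VMName is replaced with your own guest; the New-HgsGuardian fallback and the Get-VMSecurity check are my additions, not steps shown in the post.

```powershell
# Added example: enable a vTPM on a Hyper-V guest end to end.
# Lab/test use only: UntrustedGuardian + -AllowUntrustedRoot means the key
# protector is not backed by a real Host Guardian Service.

$VMName = 'Customermdt'   # placeholder from the post; change to your VM name

$vm = Get-VM -Name $VMName -ErrorAction Stop

# Security settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VMName -Force
}

# 1. A vTPM needs configuration version 7.0 or newer. Update-VMVersion is
#    one-way, so only do it on a VM you do not need to move back to an older host.
if ([version]$vm.Version -lt [version]'7.0') {
    Update-VMVersion -Name $VMName -Force
    $vm = Get-VM -Name $VMName
}
"Configuration version: $($vm.Version)"

# 2. Build a key protector from the host's local 'UntrustedGuardian'.
#    Assumption (not in the post): on a host that has never had a vTPM or
#    shielded VM, the guardian may not exist yet, so create it with
#    self-signed certificates.
$owner = Get-HgsGuardian -Name 'UntrustedGuardian' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'UntrustedGuardian' -GenerateCertificates
}
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

# 3. Attach the key protector to the VM, then enable the vTPM.
#    Without step 3a, Enable-VMTPM fails with the "valid key protector" error.
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData   # 3a
Enable-VMTPM -VMName $VMName                                    # 3b

# 4. Verify from the host side before booting the guest and checking
#    Device Manager / Get-Tpm inside it.
$sec = Get-VMSecurity -VMName $VMName
if (-not $sec.TpmEnabled) {
    throw "vTPM is still disabled on $VMName"
}
"vTPM enabled on $VMName"

Start-VM -Name $VMName
```

Keep in mind that the key protector produced here is tied to the UntrustedGuardian certificates on this particular host; if you move the VM to another host, that host cannot unwrap the vTPM state unless it holds the same guardian certificates.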

Fire up the virtual machine again and check out Device Manager: voila, there the vTPM version 2 is!

You can also verify it with the PowerShell Get-TPM command, just like you would on a physical machine!

Some resources that could be interesting; note that the example code you will find on these pages will not work as-is!

Create a new shielded VM on the tenant Hyper-V host and run it on the guarded host


Let me know if there is anything missing or if it's not working for you!
