Last night a friend contacted me and said “Did you ever post the vTPM thing?” I did say yes, but I was wrong, so here it is…
It is simple: without testing and verification, a deployment solution will fail. One of the tasks that takes a lot of time to test and verify is BitLocker, and that also includes the TPM. Windows 10 and Windows Server 2016 give you the ability to create virtual machines with a virtual TPM 2.0 chip.
A VM running Windows Server 2012 R2 with a vTPM chip. The VM is running on Windows Server 2016.
The How-To Part
You need to run Windows Server 2016 TP4 or Windows 10.
On the host, add Isolated User Mode, Hyper-V and Host Guardian Services by running the following PowerShell command (elevated):
Add-WindowsFeature -Name "Isolated-UserMode","Hyper-V","HostGuardian" -IncludeAllSubFeature -IncludeManagementTools
If needed, restart the host.
Before you can enable the vTPM you need a Guardian Service guardian object, and with that you can create a Key Protector.
New-HgsGuardian -Name 'Guardian' -GenerateCertificates
$Owner = Get-HgsGuardian -Name 'Guardian'
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot
Great, the last piece is to enable the vTPM:
Set-VMKeyProtector -VMName 'WSUS01' -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName 'WSUS01'
/Mike
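The steps above combined into one re-runnable script, as an added example that is not part of the original post. The parameter names $VMName and $GuardianName are hypothetical, the defaults are the names used in the post, and the generation 2 and powered-off checks are preconditions this example assumes.

```powershell
#Requires -RunAsAdministrator
# Added example: enable a vTPM on one VM, safe to run more than once.
param(
    [string]$VMName       = 'WSUS01',    # VM name used in the post
    [string]$GuardianName = 'Guardian'   # guardian name used in the post
)
$ErrorActionPreference = 'Stop'

$vm = Get-VM -Name $VMName

# A vTPM is only offered on generation 2 VMs.
if ($vm.Generation -ne 2) {
    throw "$VMName is generation $($vm.Generation); a vTPM needs generation 2."
}
# Assumption: the VM is powered off while its security settings are changed.
if ($vm.State -ne 'Off') {
    throw "$VMName is in state $($vm.State); shut it down first."
}

# Reuse the guardian if it already exists, so a second run does not
# fail on New-HgsGuardian.
$owner = Get-HgsGuardian | Where-Object Name -eq $GuardianName |
    Select-Object -First 1
if (-not $owner) {
    # -GenerateCertificates creates self-signed signing and encryption
    # certificates on this host.
    $owner = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}

# Skip VMs that already have a vTPM so an existing key protector
# is not replaced.
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    # -AllowUntrustedRoot accepts the self-signed guardian certificates.
    $keyProtector = New-HgsKeyProtector -Owner $owner -Guardian $owner `
        -AllowUntrustedRoot
    Set-VMKeyProtector -VMName $VMName -KeyProtector $keyProtector.RawData
    Enable-VMTPM -VMName $VMName
}

# Verify the result: TpmEnabled should now be True.
Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded
```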
Hi Mikael,
If I have a Windows 10 Hyper-V host:
How do I install the Isolated-UserMode and HostGuardian features?
As I can see, they don’t even exist on a Windows 10 client…
Michael
What version of Windows 10 are you running and what build?
Windows 10 Enterprise… By the way, I found the Isolated User Mode but not the Host Guardian feature…
This is great! Just notice that when using Windows 10 Anniversary, Isolated User Mode is now included with Hyper-V, so you don’t have to install it separately anymore. Running the above PowerShell command will just fail.
Does this also work on Microsoft Hyper-V Server 2016?
Yes, it does