Windows 10: Enabling vTPM (Virtual TPM)
Enabling a vTPM does not require UEFI firmware or Secure Boot. The settings below work with both BIOS and UEFI firmware.
Steps
Creating an HGS guardian (with self-signed certificates)
New-HgsGuardian -Name "Guardian11" -GenerateCertificates
Verifying that the guardian was created
PS C:\WINDOWS\system32> get-hgsguardian

Name       HasPrivateSigningKey Signing Certificate Subject
----       -------------------- ---------------------------
Guardian11 True                 CN=Shielded VM Signing Certificate (Guardian11) (Win10)
Assigning the guardian to the variable $owner
PS C:\WINDOWS\system32> $owner = get-hgsguardian guardian11
Generating a key protector from the guardian (-AllowUntrustedRoot is required because the guardian's certificates are self-signed)
PS C:\WINDOWS\system32> $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Setting the key protector on the VM
PS C:\WINDOWS\system32> Set-VMKeyProtector -VMName "TPM" -KeyProtector $kp.RawData
Enabling the virtual TPM on the VM named "TPM"
PS C:\WINDOWS\system32> Enable-VMTPM -VMName "TPM"   # Here "TPM" is the name of the virtual machine
Additional host settings required for the virtual TPM (Isolated User Mode and virtualization-based security)
Enable-WindowsOptionalFeature -FeatureName IsolatedUserMode -Online
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force
Reboot the host for these settings to take effect.
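The steps above as one script, with the checks the one-liners skip (VM powered off, guardian reused rather than regenerated, result verified). This is an added example, not part of the original page; it assumes an elevated PowerShell session with the Hyper-V and HgsClient modules, and a VM named "TPM" (both names are parameters).

```powershell
#Requires -RunAsAdministrator
# Added example: end-to-end vTPM enablement for one Hyper-V VM (assumed names below).
param(
    [string]$VMName       = "TPM",
    [string]$GuardianName = "Guardian11"
)
$ErrorActionPreference = 'Stop'

# Set-VMKeyProtector and Enable-VMTPM only work on a VM that is powered off.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' must be Off before changing its key protector (state: $($vm.State))."
}

# Re-use an existing local guardian; generate the self-signed certificates only once.
# The guardian's private key is what unlocks this VM's TPM state: if it is lost
# (e.g. a host rebuild) the vTPM data is unrecoverable, so back it up.
$owner = Get-HgsGuardian | Where-Object Name -eq $GuardianName
if (-not $owner) {
    $owner = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}
if (-not $owner.HasPrivateSigningKey) {
    throw "Guardian '$GuardianName' has no private signing key on this host."
}

# -AllowUntrustedRoot is needed because the generated certificates are self-signed.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $VMName

# Verify the result instead of assuming it.
$sec = Get-VMSecurity -VMName $VMName
if (-not $sec.TpmEnabled) { throw "vTPM is still disabled on '$VMName'." }

# The host-side VBS registry value must also be set (and the host rebooted);
# warn if it is missing rather than silently ending with an unusable vTPM.
$dg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
        -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue
if ($dg.EnableVirtualizationBasedSecurity -ne 1) {
    Write-Warning "EnableVirtualizationBasedSecurity is not set to 1 on this host; set it and reboot."
}
Write-Output "vTPM enabled on '$VMName' (guardian: $GuardianName)"
```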