Windows 10: Enabling vTPM (Virtual TPM)

Enabling a vTPM this way does not require Secure Boot on the guest, and it does not require a Host Guardian Service: the key protector is built from a local guardian whose certificates live only on this host, so the VM can be started (and its vTPM state unsealed) only on hosts that hold that guardian's private key. The guest must be a Generation 2 (UEFI) virtual machine, because Hyper-V does not support a vTPM on Generation 1 (BIOS) VMs; the host-side settings below work regardless of the host's own firmware type.

Steps

Creating HGS Guardian

New-HgsGuardian -Name "Guardian11" -GenerateCertificates

Checking with Guardian

PS C:\WINDOWS\system32> Get-HgsGuardian

Name        HasPrivateSigningKey  Signing Certificate Subject
----        --------------------  ---------------------------
Guardian11  True                  CN=Shielded VM Signing Certificate (Guardian11) (Win10)

Assigning variable $owner to Guardian

PS C:\WINDOWS\system32> $owner = Get-HgsGuardian -Name Guardian11

Generating a key protector that names the guardian as the owner of the VM's vTPM. -AllowUntrustedRoot is required here because the guardian's certificates were self-signed by -GenerateCertificates rather than issued by a trusted CA.

PS C:\WINDOWS\system32> $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

Setting the key protector on the VM (the VM must be powered off; -KeyProtector takes the raw bytes, hence $kp.RawData)

PS C:\WINDOWS\system32> Set-VMKeyProtector -VMName "TPM" -KeyProtector $kp.RawData

Enabling virtual TPM on VMName TPM

PS C:\WINDOWS\system32> Enable-VMTPM -VMName "TPM"   # "TPM" is the virtual machine name

Host-side settings that must also be in place: the vTPM's key material is protected by virtualization-based security (VBS) on the Hyper-V host, so enable it and reboot.

Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode
 
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force
 
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force

Note: the IsolatedUserMode optional feature exists on early Windows 10 builds only; from version 1607 onward Isolated User Mode is built into the OS and the first command can be skipped (it will report the feature as unknown). The registry value is what actually turns VBS on.

Reboot
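The whole procedure above, collected into one script with the checks a practitioner would want before and after each step. This is an added example, not code from the original page; it assumes an elevated PowerShell session on the Hyper-V host, and the VM name "TPM" and guardian name "Guardian11" are hypothetical defaults you would replace.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example (not from the original page). Assumed, hypothetical names:
# VM "TPM", local guardian "Guardian11". Run on the Hyper-V host.
param(
    [string]$VMName       = 'TPM',
    [string]$GuardianName = 'Guardian11'
)
$ErrorActionPreference = 'Stop'

# 1. Preconditions: a vTPM needs a Generation 2 VM, and the key protector can only be
#    set while the VM is off. Fail loudly instead of silently stopping someone's VM.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) {
    throw "VM '$VMName' is generation $($vm.Generation); a vTPM requires a generation 2 (UEFI) VM."
}
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' is $($vm.State); power it off before changing its key protector."
}

# 2. Local guardian: reuse it if it already exists so a second certificate pair is not
#    generated. Without the private signing key this host cannot create the protector.
$owner = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}
if (-not $owner.HasPrivateSigningKey) {
    throw "Guardian '$GuardianName' has no private signing key on this host."
}

# 3. Key protector. -AllowUntrustedRoot is needed because the guardian's certificates
#    are self-signed (no HGS, no CA). Set it, then enable the vTPM.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $VMName

# 4. Verify on the VM side: the stored protector must match what we set, and the
#    security settings must now report the TPM as enabled.
$stored = Get-VMKeyProtector -VMName $VMName
if (Compare-Object -ReferenceObject $kp.RawData -DifferenceObject $stored) {
    throw "Key protector read back from '$VMName' does not match the one that was set."
}
$sec = Get-VMSecurity -VMName $VMName
if (-not $sec.TpmEnabled) {
    throw "Enable-VMTPM did not take effect on '$VMName'."
}
"{0}: TpmEnabled={1}, Shielded={2}" -f $VMName, $sec.TpmEnabled, $sec.Shielded

# 5. Host side: turn on virtualization-based security (the DeviceGuard registry value
#    from the page) and report its live status. 0 = not enabled, 1 = enabled but not
#    running (reboot pending), 2 = running.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dgKey -Force | Out-Null
New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Host VBS status: {0}" -f $dg.VirtualizationBasedSecurityStatus
if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    Write-Warning 'VBS is not running yet; reboot the host before starting the VM.'
}
```

Keep a backup of the guardian's signing and encryption certificates (Export-HgsGuardian) before relying on this: if the host is rebuilt and the private keys are lost, the vTPM state of any VM protected by that guardian, including BitLocker keys sealed to it, cannot be unsealed.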
