This week I worked with a client to implement BitLocker on guest machines from a Hyper-V host Server 2016. As you certainly know, Microsoft has added a great feature that allows you to add a TPM virtual chip to the guest machines without the host server having a physical TPM installed.
Microsoft has also taken advantage of a new role that can be used to restrict access to protected virtual machines (shielded VMs) by Hyper-V administrators. This new role is called: Host Guardian Service (HGS).
For reminder, the client context is a Hyper-V 2016 Standalone server that hosts at least one virtual machine. When implementing VTPM on hosted virtual machines, we validated the addition of the VTPM chip by the GUI. BitLocker’s disk activation and encryption took place without any problems. However, as soon as we want to script the actions, enabling the TPM virtual chip is not possible by PowerShell command line.
The following error appears:
“Unable to change the selected security settings for a virtual machine without a valid key protector configured.” ☹
Below is the code in PowerShell that allows you to initialize the Guardian and the key :
- (Old technique) Creation of HGS Gardian certificate :
$ExportedGuardianPath = ".DestinationGuardian.xml"
$UntrustedGuardian = New-HgsGuardian -Name UntrustedGuardian –GenerateCertificates
Get-hgsguardian| Export-HgsGuardian -Path $ExportedGuardianPath
Import-HgsGuardian -Path .DestinationGuardian.xml -Name "UntrustedGuardian" -AllowExpired -AllowUntrustedRoot
- (Old technique) Creation of a protection key for the integration of the VTPM on the VM :
$DestGardian = Get-HgsGuardian -Name UntrustedGuardian -ErrorAction SilentlyContinue
$keyprotector = New-HgsKeyProtector -owner $DestGardian -AllowExpired -AllowUntrustedRoot
Set-vmkeyprotector -vmname VM -keyprotector $keyprotector.rawdata
- Add vTPM to VM :
Enable-VMTPM -VMName VM
After setting up the HGS and the protection key, activating the TPM on the VM is operational :
- (New technique) Creation of a protection key for the integration of the vTPM on the VM :
In fact, i found in cmdlet “Set-VMKeyProtector” the good setting to activate the vTPM chips with a simple PowerShell command:
Set-VMKeyProtector -VMName W10 -NewLocalKeyProtector
Enable-VMTPM -VMName W10
The result is the same, but you need to execute only two commands lines 😉
When you check the HGS gardian is created :
This solution allowed us to industrialize the deployment of a vTPM chip on all existing virtual machines in my client world infrastructure.