Stéphane Thirion
Hyper-V 2016 – Add-VMTPM issue

  • October 28, 2017
  • Rodolphe Herpeux

Hello folks,

This week I worked with a client to implement BitLocker on guest machines hosted on a Windows Server 2016 Hyper-V host. As you certainly know, Microsoft has added a great feature that lets you add a virtual TPM chip to guest machines without the host server having a physical TPM installed.

Microsoft has also introduced a new role that can be used to restrict Hyper-V administrators' access to protected virtual machines (shielded VMs). This new role is called the Host Guardian Service (HGS).

As a reminder, the client context is a standalone Hyper-V 2016 server that hosts at least one virtual machine. When implementing the vTPM on the hosted virtual machines, we validated adding the vTPM chip through the GUI. BitLocker activation and disk encryption went through without any problem. However, as soon as we wanted to script the actions, enabling the virtual TPM chip was not possible from the PowerShell command line.

The following error appears:

“Unable to change the selected security settings for a virtual machine without a valid key protector configured.” ☹

Below is the PowerShell code that initializes the guardian and the key protector:

  • (Old technique) Creation of the HGS guardian certificate:
$ExportedGuardianPath = ".\DestinationGuardian.xml"
# Create a local guardian with self-signed certificates (no HGS server involved)
$UntrustedGuardian = New-HgsGuardian -Name UntrustedGuardian -GenerateCertificates
# Export the guardian to XML so it can be imported on other hosts
Get-HgsGuardian | Export-HgsGuardian -Path $ExportedGuardianPath
# Import the exported guardian; the two Allow* switches accept the self-signed certificates
Import-HgsGuardian -Path $ExportedGuardianPath -Name "UntrustedGuardian" -AllowExpired -AllowUntrustedRoot

  • (Old technique) Creation of a protection key for the integration of the vTPM on the VM:
$DestGuardian = Get-HgsGuardian -Name UntrustedGuardian -ErrorAction SilentlyContinue
# Build a key protector owned by the local guardian and attach it to the VM
$KeyProtector = New-HgsKeyProtector -Owner $DestGuardian -AllowExpired -AllowUntrustedRoot
Set-VMKeyProtector -VMName VM -KeyProtector $KeyProtector.RawData

  • Add vTPM to VM:
Enable-VMTPM -VMName VM
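The three steps above as one script, added here as an example (it is not code from the original post). It reuses the guardian if it already exists, exports it only once, and checks the two preconditions that otherwise produce unclear errors: the VM must be Generation 2 and powered off. The parameter names, the default guardian name and export path are my assumptions; the export/import round trip from the post is reduced to an export, since re-importing on the same host adds nothing.

```powershell
# Added example, not from the original post. Runs on the Hyper-V host, elevated.
# Assumed defaults: guardian 'UntrustedGuardian', export path .\DestinationGuardian.xml.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$VMName,
    [string]$GuardianName = 'UntrustedGuardian',
    [string]$ExportPath   = '.\DestinationGuardian.xml'
)
$ErrorActionPreference = 'Stop'
Import-Module Hyper-V, HgsClient

# A vTPM requires a Generation 2 VM, and security settings can only be changed while it is Off.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); a vTPM requires Generation 2." }
if ($vm.State -ne 'Off')   { throw "$VMName must be Off before its key protector or TPM can be changed." }

# Step 1: reuse the local guardian when present, otherwise create one with self-signed
# certificates and export it so other hosts can import the same guardian.
$guardian = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name $GuardianName -GenerateCertificates
    $guardian | Export-HgsGuardian -Path $ExportPath
}

# Step 2: the key protector is what Enable-VMTPM checks for. Skipping this step is what
# produces "Unable to change the selected security settings ... without a valid key protector".
$kp = New-HgsKeyProtector -Owner $guardian -AllowExpired -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData

# Step 3: enable the vTPM and confirm the result from the VM's security settings.
Enable-VMTPM -VMName $VMName
$sec = Get-VMSecurity -VMName $VMName
[pscustomobject]@{ VM = $VMName; TpmEnabled = $sec.TpmEnabled; Guardian = $GuardianName }
```

Run it as `.\Enable-LocalVmTpm.ps1 -VMName VM` (file name assumed); the last line prints whether `TpmEnabled` is now true, which is the check to keep in any deployment log.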

Once the guardian and the key protector are in place, enabling the TPM on the VM works:

  • (New technique) Creation of a protection key for the integration of the vTPM on the VM:

In fact, I found that the Set-VMKeyProtector cmdlet has the right switch to enable the vTPM chip with a simple PowerShell command:

# Create a local key protector, then enable the vTPM: two commands in total
Set-VMKeyProtector -VMName W10 -NewLocalKeyProtector
Enable-VMTPM -VMName W10

The result is the same, but you only need to execute two command lines 😉

When you check, the HGS guardian has been created:

This solution allowed us to industrialize the deployment of a vTPM chip on all existing virtual machines across my client's infrastructure.
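The two-command technique applied to every VM on the host, as an added example (not the post's own script) of the rollout described above. It skips VMs that already have a TPM so an existing key protector is never replaced, skips Generation 1 and running VMs with a reason, supports `-WhatIf` for a dry run, and returns one result row per VM. The parameter and status names are my assumptions.

```powershell
# Added example, not from the original post. Run elevated on the Hyper-V 2016 host.
# -WhatIf lists what would change without touching any VM.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Defaults to every VM on the host; pass names to limit the scope.
    [string[]]$VMName = (Get-VM | Select-Object -ExpandProperty Name)
)
$ErrorActionPreference = 'Stop'
Import-Module Hyper-V

$report = foreach ($name in $VMName) {
    $vm  = Get-VM -Name $name
    $sec = Get-VMSecurity -VMName $name

    if ($sec.TpmEnabled) {
        # Leave VMs that already have a vTPM alone: their key protector must not be replaced.
        $result = 'AlreadyEnabled'
    } elseif ($vm.Generation -ne 2) {
        $result = 'SkippedGen1'
    } elseif ($vm.State -ne 'Off') {
        $result = 'SkippedNotOff'
    } elseif ($PSCmdlet.ShouldProcess($name, 'Create local key protector and enable vTPM')) {
        try {
            # Key protector first; Enable-VMTPM refuses to run without one.
            Set-VMKeyProtector -VMName $name -NewLocalKeyProtector
            Enable-VMTPM -VMName $name
            # Re-read the security settings rather than trusting that the cmdlets succeeded.
            $result = if ((Get-VMSecurity -VMName $name).TpmEnabled) { 'Enabled' } else { 'NotEnabled' }
        } catch {
            $result = "Error: $($_.Exception.Message)"
        }
    } else {
        $result = 'WhatIf'
    }

    [pscustomobject]@{ VM = $name; Generation = $vm.Generation; State = $vm.State; Result = $result }
}

$report | Format-Table -AutoSize
```

A first pass with `-WhatIf` shows which VMs are eligible; a second pass without it performs the change, and the `Result` column makes it easy to spot VMs that were skipped because they were still running.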

Enjoy 😉
