
Enable and disable vTPM on Hyper-V VMs with PowerShell cmdlets

If you don't have Guarded Fabric or Shielded VMs, which have the Trusted Platform Module feature built-in, you need to manually enable virtual TPM for your Hyper-V VMs using PowerShell.

To enable or disable vTPM for Hyper-V VMs, admins can use the Enable-VMTPM and Disable-VMTPM PowerShell cmdlets.

Trusted Platform Module (TPM) is a security feature that Windows BitLocker relies on when encrypting data. BitLocker also ensures that if an encrypted VM is run in someone else's Hyper-V environment, only you can access the data.

Starting with Windows Server 2016, you can enable virtual TPM (vTPM) for Hyper-V VMs. The vTPM feature works even if the underlying hardware doesn't have a TPM chip. However, vTPM requires a Generation 2 VM running Windows Server 2012 R2, Windows Server 2016 or a Linux OS that understands BitLocker drive encryption mechanisms.

Check vTPM status

To see if a Hyper-V VM has vTPM enabled, run the Get-VMSecurity <VMName> PowerShell command. If the VM has vTPM enabled, the output shows TPMEnabled : True; otherwise, the TPMEnabled line shows False.

Enable vTPM

To enable vTPM for Hyper-V VMs, open a PowerShell window on the Hyper-V host and run Enable-VMTPM -VMName SQLVM. This command enables TPM support for SQLVM.


Once you have enabled vTPM support for the VM, you will need to install the BitLocker feature inside the guest OS and start encrypting the VM's drives.

Verify vTPM was enabled

To verify that vTPM was enabled, you can either run the Get-VMSecurity PowerShell command on the host and check that the TPMEnabled property shows True, or start the VM, open Device Manager in the guest OS, expand the Security Devices node and look for the Trusted Platform Module 2.0 device entry. If Trusted Platform Module 2.0 is present, the VM is configured with vTPM support.

Disable vTPM

Disabling vTPM for a VM is straightforward: run the Disable-VMTPM PowerShell command followed by the VM name. For example, to disable vTPM support for a VM named SQLVM, run Disable-VMTPM -VMName SQLVM.
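As an added example that is not part of the original article, the following PowerShell function wraps the check, enable, verify and disable steps above into one call, with the preconditions an admin would want checked first. The Generation 2 and powered-off checks and the optional Set-VMKeyProtector step for hosts that are not part of a guarded fabric are assumptions from the cmdlets' own behaviour, not statements from this article.

```powershell
# Added example (not the article's own code). Assumes it runs in an elevated
# PowerShell session on the Hyper-V host with the Hyper-V module installed.
function Set-HyperVvTpm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][bool]$Enabled,
        # Assumption: on a host that is NOT part of a guarded fabric, Enable-VMTPM
        # needs a key protector, and -NewLocalKeyProtector creates a host-local one.
        # Do not use this on shielded VMs; it would replace their key protector.
        [switch]$NewLocalKeyProtector
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Assumption: vTPM is only supported on Generation 2 VMs (as the article notes).
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); vTPM requires a Generation 2 VM."
    }

    # Assumption: the TPM setting can only be changed while the VM is powered off.
    if ($vm.State -ne 'Off') {
        throw "$VMName is $($vm.State); shut it down before changing vTPM."
    }

    # Same host-side check the article describes: Get-VMSecurity -> TpmEnabled.
    $current = [bool](Get-VMSecurity -VMName $VMName).TpmEnabled
    if ($current -eq $Enabled) {
        Write-Verbose "vTPM is already $(if ($Enabled) {'enabled'} else {'disabled'}) on $VMName."
        return $current
    }

    if ($Enabled) {
        if ($NewLocalKeyProtector) {
            Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
        }
        Enable-VMTPM -VMName $VMName
    }
    else {
        Disable-VMTPM -VMName $VMName
    }

    # Verify from the host side rather than trusting that the cmdlet succeeded.
    $result = [bool](Get-VMSecurity -VMName $VMName).TpmEnabled
    if ($result -ne $Enabled) { throw "vTPM on $VMName is still TpmEnabled=$result." }
    return $result
}

# Usage: enable vTPM on SQLVM on a standalone (non-guarded) host, then confirm.
# Set-HyperVvTpm -VMName SQLVM -Enabled $true -NewLocalKeyProtector -Verbose
# Get-VMSecurity -VMName SQLVM | Select-Object VMName, TpmEnabled
```

The function returns the final TpmEnabled value, so it can be used in a loop over Get-VM output to audit or remediate many VMs at once.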

Note that Windows Server 2016 Hyper-V provides new security features, including Guarded Fabric and Shielded VMs that have the TPM feature built-in. If you aren't using Guarded Fabric and Shielded VMs in your environment, you have to manually enable vTPM for VMs to ensure your data is secure.

This was last published in March 2018
