
Enable and disable vTPM on Hyper-V VMs with PowerShell cmdlets

If you don't have Guarded Fabric or Shielded VMs, which have the Trusted Platform Module feature built-in, you need to manually enable virtual TPM for your Hyper-V VMs using PowerShell.

To enable or disable vTPM for Hyper-V VMs, admins can use the Enable-VMTPM and Disable-VMTPM PowerShell cmdlets.

Trusted Platform Module (TPM) is a security component that Windows BitLocker relies on when it encrypts a drive. BitLocker also makes sure that if you run the encrypted VM in someone else's Hyper-V environment, only you can access the data.

Starting with Windows Server 2016, you can enable virtual TPM (vTPM) for Hyper-V VMs. You can use the vTPM feature for VMs even if the underlying hardware doesn't have a TPM chip. However, vTPM requires a Generation 2 VM running Windows Server 2012 R2, Windows Server 2016 or a Linux OS that can understand BitLocker drive encryption mechanisms.

Check vTPM status

To see if a Hyper-V VM has vTPM enabled, run the Get-VMSecurity <VMName> PowerShell command. If the VM has vTPM enabled, the TPMEnabled line in the output shows True; otherwise it shows False.

Enable vTPM

To enable vTPM for Hyper-V VMs, open a PowerShell window on the Hyper-V host and run Enable-VMTPM -VMName SQLVM. This command enables TPM support for SQLVM.


Once vTPM support is enabled for the VM, install the BitLocker feature in the guest OS and start encrypting the VM's drives.

Verify vTPM was enabled

To verify that vTPM was enabled, you can either run the Get-VMSecurity PowerShell command and check that the TPMEnabled property shows True, or start the VM, open Device Manager in the guest OS, expand the Security Devices node and look for the Trusted Platform Module 2.0 device entry. If Trusted Platform Module 2.0 is present, the VM is configured with vTPM support.

Disable vTPM

Disabling vTPM for a VM is easy: run the Disable-VMTPM PowerShell command followed by the VM name. For example, to disable vTPM support for a VM named SQLVM, run Disable-VMTPM -VMName SQLVM.
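The check, enable, verify and disable steps above can be combined into one function that also enforces the prerequisites the article mentions (Generation 2 VM) and the ones the cmdlets themselves impose (the VM must be off). This is an added example, not code from the original article; the VM names are constructed, and the optional local key protector step (Set-VMKeyProtector -NewLocalKeyProtector) is an assumption for hosts that are not part of a Guarded Fabric, not something the article describes.

```powershell
# Added example: enable or disable vTPM on a set of Hyper-V VMs and report
# before/after state. Run on the Hyper-V host with the Hyper-V module loaded.
function Set-VmTpmState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action,
        # Assumption: on a host outside a Guarded Fabric the VM needs a local
        # key protector before Enable-VMTPM will succeed. Off by default.
        [switch]$CreateLocalKeyProtector
    )
    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
        if (-not $vm) { Write-Warning "$name : VM not found"; continue }
        # vTPM is only supported on Generation 2 VMs.
        if ($vm.Generation -ne 2) {
            Write-Warning "$name : Generation $($vm.Generation) VM; vTPM needs Generation 2"; continue
        }
        # Security settings can only be changed while the VM is off.
        if ($vm.State -ne 'Off') {
            Write-Warning "$name : VM is $($vm.State); shut it down first"; continue
        }
        $before = (Get-VMSecurity -VMName $name).TpmEnabled
        if ($PSCmdlet.ShouldProcess($name, "$Action vTPM")) {
            if ($Action -eq 'Enable') {
                if ($CreateLocalKeyProtector) {
                    Set-VMKeyProtector -VMName $name -NewLocalKeyProtector
                }
                Enable-VMTPM -VMName $name
            } else {
                Disable-VMTPM -VMName $name
            }
        }
        # Re-read the security settings so the report reflects the real state.
        $after = (Get-VMSecurity -VMName $name).TpmEnabled
        [pscustomobject]@{
            VMName     = $name
            Generation = $vm.Generation
            TpmBefore  = $before
            TpmAfter   = $after
            Success    = ($after -eq ($Action -eq 'Enable'))
        }
    }
}

# Constructed sample usage: enable vTPM on two VMs, then disable it on one.
Set-VmTpmState -VMName 'SQLVM', 'WEBVM' -Action Enable -Verbose
Set-VmTpmState -VMName 'WEBVM' -Action Disable
```

Add -WhatIf to either call to see which VMs would pass the Generation and power-state checks without changing anything.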

Note that Windows Server 2016 Hyper-V provides new security features, including Guarded Fabric and Shielded VMs that have the TPM feature built-in. If you aren't using Guarded Fabric and Shielded VMs in your environment, you have to manually enable vTPM for VMs to ensure your data is secure.
