Windows 10: Enabling vTPM (Virtual TPM)

sunny2002

Steps
Creating HGS Guardian
New-HgsGuardian -Name "Guardian11" -GenerateCertificates

Checking with Guardian
PS C:\WINDOWS\system32> get-hgsguardian
Name              HasPrivateSigningKey         Signing Certificate Subject
----              --------------------        ---------------------------
Guardian11        True        CN=Shielded VM Signing Certificate (Guardian11) (Win10)

Assigning variable $owner to Guardian
PS C:\WINDOWS\system32> $owner = get-hgsguardian guardian11

Generating key protector for TPM to enable it
PS C:\WINDOWS\system32> $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

Setting key protector for TPM to enable it
PS C:\WINDOWS\system32> Set-VMKeyProtector -VMName "TPM" -KeyProtector $kp.RawData

Enabling virtual TPM on VMName TPM
PS C:\WINDOWS\system32>  Enable-VMTPM -VMNAME "TPM"   --// Here TPM is virtual machine name

Some more mandatory settings to enable TPM
Enable-WindowsOptionalFeature -Feature IsolatedUserMode -Online

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard   -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord –Force

Reboot