Microsoft added more security features to Windows Server 2016 and one of them is the vTPM. You can now use a vTPM right inside the VM without using a physical TPM processor. A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical Trusted Platform Module that can generate keys. When a vTPM is added to a virtual machine, the guest operating system on the VM creates and stores keys that are private to it. When the vTPM is enabled and the guest operating system is compromised the vTPM will greatly reduce the risk. The keys generated can be used by the operating system for encryption or signing purpose. Both the vTPM and Bitlocker can add a layer of protection to Windows Server 2016. In this article, I will be showing
you how to enable vTPM on Windows Server 2016 Hyper-V and enable BitLocker within your VM. Once this is done you can store your VM in any location without being afraid your VM files will be stolen or compromised. Read this if you want to know How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, if you want to disable read this How to correctly disable Microsoft BitLocker Administration and Monitoring encrypted devices. This is How and where to find your BitLocker recovery key in Windows.
If your VM does not have vTPM enabled you will not be able to use BitLocker except you do some strenuous work which you can avoid by just enabling it on your VM. Below is the image showing you the message you will get when it is not enabled.
Follow these steps on how to enable vTPM in Windows Server 2016 HYPER-V
- Open the Hyper-V
- Select and right-click the VM you want to encrypt and click Settings
3. On the Settings page click on Security TPM enabled and on the Right-hand section check the Enable Trusted Platform Module box. Click Ok.
4. Start the Virtual Machine and login.
5. Go into the Device Manager and Expand Security Devices you will see the Trusted Platform Module 2.0 listed.
6. It’s now time to encrypt the Virtual Machine. Add the BitLocker Drive Encryption feature and restart the VM.
7. Now search for BitLocker and open it. Click Turn On BitLocker.
8. Save the key to a file or print and change the location of the file from your system. Keep in a safe place.
9. Select how you want to encrypt your disk. Click Next
10. You can start the encryption and be sure that nobody can copy your VM files to another HYPER-V to use it. Here is a YouTube link.
I hope you found this blog post How to enable vTPM in Windows Server 2016 HYPER-V interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.