Microsoft added more security features to Windows Server 2016 and one of them is the vTPM. You can now use a vTPM right inside the VM without using a physical TPM processor. A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical Trusted Platform Module that can generate keys. In this article, we shall discuss “how to enable vTPM in Windows Server 2016 Hyper-v: Fix the device that cannot use a TPM module”. Please see Enable HyperV on Windows: How to install Windows 11 on HyperV, and how to fix “There was an error opening the Trusted Platform Module snap-in: You do not have permission to open the Trusted Platform Module Console“.
When a vTPM is added to a virtual machine, the guest operating system on the VM creates and stores keys that are private to it. When the vTPM is enabled and the guest operating system is compromised the vTPM will greatly reduce the risk.
Here is a YouTube video discussing the topic "Steps to enable vTPM in Windows Server 2016 HYPER V".
The keys generated will be used by the operating system for encryption or signing purposes. Both the vTPM and Bitlocker can add a layer of protection to Windows Server 2016. In this article, I will be showing you how to Enable vTPM and BitLocker on Windows Server on HyperV.
The same steps are applicable to all versions of Windows Server. Once this is done
you can store your VM in any location without being afraid your VM files will be stolen or compromised.
Reason for the error “The Device can use a Trusted Platform Module”.
If your VM does not have vTPM enabled you will not be able to use BitLocker except you do some strenuous work which you can avoid by just enabling it on your VM.
Below is the image showing what will be prompted when it is not enabled.
Enable vTPM and BitLocker in Windows server
Follow these steps on how to enable vTPM in Windows Server 2016 HYPER-V
- Open the Hyper-V
- Select and right-click the VM you want to encrypt and click Settings
3. On the Settings page click on Security TPM enabled and on the Right-hand section check the Enable Trusted Platform Module box. Click Ok. This will ensure the vTPM is enabled on the device.
4. Start the Virtual Machine and log in.
Read this if you want to know How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, and How to correctly disable Microsoft BitLocker Administration and Monitoring encrypted devices.
Launch Device Manager
5. Go into the Device Manager and Expand Security Devices you will see the Trusted Platform Module 2.0 listed.
Enable BitLocker: Install BitLocker Role on Hyper VM
6. It’s now time to encrypt the Virtual Machine. Add the BitLocker Drive Encryption feature and restart the VM.
Enable BitLocker on Windows Server
7. Now search for BitLocker and open it. Click Turn On BitLocker.
8. Save the key to a file or print and change the location of the file from your system. Keep in a safe place.
9. Select how you want to encrypt your disk. Click Next
10. You can start the encryption and be sure that nobody can copy your VM files to another HYPER-V to use it. This is How and where to find your BitLocker recovery key in Windows.
I hope you found this blog post on how to enable vTPM in Windows Server 2016 Hyper-v: Fix the device that cannot use a TPM module interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.