vTPM requirements for VM in 2016

Q. Does the vTPM feature of Hyper-V 2016 require a TPM in the physical host?

A. No. The virtual TPM (vTPM) of Windows Server 2016 Hyper-V, available to Generation 2 VMs at configuration version 7 or later, does not depend on a TPM in the physical host. The vTPM's contents are stored as part of the VM's own state; that state is encrypted and protected, in most deployments as part of a shielded VM working with the Host Guardian Service (HGS), which releases the key needed to unlock it only to hosts that pass attestation.

During that attestation the Hyper-V host ideally uses its local TPM 2.0 to prove its boot measurements and code-integrity policy to HGS (TPM-trusted attestation). If the host has no TPM 2.0, Active Directory-based (admin-trusted) attestation is also possible. A host TPM is therefore desirable but not required for the vTPM, and even when one is present it never stores the contents of any vTPM. There can be no hard binding between a vTPM and the host's physical TPM, because that would break live migration of the VM between hosts.
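The following PowerShell, added here as an illustration and not part of the original answer, shows the checks a practitioner would run on a 2016 host: whether the host has a TPM, how the host attests to HGS, and then enabling a vTPM on a Generation 2 VM using a local key protector so that no HGS is needed on a standalone or lab host. The VM name is an assumption; in a guarded fabric the key protector would come from New-HgsKeyProtector rather than a local one.

```powershell
# Added example, not code from the original answer. Run elevated on a
# Windows Server 2016 Hyper-V host. $vmName is an assumption; substitute your own.
$vmName = 'Lab-VM01'

# 1. Host TPM: desirable for TPM-trusted attestation, not required for a vTPM.
$tpm = Get-Tpm
"Host TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"

# 2. How this host is configured to attest to HGS (Local vs. HostGuardianService,
#    and TPM-trusted vs. Active Directory-based attestation).
Get-HgsClientConfiguration | Format-List

# 3. A vTPM needs a Generation 2 VM at configuration version 7.0 or later,
#    and the VM must be off before its version, key protector or vTPM change.
$vm = Get-VM -Name $vmName
if ($vm.Generation -ne 2) {
    throw "$vmName is Generation $($vm.Generation); a vTPM requires Generation 2."
}
if ($vm.State -ne 'Off') {
    throw "Shut down $vmName before changing its configuration version, key protector or vTPM."
}
if ([version]$vm.Version -lt [version]'7.0') {
    # One-way change: the VM can no longer be run on older Hyper-V hosts afterwards.
    Update-VMVersion -VM $vm -Force
}

# 4. The vTPM state is sealed by the VM's key protector, so one must exist.
#    A local key protector needs no HGS; a guarded fabric would instead use
#    Set-VMKeyProtector -VM $vm -KeyProtector (New-HgsKeyProtector ...).
Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
Enable-VMTPM -VM $vm

# 5. Verify: TpmEnabled is a per-VM setting; Shielded stays False for a VM that
#    only has a vTPM and is not a shielded VM.
Get-VMSecurity -VM $vm | Format-List TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

Note that nothing in steps 3 to 5 touches the host TPM: the VM's sealed state travels with the VM, which is what keeps live migration between hosts possible.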
