
Re: HP Proliant DL380 Gen10 (Windows Server 2016 Hyper-V vTPM issue)

RT69
Visitor

HP Proliant DL380 Gen10 (Windows Server 2016 Hyper-V vTPM issue)

Hi guys,

I have an HP ProLiant DL380 Gen10 server here which doesn't have a TPM chip. I have installed Windows Server 2016 Datacenter on it and enabled Hyper-V.

I want to enable virtual TPM on the generation 2 VMs running on it. According to Microsoft, enabling vTPM on the VMs does not require the host server to have a TPM chip.

The server is running UEFI and I have secure boot enabled. This is confirmed from the host OS (msinfo32).

The problem: when trying to start a Hyper-V generation 2 machine with vTPM enabled, it will prompt "The virtual machine xxx can't start because the host's Isolated User Mode is off." The error message itself is old, because "Isolated User Mode" has been deprecated in Server 2016 and Windows (1607 and later).

"Isolated User Mode" has been replaced with Virtualization Based Security, which I have enabled (I tried all ways of enabling it: GPO and registry) as per the MS guide on Deploy Windows Defender Device Guard: enable virtualization-based security.

The core issue is that I can't get the status of "Device Guard Virtualization based security" (VBS) to change from "Enabled but not running" to "Running" (as seen in msinfo32).

What I have tried so far in this order:

Upgrading to newest BIOS/UEFI.
Upgrading to latest Windows Server 2016 October CU.
All possible combinations of the GPO for Turn On Virtualization Based Security.
In the BIOS, unchecked Secure Boot and re-checked it from UEFI, including removing all Secure Boot keys and resetting the BIOS to factory default settings.
Reinstalled Windows Server 2016 Datacenter and enabled the Hyper-V role.
Tried not updating to the latest CU, with no effect, and then updated with the latest CU (October 2018).
Installed the Host Guardian Windows feature.
Alas, all attempts fail with the same deprecated error message, and "Device Guard Virtualization based security" is still stuck at "Enabled but not running".

I know that this is not an easy question to answer, but any help would be greatly appreciated.

The end result that I am looking for IS possible, because I have another Gen10 server with the same model and specs, and it had no issue turning on vTPM. I also tested on older HP ProLiant Gen9, 8, 7 and 6 servers. I would like to point out that on the working ones, I did not have to change any BIOS/UEFI/GPO settings to get VBS running.

So I know it can be done, but I am stuck.
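The post above checks the VBS state by hand in msinfo32 and the registry. The following PowerShell, added here as an example and not part of the original thread, collects the same host-side facts in one place: what the platform reports to Windows through the Win32_DeviceGuard class, the registry values the GPO writes, the Secure Boot state, and whether vTPM is actually set on a given VM. It assumes it is run elevated on the Hyper-V host; the VM name 'TestVM' is a placeholder.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Hyper-V host.
# Assumption: a Gen2 VM named 'TestVM' exists; replace the name as needed.
$vmName = 'TestVM'

function Get-VbsReport {
    param([string]$VMName)

    # 1. Platform state as reported to Windows (this is what msinfo32 displays).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Documented value meanings for VirtualizationBasedSecurityStatus and the
    # security property lists; unknown codes are shown as raw numbers.
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $propNames = @{ 1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $name = { param($code) if ($propNames.ContainsKey([int]$code)) { $propNames[[int]$code] } else { "$code" } }

    $available = @($dg.AvailableSecurityProperties | ForEach-Object { & $name $_ })
    $required  = @($dg.RequiredSecurityProperties  | ForEach-Object { & $name $_ })

    # 2. Registry values behind the "Turn On Virtualization Based Security" GPO.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # 3. Secure Boot as the OS sees it (throws on legacy BIOS, so guard it).
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'n/a (not UEFI?)' }

    # 4. vTPM setting on the VM itself.
    $tpm = try { (Get-VMSecurity -VMName $VMName -ErrorAction Stop).TpmEnabled } catch { 'VM not found' }

    [pscustomobject]@{
        VbsStatus                         = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableSecurityProperties       = $available -join ', '
        RequiredSecurityProperties        = $required  -join ', '
        # Required properties that the platform does not list as available:
        # Windows will not start VBS while this list is non-empty.
        MissingRequiredProperties         = ($required | Where-Object { $_ -notin $available }) -join ', '
        SecurityServicesConfigured        = $dg.SecurityServicesConfigured -join ', '
        SecurityServicesRunning           = $dg.SecurityServicesRunning -join ', '
        EnableVirtualizationBasedSecurity = $reg.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $reg.RequirePlatformSecurityFeatures   # 1 = Secure Boot, 3 = Secure Boot + DMA
        SecureBootUEFI                    = $secureBoot
        VMName                            = $VMName
        VMTpmEnabled                      = $tpm
    }
}

Get-VbsReport -VMName $vmName | Format-List
```

The point of the MissingRequiredProperties field is to separate a configuration problem from a platform one: if the registry values and Secure Boot look right but the status stays at "Enabled but not running" and a required property is absent from the available list, the gap is in what the firmware exposes to Windows rather than in the GPO, which matches the thread's eventual fix being a firmware (SPP) update rather than a Windows setting.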

sudhirsingh
HPE Pro

Re: HP Proliant DL380 Gen10 (Windows Server 2016 Hyper-V vTPM issue)

Hi,

This is a Windows-specific issue; you should raise a case with the software team.

Regards,

Sudhir

 

While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company


Caudette
Occasional Advisor

Re: HP Proliant DL380 Gen10 (Windows Server 2016 Hyper-V vTPM issue)

Did you get this issue resolved? We are having this same problem with our BL460c Gen10 servers.

RT69
Visitor
Solution

Re: HP Proliant DL380 Gen10 (Windows Server 2016 Hyper-V vTPM issue)

Yes. This issue was resolved by updating to the latest HPE SPP, 2019.03.0.