Question
Saturday, May 26, 2018 6:32 PM
I'm running Server 2016 Hyper-V and am trying to enable vTPM on Gen 2 guests running Server 2016. When I check the "Enable TPM" under the guest settings, it fails to start with the error:
"The virtual machine 'SVR-DC1' can't start because the host's Isolated User mode is off. Enabled Isolated User Mode feature in the host to start the virtual machine."
I cannot find a way to enable IUM. All documentation that I can find indicates that it is no longer a separate feature on the latest versions of Windows.
All replies (11)
Saturday, May 26, 2018 6:54 PM
Hi!
What is your current build of Windows Server 2016?
Did you check if you have the feature or if you can enable it?
# Enable the optional feature (the parameter is -FeatureName, not -Feature)
Enable-WindowsOptionalFeature -FeatureName IsolatedUserMode -Online
# Create the DeviceGuard key and turn on virtualization-based security
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force
Best regards,
Leon
Blog: https://thesystemcenterblog.com
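The symptom that follows in this thread is VBS reported as "enabled but not running", and the registry keys above only say what was requested, not why the hypervisor never started it. The script below is an added diagnostic, not something posted in the thread, that decodes the Win32_DeviceGuard CIM class (its numeric codes are the documented values for that class) and lists any platform property the policy requires but the host does not report as available. Run it elevated on the Hyper-V host; the function name Get-VbsState is my own.

```powershell
# Added diagnostic (not from the thread): decode Win32_DeviceGuard so that
# "enabled but not running" can be traced to a missing platform property.
# Run elevated on the Hyper-V host.

function Get-VbsState {
    [CmdletBinding()]
    param()

    # The class lives in its own namespace; the code tables below are the
    # documented meanings of the numeric values it returns.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $statusText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    # Codes shared by RequiredSecurityProperties and AvailableSecurityProperties
    $propText = @{
        0 = 'None'
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protections'
        6 = 'SMM mitigations'
        7 = 'MBEC/GMET'
    }

    # Codes shared by SecurityServicesConfigured and SecurityServicesRunning
    $svcText = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity' }

    # Small helper: map an array of codes to readable names
    $decode = { param($codes, $map) (@($codes) | ForEach-Object { $map[[int]$_] }) -join ', ' }

    $required  = @($dg.RequiredSecurityProperties)
    $available = @($dg.AvailableSecurityProperties)
    # A property the policy requires but the platform does not offer (for example
    # Secure Boot on a host booted in legacy BIOS mode) keeps VBS from starting.
    $missing   = @($required | Where-Object { $_ -notin $available })

    [pscustomobject]@{
        VbsStatus           = $statusText[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredProperties  = & $decode $required  $propText
        AvailableProperties = & $decode $available $propText
        MissingProperties   = & $decode $missing   $propText
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured $svcText
        ServicesRunning     = & $decode $dg.SecurityServicesRunning    $svcText
        # Confirm-SecureBootUEFI throws on legacy-BIOS or unsupported firmware
        SecureBootUefi      = $( try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'n/a (legacy BIOS or not supported)' } )
        HyperVFeature       = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State
    }
}

Get-VbsState | Format-List
```

If VbsStatus is "Enabled but not running" and MissingProperties is non-empty, the fix is on the firmware side (UEFI boot with Secure Boot, virtualization extensions and IOMMU enabled), not in more registry or GPO changes; if MissingProperties is empty, compare the output before and after a reboot, since the hypervisor only picks up the policy at boot.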
Saturday, May 26, 2018 9:12 PM
10.0.14393.2068
I've set the registry keys both via powershell and GPO and verified that they are set correctly.
Can't install the 'IsolatedUserMode' feature. Best I can tell that was removed/changed during the fall updates. It does not appear in the list if I try to add roles/features from RSAT. The powershell method returns: "Feature name isolatedusermode is unknown."
Also the powershell command has changed as it is no longer -Feature but rather -FeatureName.
I think IUM was rolled into Virtualization Based Security (VBS) during the fall update. System Info says that Device Guard Virtualization based security is enabled but not running and I can't figure out how to get it to run.
Sunday, May 27, 2018 12:39 AM
Okay, do you see anything in the event log (with source: TPM-WMI)?
Your TPM chip is enabled right? (check tpm.msc)
Also ensure KB3213522 is installed on the host, too. KB3213522 fixed an issue related to virtualization-based security (VBS).
Hypothesis: Maybe if the VMs were created when the "IsolatedUserMode" feature still existed, but the host has been updated and now the feature no longer exists so you get the error.
Have you tried creating a new Gen2 VM and enabling the vTPM?
Best regards,
Leon
Blog: https://thesystemcenterblog.com
Sunday, May 27, 2018 2:02 AM
Don't have a physical TPM but it's not required for vTPM and I don't believe it is even used when you are doing live migration (which I will be) since the VM isn't tied to a physical host.
These are brand new Gen2 VMs and the host has been clean installed several times.
Only two TPM-WMI event logs
- Event 1282: The TBS device identifier has been generated
- Event 1281: This event triggers the TBS device identifier generation
Servers are up to date. That KB shows to be a cumulative update released 1/4/17 and has been replaced by the latest cumulative updates which are installed.
Do you have any idea how to get the Device Guard virtualization based security running?
Wednesday, May 30, 2018 6:25 PM
Any ideas?
Wednesday, May 30, 2018 7:27 PM
Have you enabled the GPO for the Device Guard Virtualization Based Security?
1) From the Group Policy Management Console, go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
2) Double-click Turn On Virtualization Based Security, and then click the Enabled option.
3) In the Select Platform Security Level box, choose Secure Boot or Secure Boot and DMA Protection.
4) In the Credential Guard Configuration box, click Enabled with UEFI lock, and then click OK. If you want to be able to turn off Windows Defender Credential Guard remotely, choose Enabled without lock.
5) Close the Group Policy Management Console.
6) Open a command prompt and run gpupdate /force
Blog: https://thesystemcenterblog.com
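The six GPO steps above map to a handful of registry values, which is what the original poster later verifies by hand. The script below is an added example, not code from the thread, that writes those same values directly (useful on a workgroup host, or to see exactly what the policy is supposed to produce) and reads them back so a policy-versus-registry mismatch is visible before rebooting. The function names Set-VbsPolicy and Get-VbsPolicy are my own; the value meanings (RequirePlatformSecurityFeatures 1 = Secure Boot, 3 = Secure Boot and DMA protection; LsaCfgFlags 1 = Credential Guard with UEFI lock, 2 = without lock) are the documented ones for this policy. A reboot is still required for the change to take effect.

```powershell
# Added example (not from the thread): registry equivalents of the
# "Turn On Virtualization Based Security" policy steps, plus a read-back.
# Run elevated on the Hyper-V host; reboot afterwards.

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-VbsPolicy {
    param(
        # Step 3: "Select Platform Security Level"
        [ValidateSet('SecureBoot', 'SecureBootAndDma')]
        [string]$PlatformSecurityLevel = 'SecureBoot',
        # Step 4: "Credential Guard Configuration"
        [ValidateSet('Disabled', 'EnabledWithUefiLock', 'EnabledWithoutLock')]
        [string]$CredentialGuard = 'EnabledWithoutLock'
    )

    New-Item -Path $dgKey -Force | Out-Null

    # Step 2: policy set to Enabled
    New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null

    # Step 3: 1 = Secure Boot, 3 = Secure Boot and DMA protection
    $rpsf = if ($PlatformSecurityLevel -eq 'SecureBootAndDma') { 3 } else { 1 }
    New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value $rpsf -PropertyType DWord -Force | Out-Null

    # Step 4: LsaCfgFlags 0 = off, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # "Enabled with UEFI lock" cannot be undone remotely, which is why the policy
    # text suggests "without lock" if you need to turn it off over the network.
    $lsaCfg = switch ($CredentialGuard) {
        'Disabled'            { 0 }
        'EnabledWithUefiLock' { 1 }
        'EnabledWithoutLock'  { 2 }
    }
    # The policy writes the flag under both keys; keep them consistent.
    New-ItemProperty -Path $dgKey  -Name LsaCfgFlags -Value $lsaCfg -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $lsaCfg -PropertyType DWord -Force | Out-Null
}

function Get-VbsPolicy {
    # Read back what the GPO (or Set-VbsPolicy) should have written.
    $dg  = Get-ItemProperty -Path $dgKey  -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = $dg.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $dg.RequirePlatformSecurityFeatures
        LsaCfgFlags_DeviceGuard           = $dg.LsaCfgFlags
        LsaCfgFlags_Lsa                   = $lsa.LsaCfgFlags
    }
}

Set-VbsPolicy -PlatformSecurityLevel SecureBoot -CredentialGuard EnabledWithoutLock
Get-VbsPolicy | Format-List
```

On a domain-joined host the GPO will overwrite these values at the next refresh, so use Get-VbsPolicy after gpupdate /force to confirm the policy produced the same result rather than relying on the local write.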
Sunday, June 3, 2018 4:00 AM
Yeah I've set that GPO and updated. I've verified the registry settings on the Hyper-V server are updated to match the GPO.
Sunday, June 3, 2018 4:25 PM
Okay, everything looks correct, this is indeed very odd.
Do you have the possibility to run a repair or reinstall on this Windows Server 2016? It appears that this is some sort of bug.
Best regards,
Leon
Blog: https://thesystemcenterblog.com
Monday, June 4, 2018 2:23 PM
I've reinstalled both the host and the guest two times.
I've found a couple of other threads referencing this issue since the 1709 (?) server update that rolled Isolated User Mode into Virtualization Based Security, but none seem to have a resolution to it.
Is there a dependent Intel chipset feature that needs to be installed? I saw one post that referenced enabling Intel Platform Trust Technology to get it working. I didn't see Intel PTT as an option in the SuperMicro BIOS though.
Wednesday, October 31, 2018 8:53 AM
Hi,
Did anyone find a solution for this? We have exactly the same issue on some of our servers, and we can't find out what the difference between the hosts is.
They are based on the same OS image, in the same Windows domain and hit by the same GPOs.
Wednesday, April 10, 2019 4:15 PM
Did you ever get this figured out? We have some servers with this exact same problem.