Ricky Gao Blog - Enjoy Learning

How to enable Virtual TPM on Hyper-V

TPM (Trusted Platform Module) is a must-have hardware chip on the Windows platform, and a VM (Virtual Machine) is always the easiest way to set up a test environment.

However, when it comes to security testing that relies on a TPM, we need to talk about TPM on a VM.

Fortunately, most virtualization platforms today support a Virtual TPM, and most Virtual TPM implementations do NOT need a hardware TPM on the host device.

Hyper-V is even free on Windows 10 (Pro or Enterprise edition), so our testing environment can now be as simple as a Windows 10 device with multiple VMs running on it.

In order to enable Virtual TPM, you have to meet the pre-requisites below:

1. Hardware support for virtualization: almost every CPU supports it today

The host device does NOT need TPM hardware; below is my host machine


2. Windows Server 2016 Technical Preview, or Windows 10 build 10586 or higher

3. WinRM, enabled by running:

winrm quickconfig


Enable Virtual TPM

  1. Open a Windows PowerShell as an administrator.
  2. Run the following commands:


Enable-WindowsOptionalFeature -Feature IsolatedUserMode -Online

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force




Enable the VM TPM setting

Settings -> Security -> Trusted Platform Module


Start the VM

Check the TPM status inside the VM



Sometimes the above steps still do not get it working, especially when enabling it on your existing VMs. In that case, try the commands below (thanks to my friend Bryce):


Enable-WindowsOptionalFeature -Feature IsolatedUserMode -Online

New-HgsGuardian -Name 'Guardian' -GenerateCertificates

$Owner = Get-HgsGuardian -Name 'Guardian'

$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

Set-VMKeyProtector -VMName 'Windows 10 Enterprise' -KeyProtector $KeyProtector.RawData

Enable-VMTPM -VMName 'Windows 10 Enterprise'

Replace 'Windows 10 Enterprise' with the name of your VM in Hyper-V.
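As an added example (not from the original post), the script below wraps the manual steps above in a single helper that checks the VM is a Generation 2 VM and powered off, reuses an existing guardian instead of creating a duplicate, attaches the key protector, enables the vTPM, and verifies the result from the host. It assumes the Hyper-V PowerShell module and the HGS client cmdlets used above are available, and that Get-VMSecurity exists on the host build.

```powershell
#Requires -RunAsAdministrator
# Hypothetical helper, added as an example; not part of the original post.
param(
    [Parameter(Mandatory)] [string] $VMName,   # e.g. 'Windows 10 Enterprise'
    [string] $GuardianName = 'Guardian'        # same guardian name the post uses
)

$vm = Get-VM -Name $VMName -ErrorAction Stop

# A vTPM needs a Generation 2 (UEFI) VM; Generation 1 VMs cannot have one.
if ($vm.Generation -ne 2) {
    throw "VM '$VMName' is Generation $($vm.Generation); vTPM requires Generation 2."
}

# Key protector and TPM settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' is $($vm.State); shut it down before enabling the vTPM."
}

# Reuse the local guardian if it already exists (creating a second guardian
# with the same name fails); otherwise create one with self-signed certificates.
$guardian = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}

# Local-mode key protector: the same guardian is both owner and guardian, and
# -AllowUntrustedRoot accepts the self-signed certificates generated above.
$keyProtector = New-HgsKeyProtector -Owner $guardian -Guardian $guardian -AllowUntrustedRoot

Set-VMKeyProtector -VMName $VMName -KeyProtector $keyProtector.RawData
Enable-VMTPM -VMName $VMName

# Verify from the host side (assumes Get-VMSecurity is available on this build);
# TpmEnabled should now be True.
$security = Get-VMSecurity -VMName $VMName
if (-not $security.TpmEnabled) {
    throw "vTPM still reports disabled for '$VMName'."
}
Write-Output "vTPM enabled for '$VMName' (guardian: $GuardianName)."
```

Save it as a .ps1 file and run it from an elevated PowerShell with the VM name as the first argument.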


More information about Hyper-V Virtual TPM can be found here

By rickygao on April 5, 2016 | HYPER-V, Tech, Windows Client | A comment?

How to renew your free StartCom SSL certificate

Last time, I talked about How to get a public signed FREE SSL certificate from StartCom. It has been a while, and that certificate may already be expired or about to expire.


So this time let's talk about how to renew your free StartSSL certificate.

0. The very first thing we need to check is your StartCom authentication certificate, which is your only identity for logging into their portal


If, unfortunately, you have lost your authentication certificate, you will get a very unfriendly page like the one below


Another way to check whether you still have that authentication certificate is shown below:


Certificates – Current User – Personal



So I’ve lost my client authentication certificate, what shall I do?

Make sure that you are using the same computer and browser you used to register. If you are certain that you’ve lost the client certificate and you can’t login anymore, register once again by using a different email address (if the original certificate hasn’t expired yet). Contact the CertMaster with your details and we’ll try to associate your new client authentication certificate with your original account.

Once you have logged in, follow the steps below to renew the SSL certificate:

1. Validate your domain and email

Follow the validation menu to validate your domain again.

After validation, you will see that your domain has been validated, as shown below


2. Renew user “Authentication Certificate”

Usually the user "Authentication Certificate" is about to expire very soon as well, so we have to renew this certificate first to ensure we still have access to the portal.

Click on “Certificates Wizard”


Choose “Authentication Certificate” as target


Select the key size


Select your validated email and Hash


The new user authentication certificate will be installed in your local user certificate store


3. Renew SSL certificate

Go back to the "Certificate Wizard" and select "SSL Certificate" this time


Confirm the certificate details and create a password


Save the private key to a local file

Note: this key is the encrypted key; we will decrypt it for future use later


Choose your top domain


Type in the subdomain for which you want to renew the certificate




Save the certificate to a local file; we will use it later

Decrypt the private key: copy in the encrypted key file we saved earlier and create a password


Generate the P12 certificate



Save it

Note: if you need to convert the .p12 certificate to .pfx, import the .p12 certificate into your local certificate store and export it as .pfx

4. Upload newly renewed certificate

In my case, I have to upload the new certificate to my ASUS router and NAS

5. All done and enjoy

By rickygao on November 27, 2015 | PKI, Tech | A comment?