How to enable vTPM and BitLocker on Windows Server 2016 running on Hyper-V

If you’re running Windows Server 2016 as a virtual machine (VM) on Hyper-V and want to secure it with BitLocker, you’ll need to enable a virtual Trusted Platform Module (vTPM) first. BitLocker depends on TPM to securely store encryption keys, and on Hyper-V, this means configuring the VM to support vTPM through a generation 2 VM with Secure Boot enabled.

Here’s a step-by-step guide to get it done.


Prerequisites

Before you start, make sure:

  • Your host is running Windows 10/11 Pro, Enterprise, or Windows Server 2016 or later.
  • Hyper-V is installed and the VM is a Generation 2 VM.
  • The VM is running Windows Server 2016.
  • You have admin rights on both the host and the guest OS.
  • The BitLocker Drive Encryption feature is installed inside the VM (on Windows Server it is an installable feature, not present by default) and any Group Policy settings it requires are configured.

Step 1: Shut Down the VM

You can’t change the security settings of a VM while it’s running. Shut it down from Hyper-V Manager or via PowerShell:

Stop-VM -Name "YourVMName"

Step 2: Enable Secure Boot and Add vTPM

Now, configure the VM to support Secure Boot and add the virtual TPM chip.

Using Hyper-V Manager:

  1. Open Hyper-V Manager.
  2. Right-click the VM > Settings.
  3. Under Security:
    • Check Enable Secure Boot.
    • Check Enable Trusted Platform Module.

Or via PowerShell:

Set-VMFirmware -VMName "YourVMName" -EnableSecureBoot On
Set-VMKeyProtector -VMName "YourVMName" -NewLocalKeyProtector   # required before Enable-VMTPM on a host without a Host Guardian Service
Enable-VMTPM -VMName "YourVMName"

Step 3: Start the VM

Boot the VM normally:

Start-VM -Name "YourVMName"

Step 4: Configure BitLocker in the VM

Once you’re back inside the guest OS (Windows Server 2016), you can turn on BitLocker.

Option 1: Use the GUI

  1. Go to Control Panel > BitLocker Drive Encryption.
  2. Click Turn on BitLocker for the OS volume.
  3. Choose your encryption method and save your recovery key.
  4. Follow the prompts to start encryption.

Option 2: Use PowerShell

# TpmAndPin needs a startup PIN; pass it as a SecureString instead of being prompted for it
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin (Read-Host -AsSecureString "Startup PIN")

Note: You may need to configure Group Policy to allow BitLocker without a compatible TPM if you encounter errors. See below.


Step 5: (Optional) Configure Group Policy for BitLocker

If BitLocker refuses to start due to TPM requirements, adjust this Group Policy setting inside the VM:

  1. Run gpedit.msc.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Open Require additional authentication at startup.
  4. Enable it, and check Allow BitLocker without a compatible TPM.

Run gpupdate /force to apply the changes.
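As an added example that is not part of the original post, here is the host-side part of Steps 1 to 3 as a single script: it refuses to continue on a Generation 1 VM, creates the local key protector that the vTPM needs on a host without a Host Guardian Service, enables Secure Boot and the vTPM, and then reports what the host believes about the VM's security state. The VM name is a placeholder, and a standalone Hyper-V host is assumed.

```powershell
# Added example, not from the original post. Host-side: enable Secure Boot and vTPM on a
# Generation 2 VM and verify the result. Assumes a standalone Hyper-V host (no HGS), so
# the vTPM state is wrapped with a local key protector bound to this host's certificates.
$VMName = "YourVMName"   # placeholder: replace with your VM's name

$vm = Get-VM -Name $VMName -ErrorAction Stop

# vTPM and Secure Boot are Generation 2 features; a Generation 1 VM cannot be converted.
if ($vm.Generation -ne 2) {
    throw "'$VMName' is Generation $($vm.Generation); vTPM requires a Generation 2 VM."
}

# Security settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VMName      # graceful shutdown; returns once the VM has stopped
}

# Secure Boot with the Windows template, which is the right one for a Windows guest.
Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows

# Enable-VMTPM fails on a host without HGS unless the VM already has a key protector.
# Hyper-V Manager creates one silently when you tick the checkbox; here it is explicit.
# Only done when the vTPM is not yet enabled, so an existing key protector is kept.
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName
}

Start-VM -Name $VMName

# Report the resulting configuration as seen from the host.
$fw  = Get-VMFirmware -VMName $VMName
$sec = Get-VMSecurity -VMName $VMName
[pscustomobject]@{
    VM                 = $VMName
    Generation         = $vm.Generation
    SecureBoot         = $fw.SecureBoot            # expect 'On'
    SecureBootTemplate = $fw.SecureBootTemplate    # expect 'MicrosoftWindows'
    TpmEnabled         = $sec.TpmEnabled           # expect True
}
```

Inside the guest, `Get-Tpm` should then report TpmPresent and TpmReady as True before you run Step 4. Because the local key protector is bound to this host, back up the BitLocker recovery key before moving the VM to another host.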


Wrapping Up

With vTPM enabled and BitLocker configured, your VM’s data is now protected with full-volume encryption. This is essential for compliance, protection against offline attacks, and peace of mind—especially if you’re hosting sensitive workloads in your Hyper-V environment.

Got any questions or stuck on a step? Drop a comment below or reach out—we’re here to help.
