BindToHostTPM error in Hyper-V Manager Win 10 1803

    Question

  • Does 1803 break compatibility with Windows Server 2016?

    How can I fix this?

    On my technician computer, the settings in virtual machine \ settings \ hardware \ security have become unavailable for all Gen 2 VMs on all Hyper-V servers. It reads "Load Failed" as well as "Property 'BindToHostTPM' does not exist in class 'Msvm_SecuritySettingData'".

    This error makes sense, since it doesn't exist in Msvm_SecuritySettingData:

    class Msvm_SecuritySettingData : CIM_SettingData
    {
        boolean TpmEnabled;
        boolean KsdEnabled;
        boolean ShieldingRequested;
        boolean DataProtectionRequested;
        boolean EncryptStateAndVmMigrationTraffic;
        boolean VirtualizationBasedSecurityOptOut;
    };

    Hyper-V Manager: Windows 10 1803, build 17134.112

    Hyper-V Server: Hyper-V Server 2016 build 14393

    Thursday, June 21, 2018 5:49 AM

All replies

  • Hi,

    Thanks for your question.

    I have done some research on this symptom. Please refer to this link:

    https://blogs.technet.microsoft.com/datacentersecurity/2018/06/08/what-is-new-in-windows-10-1803-for-paw/

    A shielded VM can start on a host device after the device can attest its health to the correct HGS server. To further secure the VM and ensure only the owner of the VM can start it, we added a policy to lock the shielded VM to the device where it is created. This is a policy controlled by the administrator; the setting is stored in the shielding data file, and it is enforced at shielded VM creation time.

    New-ShieldingDataFile [-ShieldingDataFilePath] <string> [-Owner] <Guardian> [-VolumeIDQualifier] <VolumeIDQualifier[]> [-AnswerFile] <NamedFileContent> [[-OtherFile] <NamedFileContent[]>] [[-Guardian] <Guardian[]>] [-Policy {Shielded | EncryptionSupported}]  [-BindToHostTpm <bool>] [-WhatIf] [-Confirm]  [<CommonParameters>] 
    

    By setting the BindToHostTpm to true, the shielded VM will only start on the device where it is created. This is to prevent a case where an insider tries to steal a shielded VM and attempts to get it started on a different PAW device.

    We can see the shielded VM can start by retrieving the parameter BindToHostTpm; however, it can't find it in the shielding data file. It may be a known issue.

    Based on the specific situation, we suggest you try to start the shielded VM from the Hyper-V server locally to see if it works.

    Reference link:

    https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms

    Hope this helps. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, June 22, 2018 5:52 AM
    Moderator
  • Thanks for finding this, but I don't see how this applies to my configuration, because all I have are plain, regular config 8.0 Gen 2 VMs.

    There are no PAW devices or shielded VMs or any of that. I shouldn't have this error, right?

    Friday, June 22, 2018 10:10 AM
  • I have this problem too. Windows Server 2016 Datacenter with a Gen 2 Windows 10 1803 VM.

    I am running Hyper-V Manager on Windows 10 1803 and connecting to a VM on Server 2016.

    I see the same error. If I open the settings for the VM directly on Server 2016, there is no problem.

    The VM is not shielded, and even Secure Boot is turned off.

    Friday, June 22, 2018 10:57 AM
    • Edited by PKersey Friday, June 22, 2018 11:15 AM typo
    Friday, June 22, 2018 11:15 AM
  • I'm also seeing this with Windows Server 2016; I just needed to turn off Secure Boot via PS to install a new VM. This seems to be yet another bug from Microsoft with the latest updates.
    • Proposed as answer by Thomas M.T. _ Wednesday, July 25, 2018 1:56 PM
    Monday, June 25, 2018 2:52 PM
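
The following PowerShell is an added example for this thread, not code posted by any participant or by Microsoft. It does two things the posts above reason about by hand: it compares the Msvm_SecuritySettingData class as the Server 2016 host actually defines it (in the root\virtualization\v2 namespace that Hyper-V Manager queries) with the copy on the local 1803 client, so you can see whether a property the GUI asks for (BindToHostTpm) is missing on the host only; and it reads and changes the Security/Secure Boot settings through the Hyper-V module, which is the workaround the last reply describes. The host name HV01 and VM name TESTVM are placeholders; the script assumes WinRM is reachable on the host and that you are an administrator on both machines.

```powershell
# Added example, not from the thread. Placeholders: host HV01, VM TESTVM.
param(
    [string]$HostName = 'HV01',
    [string]$VMName   = 'TESTVM',
    [string]$Property = 'BindToHostTpm'
)

$namespace = 'root\virtualization\v2'
$className = 'Msvm_SecuritySettingData'

# 1. Enumerate the class properties as defined on the host (over WinRM/CIM).
$session   = New-CimSession -ComputerName $HostName
$hostProps = (Get-CimClass -CimSession $session -Namespace $namespace -ClassName $className).CimClassProperties.Name
"Properties of $className on $HostName :"
$hostProps | Sort-Object

# 2. Enumerate the same class on this client, if the client has the Hyper-V WMI
#    provider installed (it may not on a management-tools-only install).
$localProps = @()
try {
    $localProps = (Get-CimClass -Namespace $namespace -ClassName $className -ErrorAction Stop).CimClassProperties.Name
    "Properties of $className on $env:COMPUTERNAME :"
    $localProps | Sort-Object
} catch {
    Write-Warning "Class $className is not available locally on $env:COMPUTERNAME; skipping the local comparison."
}

# 3. Decide whether the property the GUI complains about is a host-side gap.
if ($Property -notin $hostProps -and $Property -in $localProps) {
    Write-Warning "'$Property' exists in the local client schema but not on $HostName: the manager is newer than the host."
} elseif ($Property -notin $hostProps) {
    Write-Warning "'$Property' is not defined on $HostName."
} else {
    "'$Property' is defined on $HostName."
}

# 4. Read the VM's security and firmware settings through the Hyper-V module instead
#    of the GUI page that fails to load.
Get-VMSecurity -VMName $VMName -ComputerName $HostName | Format-List *
Get-VMFirmware -VMName $VMName -ComputerName $HostName | Format-List SecureBoot, SecureBootTemplate

# 5. Workaround from the thread: toggle Secure Boot from PowerShell. The VM must be
#    powered off; re-enable afterwards with -EnableSecureBoot On.
Set-VMFirmware -VMName $VMName -ComputerName $HostName -EnableSecureBoot Off

Remove-CimSession $session
```

Step 3 is the useful diagnostic: the error text in the question comes from the client-side dialog asking the host's WMI provider for a property, so if the property appears only in the local schema the problem is a client/host version mismatch rather than anything about the VM itself, which matches the observation that opening the same VM's settings directly on the Server 2016 host works.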