Virtual Trusted Platform Modules (vTPMs) in Hyper-V let you run guest operating systems such as Windows 11 or Windows Server 2025 with their security features enabled. One of the challenges of vTPMs is that they depend on certificates held on the local Hyper-V server. That is fine if you only ever run the VM with the vTPM on that server, but it is a likely source of problems if you want to move that VM to another server.
In this article I'll show you how to manage the certificates associated with vTPMs so that you can export or move VMs that use them, such as Windows 11 VMs, to any prepared Hyper-V host you manage.
When a vTPM is enabled on a Generation 2 virtual machine, Hyper-V automatically generates a pair of self-signed certificates on the host where the VM resides. These certificates are named:
- "Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)"
- "Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)"
These certificates are kept in a dedicated local certificate store on the Hyper-V host named "Shielded VM Local Certificates" (a top-level store alongside "Personal", reachable in PowerShell as Cert:\LocalMachine\Shielded VM Local Certificates). By default they are issued with a validity period of 10 years.
For a vTPM-enabled virtual machine to live migrate and then start on a new Hyper-V host, the "Shielded VM Local Certificates" from the source host (both the Encryption and the Signing certificate, together with their private keys) must be present on every potential destination host. Whoever holds those private keys can unwrap the key protector of every vTPM-enabled VM created on that host, so treat the certificates, and any export of them, as secrets.
Exporting vTPM related certificates.
You can transfer the certificates from one Hyper-V host to another using the following procedure:
- On the source Hyper-V host, open mmc.exe. From the "File" menu, select "Add/Remove Snap-in…". In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add". Choose "Computer account" and then "Local computer".
- In the console tree, navigate to "Certificates (Local Computer) > Shielded VM Local Certificates" (the store sits next to "Personal", not inside it).
- Select both the "Shielded VM Encryption Certificate" and the "Shielded VM Signing Certificate". Right-click the selected certificates, choose "All Tasks", and then click "Export".
- In the Certificate Export Wizard, on the "Export Private Key" page, select "Yes, export the private key". Without their private keys the certificates are useless for their intended purpose.
- Select "Personal Information Exchange – PKCS #12 (.PFX)" as the export file format. Tick "Include all certificates in the certification path if possible" (for these self-signed certificates that is only the certificate itself). Protect the PFX file with a strong password; you will need it during import. Because the PFX contains the private keys, keep the file off shared locations and delete it once the import on every target host is done.
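The same export done in PowerShell, as an added example that is not part of the original article: it locates the two guardian certificates by subject, refuses to continue if a private key is missing, and writes one PFX per certificate. The output folder C:\Temp\vTPM and the file naming are assumptions of this example, and the password is prompted for so that it does not end up on a command line or in a script.

```powershell
# Added example, not from the original article: export both vTPM guardian
# certificates (with private keys) from the source Hyper-V host.
# Assumptions: default local (UntrustedGuardian) key protectors are in use,
# and C:\Temp\vTPM is a placeholder output folder.
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$OutDir    = 'C:\Temp\vTPM'   # placeholder path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Prompt for the password so it never appears on a command line or in a script.
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Hyper-V names the certificates "Shielded VM Encryption Certificate (UntrustedGuardian) (HOST)"
# and "Shielded VM Signing Certificate (UntrustedGuardian) (HOST)"; match on the subject.
$Certs = @(Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -match 'Shielded VM (Encryption|Signing) Certificate' })

if ($Certs.Count -ne 2) {
    throw "Expected 2 guardian certificates in '$StorePath', found $($Certs.Count)."
}

foreach ($Cert in $Certs) {
    # A PFX without the private key cannot be used to start the VM on another host.
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key; cannot export."
    }
    $Kind = if ($Cert.Subject -match 'Encryption') { 'Encryption' } else { 'Signing' }
    $File = Join-Path -Path $OutDir -ChildPath "vTPM-$Kind-$env:COMPUTERNAME.pfx"

    # The certificates are self-signed, so there is no chain to include.
    Export-PfxCertificate -Cert $Cert -FilePath $File -Password $Password `
        -ChainOption EndEntityCertOnly | Out-Null

    Write-Output ('{0,-10} {1}  expires {2:yyyy-MM-dd}' -f $Kind, $Cert.Thumbprint, $Cert.NotAfter)
    Write-Output "           written to $File"
}
```

The expiry date is printed on purpose: a host whose guardian certificates are close to their 10-year limit is one you should not be copying keys from without also planning the key protector reset described later in the article.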
To do the same from the command line, first list the certificates in the "Shielded VM Local Certificates" store, including their serial numbers:
certutil -store "Shielded VM Local Certificates"
Then use the serial numbers to export each certificate, making sure the private key is included. Replace <SerialNumber> in each command with the value shown by the previous command (note that -p puts the password on the command line, where it is visible in process listings and shell history):
certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <SerialNumber> C:\Temp\VMEncryption.pfx
certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <SerialNumber> C:\Temp\VMSigning.pfx
Importing vTPM related certificates
To import these certificates on a Hyper-V host that you want to migrate a vTPM-enabled VM to, perform the following steps:
- Transfer the exported PFX files to every Hyper-V host that will serve as a potential live migration target. The files contain the private keys, so copy them over an authenticated, encrypted channel (for example an administrative SMB share or PowerShell remoting) rather than e-mail or a shared drop folder.
- On each target host, open mmc.exe and add the "Certificates" snap-in for the "Computer account" (Local Computer).
- Navigate to "Certificates (Local Computer) > Shielded VM Local Certificates". Right-click that folder, choose "All Tasks", and then click "Import".
- Work through the Certificate Import Wizard. On the "Certificate Store" page make sure the certificates are placed in the "Shielded VM Local Certificates" store, not in "Personal".
- After completing the wizard, verify that both the Encryption and the Signing certificate now appear in the "Shielded VM Local Certificates" store on the new host and that each one reports "You have a private key that corresponds to this certificate" when opened.
You can accomplish the same thing with PowerShell, one command per PFX file:
Import-PfxCertificate -FilePath "C:\Backup\CertificateName.pfx" -CertStoreLocation "Cert:\LocalMachine\Shielded VM Local Certificates" -Password (ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText)
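Import and verification on a target host in PowerShell, as an added example that is not from the original article. It assumes the PFX files produced on the source host were copied to C:\Temp\vTPM (a placeholder path); it checks that each imported certificate landed in the right store with its private key and is not yet expired, then removes the PFX files because they carry the private keys.

```powershell
# Added example, not from the original article: import the guardian PFX files on a
# migration target and verify that the private keys arrived in the right store.
# Assumption: the PFX files from the source host were copied to C:\Temp\vTPM (placeholder).
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$PfxDir    = 'C:\Temp\vTPM'   # placeholder path
$Password  = Read-Host -Prompt 'PFX password' -AsSecureString

$Imported = foreach ($Pfx in Get-ChildItem -Path $PfxDir -Filter '*.pfx') {
    # -Exportable keeps the key exportable so this host can in turn provision the next one;
    # leave it out if this host should be the end of the line for the key.
    Import-PfxCertificate -FilePath $Pfx.FullName -CertStoreLocation $StorePath `
        -Password $Password -Exportable
}

# Verification: each certificate must be in the store with its private key and must not be expired.
foreach ($Cert in $Imported) {
    $InStore = Get-ChildItem -Path "$StorePath\$($Cert.Thumbprint)"
    if (-not $InStore.HasPrivateKey) { throw "$($Cert.Thumbprint): private key missing after import." }
    if ($InStore.NotAfter -lt (Get-Date)) { throw "$($Cert.Thumbprint): expired on $($InStore.NotAfter)." }
    Write-Output ('OK  {0}  {1}' -f $InStore.Thumbprint, $InStore.Subject)
}

# The PFX files carry the private keys that unwrap every vTPM created on the source host:
# remove them once the import has succeeded on this host.
Remove-Item -Path (Join-Path -Path $PfxDir -ChildPath '*.pfx') -Force
```

The private-key check matters more than it looks: a PFX imported without its key still shows up in the store, so a glance at the MMC list can suggest the host is ready when the VM will in fact fail to start there.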
Updating vTPM related certificates.
Self-signed vTPM certificates expire after 10 years. Resetting the key protector of a vTPM-enabled VM re-wraps the VM's keys with the certificates currently in the local store, which is how you move a VM onto changed or renewed certificates (in particular when the private key has changed). The requirements and considerations around this process are:
- The VM must be in the Off state to change security settings or reset the key protector.
- The host must have the appropriate certificates, including their private keys, in the "Shielded VM Local Certificates" store. If the private key is missing, the key protector cannot be set or validated.
- Always back up the VM and the existing certificates before resetting the key protector; done wrong, this process can leave previously encrypted data (the VM's vTPM state and anything the guest sealed to that TPM) inaccessible.
- The VM must be at a supported configuration version (7.0 or higher) for the vTPM and key protector features.
To save the current key protector: on the source Hyper-V host, retrieve the VM's current key protector and save it to a file.
Get-VMKeyProtector -VMName 'VM001' | Out-File '.\VM001.kp'
To reset the key protector with a new local key protector:
Set-VMKeyProtector -VMName "VM001" -NewLocalKeyProtector
This command instructs Hyper-V to generate a new key protector using the certificates currently in the local store. After resetting, enable the vTPM if it is not already enabled:
Enable-VMTPM -VMName "VM001"
Note that if an incorrect key protector is applied to the VM, it may fail to start. In that case, Set-VMKeyProtector -VMName "VM001" -RestoreLastKnownGoodKeyProtector reverts to the last key protector that worked.
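The backup, reset and rollback steps above combined into one PowerShell script, as an added example that is not from the original article. It assumes the VM is called VM001 as in the article's commands and that C:\Temp\vTPM is a writable placeholder path; it saves the key protector as raw bytes (the form Set-VMKeyProtector -KeyProtector accepts directly), refuses to run unless the VM is Off, and rolls back if the VM fails to start with the new protector.

```powershell
# Added example, not from the original article: back up the key protector as raw bytes,
# reset it against the guardian certificates in this host's store, and roll back if the VM
# no longer starts. Assumptions: the VM is VM001 as in the article; C:\Temp\vTPM is a placeholder.
$VMName = 'VM001'
$Backup = "C:\Temp\vTPM\$VMName.kp"   # placeholder path
New-Item -ItemType Directory -Path (Split-Path -Path $Backup -Parent) -Force | Out-Null

$VM = Get-VM -Name $VMName
if ($VM.State -ne 'Off') {
    throw "$VMName must be Off before its key protector is changed (current state: $($VM.State))."
}

# Get-VMKeyProtector returns a byte array. Out-File would store it as one decimal number per
# line; the raw bytes are what Set-VMKeyProtector -KeyProtector accepts without conversion.
[byte[]]$OldKp = Get-VMKeyProtector -VMName $VMName
[System.IO.File]::WriteAllBytes($Backup, $OldKp)
Write-Output "Saved current key protector ($($OldKp.Length) bytes) to $Backup"

# Generate a new local key protector wrapped to the Encryption/Signing certificates currently
# in "Shielded VM Local Certificates" on this host.
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Enable-VMTPM -VMName $VMName
}

# The only real test is whether the VM boots. If it does not, restore the saved protector
# (equivalently: Set-VMKeyProtector -VMName $VMName -RestoreLastKnownGoodKeyProtector).
try {
    Start-VM -Name $VMName -ErrorAction Stop
    Write-Output "$VMName started with the new key protector."
}
catch {
    Write-Warning "Start failed: $($_.Exception.Message). Restoring the saved key protector."
    Stop-VM -Name $VMName -TurnOff -Force -ErrorAction SilentlyContinue
    Set-VMKeyProtector -VMName $VMName -KeyProtector ([System.IO.File]::ReadAllBytes($Backup))
}
```

Keep the .kp file with the same care as the PFX exports: it is only useful together with the guardian private keys, but it is the one artifact that lets you return the VM to its previous protector if the new certificates turn out to be wrong.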
More information: Set-VMKeyProtector: https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmkeyprotector