Virtual Trusted Platform Modules (vTPM) in Hyper-V let you run guest operating systems, such as Windows 11 or Windows Server 2025, with security features that require a TPM enabled. One of the challenges of vTPMs is that they depend on certificates that live on the local Hyper-V server. That is fine when you only ever run the VM with the vTPM on that server, but it is a likely cause of problems when you want to move that VM to another server.
In this article I'll show you how to manage the certificates that are associated with vTPMs so that you can export or move VMs that use them, such as Windows 11 VMs, to any prepared Hyper-V host you manage.
When a vTPM is enabled on a Generation 2 virtual machine, Hyper-V automatically generates a pair of self-signed certificates on the host where the VM resides. These certificates are named:
- "Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)"
- "Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)"
These certificates are stored in a dedicated local certificate store on the Hyper-V host named "Shielded VM Local Certificates". By default, these certificates are provisioned with a validity period of 10 years.
For a vTPM-enabled virtual machine to successfully live migrate and then start on a new Hyper-V host, the "Shielded VM Local Certificates" (both the Encryption and Signing certificates, with their private keys) from the source host must be present and trusted on every potential destination Hyper-V host.
Exporting vTPM related certificates
You can transfer certificates from one Hyper-V host to another using the following procedure:
- On the source Hyper-V host, open mmc.exe. From the "File" menu, select "Add/Remove Snap-in…". In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add". Choose "Computer account" and then "Local Computer".
- Navigate through the console tree to "Certificates (Local Computer) > Personal > Shielded VM Local Certificates".
- Select both the "Shielded VM Encryption Certificate" and the "Shielded VM Signing Certificate". Right-click the selected certificates, choose "All Tasks", and then click "Export".
- In the Certificate Export Wizard, on the "Export Private Key" page, select "Yes, export the private key". The certificates are unusable for their intended purpose without their associated private keys.
- Select "Personal Information Exchange – PKCS #12 (.PFX)" as the export file format. Select "Include all certificates in the certification path if possible". Provide a strong password to protect the PFX file. This password will be required during the import process.
To perform this process from the command line, first display the details of the certificates in the "Shielded VM Local Certificates" store, including their serial numbers:
certutil -store "Shielded VM Local Certificates"
Use the serial numbers to export each certificate, making sure the private key is included. Replace the serial-number placeholder in each command with the serial number shown by certutil -store:
certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <EncryptionCertSerialNumber> C:\Temp\VMEncryption.pfx
certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <SigningCertSerialNumber> C:\Temp\VMSigning.pfx
Importing vTPM related certificates
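The same export, scripted with the PKI module so that both certificates are found by subject rather than by copying serial numbers around. This is an added example, not code from the original article: it assumes the certificate subjects contain "Shielded VM Encryption Certificate" and "Shielded VM Signing Certificate" as described above, and the output folder is a placeholder you replace. It refuses to export a certificate whose private key is not present, because such a PFX would be useless on the destination host.

```powershell
# Added example: export both Shielded VM Local Certificates with their private keys
# on the source Hyper-V host. Run from an elevated PowerShell session.
param(
    [string]$ExportDir = 'C:\Temp\vTPM-Certs',   # placeholder output folder (assumption)
    [string]$HostTag   = $env:COMPUTERNAME        # used to name the PFX files
)

$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# Prompt for the PFX password instead of leaving it in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

if (-not (Test-Path $ExportDir)) {
    New-Item -ItemType Directory -Path $ExportDir | Out-Null
}

$certs = Get-ChildItem -Path $StorePath
if (-not $certs) {
    throw "No certificates found in '$StorePath'. Has a vTPM ever been enabled on this host?"
}

foreach ($cert in $certs) {
    # Identify which half of the pair this is from its subject; skip anything else.
    $kind = switch -Wildcard ($cert.Subject) {
        '*Shielded VM Encryption Certificate*' { 'Encryption' }
        '*Shielded VM Signing Certificate*'    { 'Signing' }
        default                                { $null }
    }
    if (-not $kind) {
        Write-Warning "Skipping unexpected certificate: $($cert.Subject)"
        continue
    }

    # A PFX without the private key cannot back a key protector, so fail early.
    if (-not $cert.HasPrivateKey) {
        throw "Private key missing for $kind certificate ($($cert.Thumbprint))"
    }

    $out = Join-Path $ExportDir "$HostTag-vTPM-$kind.pfx"
    # BuildChain mirrors the wizard's "Include all certificates in the certification path".
    Export-PfxCertificate -Cert $cert -FilePath $out -Password $PfxPassword -ChainOption BuildChain | Out-Null

    # Emit a manifest entry so the destination host can be checked against it later.
    [pscustomobject]@{
        Kind       = $kind
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        File       = $out
    }
}
```

Save the script as, for example, Export-vTPMCerts.ps1 and pipe its output to Export-Csv to keep a manifest of thumbprints and expiry dates alongside the PFX files; the thumbprints are what you compare against on the destination host after importing.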
To import these certificates on a Hyper-V host that you want to migrate a vTPM-enabled VM to, perform the following steps:
- Transfer the exported PFX files to all Hyper-V hosts that may serve as potential live migration targets.
- On each target host, open mmc.exe and add the "Certificates" snap-in for the "Computer account" (Local Computer).
- Navigate to "Certificates (Local Computer) > Personal". Right-click the "Personal" folder, choose "All Tasks", and then click "Import".
- Proceed through the Certificate Import Wizard. Make sure the certificates are placed in the "Shielded VM Local Certificates" store.
- After completing the wizard, verify that both the Encryption and Signing certificates now appear in the "Shielded VM Local Certificates" store on the new host.
You can accomplish the same thing using PowerShell with the following command:
Import-PfxCertificate -FilePath "C:\Backup\CertificateName.pfx" -CertStoreLocation "Cert:\LocalMachine\Shielded VM Local Certificates" -Password (ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText)
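The import step with the verification the article asks for folded in. This is an added example, not code from the original article: it assumes the PFX files were copied to a placeholder folder, and the optional list of expected thumbprints is whatever you recorded on the source host. After importing it re-reads the store and checks that an Encryption and a Signing certificate are present, that each carries a private key, and that none is close to its 10-year expiry; a target host that already has its own pair will now hold two of each kind, which is expected.

```powershell
# Added example: import the source host's PFX files on a destination Hyper-V host
# and verify the store afterwards. Run from an elevated PowerShell session.
param(
    [string]$PfxDir = 'C:\Temp\vTPM-Certs',        # placeholder: where the PFX files were copied (assumption)
    [string[]]$ExpectedThumbprints = @()           # optional: thumbprints recorded on the source host
)

$StorePath   = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$imported = foreach ($pfx in Get-ChildItem -Path $PfxDir -Filter '*.pfx') {
    # Import-PfxCertificate returns the X509Certificate2 objects it placed in the store.
    Import-PfxCertificate -FilePath $pfx.FullName -CertStoreLocation $StorePath -Password $PfxPassword
}

# Re-read the store rather than trusting the import output.
$store    = Get-ChildItem -Path $StorePath
$problems = @()

foreach ($kind in 'Encryption', 'Signing') {
    $match = $store | Where-Object { $_.Subject -like "*Shielded VM $kind Certificate*" }
    if (-not $match) {
        $problems += "$kind certificate is not in the store"
        continue
    }
    foreach ($c in $match) {
        if (-not $c.HasPrivateKey) {
            $problems += "$kind certificate $($c.Thumbprint) has no private key"
        }
        if ($c.NotAfter -lt (Get-Date).AddDays(90)) {
            $problems += "$kind certificate $($c.Thumbprint) expires $($c.NotAfter)"
        }
    }
}

# If the source host's thumbprints were supplied, every one must now be present here.
foreach ($tp in $ExpectedThumbprints) {
    if (-not ($store.Thumbprint -contains $tp)) {
        $problems += "Expected thumbprint $tp not found in '$StorePath'"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'vTPM certificate import verification failed'
}
Write-Output "Imported $(@($imported).Count) certificate(s); store verification passed on $env:COMPUTERNAME"
```

Private keys imported this way are not marked exportable; add the -Exportable switch to Import-PfxCertificate only if this host must later act as a source for yet another host, since an exportable key is easier to exfiltrate from a compromised host.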
Updating vTPM related certificates
Self-signed vTPM certificates automatically expire after 10 years. Resetting the key protector for a vTPM-enabled VM in Hyper-V allows you to change or renew the underlying certificates (especially when the private key changes). Here are the requirements and considerations for this process:
- The VM must be in an Off state to change security settings or reset the key protector.
- The host must have the appropriate certificates (including private keys) in the "Shielded VM Local Certificates" store. If the private key is missing, the key protector cannot be set or validated.
- Always back up the VM and the existing certificates before resetting the key protector, because this process can make previously encrypted data inaccessible if it is not performed correctly.
- The VM must be at a supported configuration version (typically version 7.0 or higher) to support vTPM and key protector features.
To save the current Key Protector: on the source Hyper-V host, retrieve the current Key Protector for the VM and save it to a file.
Get-VMKeyProtector -VMName 'VM001' | Out-File '.\VM001.kp'
To reset the key protector with a new local key protector:
Set-VMKeyProtector -VMName "VM001" -NewLocalKeyProtector
This command instructs Hyper-V to generate a new key protector using the current local certificates. After resetting, enable the vTPM if needed:
Enable-VMTPM -VMName "VM001"
It is important to note that if an incorrect Key Protector is applied to the VM, it may fail to start. In such cases, the Set-VMKeyProtector cmdlet with the -RestoreLastKnownGoodKeyProtector parameter can be used to revert to the last known working Key Protector.
More information: Set-VMKeyProtector: https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmkeyprotector
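The whole reset procedure above (state check, backup, reset, re-enable vTPM, rollback on failure) as one script. This is an added example, not code from the original article: the VM name and backup folder are placeholders, and it saves the key protector as raw bytes with WriteAllBytes rather than Out-File so that the file can be handed straight back to Set-VMKeyProtector -KeyProtector if the built-in rollback is not enough.

```powershell
# Added example: back up a VM's key protector, reset it to a new local key protector,
# confirm the vTPM is enabled, and fall back to the last-known-good protector if the
# VM will not start. Run from an elevated PowerShell session on the VM's Hyper-V host.
param(
    [Parameter(Mandatory)][string]$VMName,         # e.g. VM001
    [string]$BackupDir = 'C:\Temp\vTPM-KP'         # placeholder backup folder (assumption)
)

$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' is $($vm.State); it must be Off before the key protector can be changed"
}

# 1. Save the current key protector as raw bytes (Get-VMKeyProtector returns byte[]).
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$kpFile = Join-Path $BackupDir "$VMName-$stamp.kp"
[byte[]]$kp = Get-VMKeyProtector -VMName $VMName
[System.IO.File]::WriteAllBytes($kpFile, $kp)
Write-Output "Saved current key protector ($($kp.Length) bytes) to $kpFile"

# 2. Generate a new local key protector from the certificates in the local store.
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector

# 3. Make sure the vTPM is (still) enabled, then try to start the VM.
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Enable-VMTPM -VMName $VMName
}

try {
    Start-VM -Name $VMName -ErrorAction Stop
    Write-Output "VM '$VMName' started with the new key protector"
}
catch {
    Write-Warning "Start failed: $($_.Exception.Message). Reverting to the last known good key protector."
    Set-VMKeyProtector -VMName $VMName -RestoreLastKnownGoodKeyProtector
    # If the built-in rollback does not help, re-apply the protector saved in step 1:
    # Set-VMKeyProtector -VMName $VMName -KeyProtector ([System.IO.File]::ReadAllBytes($kpFile))
    Start-VM -Name $VMName
}
```

Keep the saved .kp file with the VM's other backups: it is the only copy of the protector that matched the previous certificates, and without it a VM whose host certificates have changed cannot be recovered.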
