Blog Post

ITOps Talk Blog
4 MIN READ

Hyper-V Virtual TPMs, Certificates, VM Export and Migration

OrinThomas's avatar
OrinThomas
Icon for Microsoft rankMicrosoft
Jul 06, 2025

Virtual Trusted Platform Modules (vTPM) in Hyper-V allow you to run guest operating systems, such as Windows 11 or Windows Server 2025 with security features enabled. One of the challenges of vTPMs is that they rely on certificates on the local Hyper-V server. Great if you’re only running the VM with the vTPM on that server, but a possible cause of issues if you want to move that VM to another server.

In this article I’ll show you how to manage the certificates that are associated with vTPMs so that you’ll be able to export or move VMs that use them, such as Windows 11 VMs, to any prepared Hyper-V host you manage.

When a vTPM is enabled on a Generation 2 virtual machine, Hyper-V automatically generates a pair of self-signed certificates on the host where the VM resides. These certificates are specifically named:

  • "Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)"
  • "Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)".

These certificates are stored in a unique local certificate store on the Hyper-V host named "Shielded VM Local Certificates". By default, these certificates are provisioned with a validity period of 10 years.

 

For a vTPM-enabled virtual machine to successfully live migrate and subsequently start on a new Hyper-V host, the "Shielded VM Local Certificates" (both the Encryption and Signing certificates) from the source host must be present and trusted on all potential destination Hyper-V hosts.

Exporting vTPM related certificates.

You can transfer certificates from one Hyper-V host to another using the following procedure:

  1. On the source Hyper-V host, open mmc.exe. From the "File" menu, select "Add/Remove Snap-in..." In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add." Choose "Computer account" and then "Local Computer".
  2. Navigate through the console tree to "Certificates (Local Computer) > Personal > Shielded VM Local Certificates".
  3. Select both the "Shielded VM Encryption Certificate" and the "Shielded VM Signing Certificate." Right-click the selected certificates, choose "All Tasks," and then click "Export".
  4. In the Certificate Export Wizard, on the "Export Private Key" page, select "Yes, export the private key". The certificates are unusable for their intended purpose without their associated private keys.
  5. Select "Personal Information Exchange - PKCS #12 (.PFX)" as the export file format. Select "Include all certificates in the certification path if possible". Provide a strong password to protect the PFX file. This password will be required during the import process.

To perform this process using the command line, display details of the certificates in the "Shielded VM Local Certificates" store, including their serial numbers.

certutil -store "Shielded VM Local Certificates"

Use the serial numbers to export each certificate, ensuring the private key is included. Replace <Serial_Number_Encryption_Cert> and <Serial_Number_Signing_Cert> with the actual serial numbers, and "YourSecurePassword" with a strong password:

certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <Serial_Number_Encryption_Cert> C:\Temp\VMEncryption.pfx

certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <Serial_Number_Signing_Cert> C:\Temp\VMSigning.pfx

Importing vTPM related certificates

To import these certificates on a Hyper-V host that you want to migrate a vTPM enabled VM to, perform the following steps:

  1. Transfer the exported PFX files to all Hyper-V hosts that will serve as potential live migration targets.
  2. On each target host, open mmc.exe and add the "Certificates" snap-in for the "Computer account" (Local Computer).
  3. Navigate to "Certificates (Local Computer) > Personal." Right-click the "Personal" folder, choose "All Tasks," and then click "Import".
  4. Proceed through the Certificate Import Wizard. Ensure the certificates are placed in the "Shielded VM Local Certificates" store.
  5. After completing the wizard, verify that both the Encryption and Signing certificates now appear in the "Shielded VM Local Certificates" store on the new host.

You can accomplish the same thing using PowerShell with the following command:

Import-PfxCertificate -FilePath "C:\Backup\CertificateName.pfx" -CertStoreLocation "Cert:\LocalMachine\Shielded VM Local Certificates" -Password (ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText)

Updating vTPM related certificates.

Self signed vTPM certificates automatically expire after 10 years. Resetting the key protector for a vTPM-enabled VM in Hyper-V allows you change or renew the underlying certificates (especially if the private key changes). Here are the requirements and considerations around this process:

  • The VM must be in an off state to change security settings or reset the key protector
  • The host must have the appropriate certificates (including private keys) in the "Shielded VM Local Certificates" store. If the private key is missing, the key protector cannot be set or validated.
  • Always back up the VM and existing certificates before resetting the key protector, as this process can make previously encrypted data inaccessible if not performed correctly.
  • The VM must be at a supported configuration version (typically version 7.0 or higher) to support vTPM and key protector features.

To save the Current Key Protector: On the source Hyper-V host, retrieve the current Key Protector for the VM and save it to a file.

Get-VMKeyProtector -VMName 'VM001' | Out-File '.\VM001.kp'

To reset the key protector with a new local key protector:

Set-VMKeyProtector -VMName "<VMNAME>" -NewLocalKeyProtector

This command instructs Hyper-V to generate a new key protector using the current local certificates. After resetting, enable vTPM if needed:

Enable-VMTPM -VMName "<VMNAME>"

It is important to note that if an incorrect Key Protector is applied to the VM, it may fail to start. In such cases, the Set-VMKeyProtector -RestoreLastKnownGoodKeyProtector cmdlet can be used to revert to the last known working Key Protector.

More information: Set-VMKeyProtector: https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmkeyprotector

Published Jul 06, 2025
Version 1.0
windows server

7 Comments

  • swhitestrath's avatar
    swhitestrath
    Brass Contributor
    Oct 01, 2025

    I’ve been experimenting with vTPM in Hyper-V, particularly around enabling virtualization-based security features (Credential Guard, code integrity, etc.)
    In a lab setup I tried the following approach using the following PowerShell scripts. https://github.com/SergeCaron/UntrustedGuardianMove

    • On Host A, when I first enabled vTPM on a VM, Hyper-V generated the usual Shielded VM Encryption and Shielded VM Signing certificates.
    • I exported these as PFX files
    • On Host B, I imported them and created a guardian using the exported certs
    New-HgsGuardian -Name $GuardianName -SigningCertificate "$SigningCertificate" -SigningCertificatePassword $CertificatePassword -EncryptionCertificate "$EncryptionCertificate" -EncryptionCertificatePassword $CertificatePassword -AllowExpired -AllowUntrustedRoot

    My Observations

    • With this setup, both hosts appear to be able to share the same certificate pair.
    • Existing vTPM-enabled VMs created on Host A can be migrated to Host B and started successfully.
    • In my limited testing, new VMs created on Host B after importing the certs also seem to work under this same shared pair.

    I realize this reduces security because it creates a single point of failure: if that certificate pair is ever compromised, any host with those certs could decrypt the vTPM state and run the VMs. There’s no per-host trust boundary.

    I know ideally the correct and supported way forward would be to deploy a Host Guardian Service (HGS) but that’s quite an undertaking.

    Beyond the obvious single-point-of-failure risk, are there other downsides or hidden pitfalls to this approach? I’m not proposing this as best practice, just exploring the concept and looking for insights into whether sharing a certificate pair across hosts is something Hyper-V is designed to support.

     

     

  • Jpanski's avatar
    Jpanski
    Brass Contributor
    Jul 14, 2025

    Thanks for the article.  It came at a good time with Windows 10 reaching EOL.

    I do have a question regarding backups/restores.  I recently had an issue where I had to restore a Windows 11 virtual machine to another host since the original host was gone.  I couldn't get the VM to start and now know why.  I got an error the key protector could not be unwrapped.  Is there anything that can be done for restores when the original host/certificates are gone?  Outside of restoring the entire host and exporting the certificates, I don't see a way to restore certificates from a backup.  Thank you.

    • OrinThomas's avatar
      OrinThomas
      Icon for Microsoft rankMicrosoft
      Jul 15, 2025

      If the backup contains the VHDX file and the VM was not fully shielded (only encrypted with vTPM), and you can afford loss of the vTPM state, you might:

      • Create a new VM
      • Attach the existing VHDX file
      • Do not enable vTPM or shielding

       

      However, this will break:

      • BitLocker inside the guest
      • Any features relying on vTPM (e.g., Secure Boot with key attestations)

       

      If BitLocker was used inside the guest OS (which is common with vTPM), and the protector used TPM-only mode, you're locked out unless you have:

      • The BitLocker recovery key
      • Or a saved recovery password ID
      • Karl-WE's avatar
        Karl-WE
        MVP
        Dec 09, 2025

        Hi OrinThomas​, thank you for sharing this guidance. That's excellent and helpful. Hopefully there is a same reference in the documentation for Windows 11, Windows Server and Azure Local. Didn't check at the time of writing. 

         

        I would like to emphasize this all doesn't apply not only to VMs running on Windows 11, but also to business use, such as Windows Server, Azure Local and to clusters when you need to move the VM to another cluster. 

         

        While I understand the "don't shoot the messenger" sentiment, the whole design is overly complicated when VMs need to move as part of a shared-nothing live migration, or even worse, from one cluster or Windows instance to another. Let me bring up some use cases:

         

        Scenarios

        A customer using Windows 11 or Windows Server, or Azure Local for VMs productive or lab. 

         

        Questions for guidance:

        1. Will Windows Backup or a third party such as Veeam B&R backup and restore the VM certificates with the VM by default, when saving a vTPM protected VM?
        2. What about customers or consumers using Windows 11 with multiboot, especially Windows Insides, when one instance of Windows becomes inaccessible? 
        3. The BitLocker key is not saved or is inaccessible. (see your instructions above)
        4. Windows won't boot anymore due to a bug or failure? How to fetch the certs from Windows RE or Booting the ISO?
        5. Export and import the VM will deal with the certs. Shared nothing live migration / storage migration seems not. 
        6. Will storage / Hyper-V replica deal with the cert management? 
        7. Sidequest: What about all the VMs coming from other vendors like VMware that end up as Gen1 VMs, because no one dealt with Secure Boot? How can we convert Gen1 to Gen2. While scripts exist it's not supported or endorsed by Microsoft. Gen1 cannot handle vTPM and with the current market movements and migrations we are just creating unintentional legacy at scale. (WAC VM conversion extension for Windows Server or Azure Migrate for Azure and Azure Local).

         

        Here's the catch:

        Previously, it was very easy to recover the VMs. Now we need to disable vTPM in a worst case scenario and sacrificing the VM security. 

        Personally I expect that vTPM will become the norm and be required (hopefully) with Windows Server vNext, to comply with Microsofts efforts for improved security. 

        This got skipped intentionally. 

        Although it is not mandatory, unlike with Windows 11, customers and users can and should choose vTPM for Windows Server 2022 and 2025, so they can leverage more security features within the VM. It's not just for Bitlocker. 

         

        In the above scenarios, certs management using old tools or the Windows Admin Center could become problematic. 

        For vTPM the same rules apply to Hyper-V and VMware vTPM. Yet for VMware I believe there is a host based cert, not sure if it's a pair for each VM. It's not my area. 

         

         We should expect vTPM to become the de facto standard, which will require easier management and greater awareness in the future. 

        Thank you for sharing more guidance for the listed questions and common scenarios. 

         

        Other references: BLOG: Windows 11 security and how to get there, if you want | Microsoft Community Hub

         

  • echikongen's avatar
    echikongen
    Copper Contributor
    Jul 09, 2025

    Thanks for this great article.

    I have a Hyper-V VM with vTPM. The VM should autoenroll a certificate with key attestation which should be saved in vTPM. But I didn't get it working because there is no Endorsement Key. Does Hyper-V vTPM offer a Endorsement Key (EK) Certificate? "Get-TpmEndorsementKeyInfo" shows nothing.

    • OrinThomas's avatar
      OrinThomas
      Icon for Microsoft rankMicrosoft
      Jul 09, 2025

      This is what I got on two different VMs with vTPMs, one running on Hyper-V, the other on Azure. - you aren't getting this result (Present etc?)

      • echikongen's avatar
        echikongen
        Copper Contributor
        Jul 09, 2025

        Exactly. For VMware it looks this way:

        So I think Microsoft does not support EK with their vTPM.