Virtual Trusted Platform Modules (vTPM) in Hyper-V allow you to run guest operating systems, such as Windows 11 or Windows Server 2025 with security features enabled. One of the challenges of vTPMs is that they rely on certificates on the local Hyper-V server. Great if you’re only running the VM with the vTPM on that server, but a possible cause of issues if you want to move that VM to another server.
In this article I’ll show you how to manage the certificates that are associated with vTPMs so that you’ll be able to export or move VMs that use them, such as Windows 11 VMs, to any prepared Hyper-V host you manage.
When a vTPM is enabled on a Generation 2 virtual machine, Hyper-V automatically generates a pair of self-signed certificates on the host where the VM resides. These certificates are specifically named:
- "Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)"
- "Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)".
These certificates are stored in a unique local certificate store on the Hyper-V host named "Shielded VM Local Certificates". By default, these certificates are provisioned with a validity period of 10 years.
For a vTPM-enabled virtual machine to successfully live migrate and subsequently start on a new Hyper-V host, the "Shielded VM Local Certificates" (both the Encryption and Signing certificates) from the source host must be present and trusted on all potential destination Hyper-V hosts.
Exporting vTPM related certificates.
You can transfer certificates from one Hyper-V host to another using the following procedure:
- On the source Hyper-V host, open mmc.exe. From the "File" menu, select "Add/Remove Snap-in..." In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add." Choose "Computer account" and then "Local Computer".
- Navigate through the console tree to "Certificates (Local Computer) > Personal > Shielded VM Local Certificates".
- Select both the "Shielded VM Encryption Certificate" and the "Shielded VM Signing Certificate." Right-click the selected certificates, choose "All Tasks," and then click "Export".
- In the Certificate Export Wizard, on the "Export Private Key" page, select "Yes, export the private key". The certificates are unusable for their intended purpose without their associated private keys.
- Select "Personal Information Exchange - PKCS #12 (.PFX)" as the export file format. Select "Include all certificates in the certification path if possible". Provide a strong password to protect the PFX file. This password will be required during the import process.
To perform this process using the command line, display details of the certificates in the "Shielded VM Local Certificates" store, including their serial numbers.
certutil -store "Shielded VM Local Certificates"
Use the serial numbers to export each certificate, ensuring the private key is included. Replace <Serial_Number_Encryption_Cert> and <Serial_Number_Signing_Cert> with the actual serial numbers, and "YourSecurePassword" with a strong password:
certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <Serial_Number_Encryption_Cert> C:\Temp\VMEncryption.pfx
certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <Serial_Number_Signing_Cert> C:\Temp\VMSigning.pfx
Importing vTPM related certificates
To import these certificates on a Hyper-V host that you want to migrate a vTPM enabled VM to, perform the following steps:
- Transfer the exported PFX files to all Hyper-V hosts that will serve as potential live migration targets.
- On each target host, open mmc.exe and add the "Certificates" snap-in for the "Computer account" (Local Computer).
- Navigate to "Certificates (Local Computer) > Personal." Right-click the "Personal" folder, choose "All Tasks," and then click "Import".
- Proceed through the Certificate Import Wizard. Ensure the certificates are placed in the "Shielded VM Local Certificates" store.
- After completing the wizard, verify that both the Encryption and Signing certificates now appear in the "Shielded VM Local Certificates" store on the new host.
You can accomplish the same thing using PowerShell with the following command:
Import-PfxCertificate -FilePath "C:\Backup\CertificateName.pfx" -CertStoreLocation "Cert:\LocalMachine\Shielded VM Local Certificates" -Password (ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText)
Updating vTPM related certificates.
Self signed vTPM certificates automatically expire after 10 years. Resetting the key protector for a vTPM-enabled VM in Hyper-V allows you change or renew the underlying certificates (especially if the private key changes). Here are the requirements and considerations around this process:
- The VM must be in an off state to change security settings or reset the key protector
- The host must have the appropriate certificates (including private keys) in the "Shielded VM Local Certificates" store. If the private key is missing, the key protector cannot be set or validated.
- Always back up the VM and existing certificates before resetting the key protector, as this process can make previously encrypted data inaccessible if not performed correctly.
- The VM must be at a supported configuration version (typically version 7.0 or higher) to support vTPM and key protector features.
To save the Current Key Protector: On the source Hyper-V host, retrieve the current Key Protector for the VM and save it to a file.
Get-VMKeyProtector -VMName 'VM001' | Out-File '.\VM001.kp'
To reset the key protector with a new local key protector:
Set-VMKeyProtector -VMName "<VMNAME>" -NewLocalKeyProtector
This command instructs Hyper-V to generate a new key protector using the current local certificates. After resetting, enable vTPM if needed:
Enable-VMTPM -VMName "<VMNAME>"
It is important to note that if an incorrect Key Protector is applied to the VM, it may fail to start. In such cases, the Set-VMKeyProtector -RestoreLastKnownGoodKeyProtector cmdlet can be used to revert to the last known working Key Protector.
More information: Set-VMKeyProtector: https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmkeyprotector
Microsoft
