Hi OrinThomas, thank you for sharing this guidance. That's excellent and helpful. Hopefully there is the same reference in the documentation for Windows 11, Windows Server and Azure Local. Didn't check at the time of writing.
I would like to emphasize that this all applies not only to VMs running on Windows 11, but also to business use, such as Windows Server, Azure Local and to clusters when you need to move the VM to another cluster.
While I understand the "don't shoot the messenger" sentiment, the whole design is overly complicated when VMs need to move as part of a shared-nothing live migration, or even worse, from one cluster or Windows instance to another. Let me bring up some use cases:
Scenarios
A customer using Windows 11, Windows Server, or Azure Local for VMs, productive or lab.
Questions for guidance:
- Will Windows Backup or a third party such as Veeam B&R back up and restore the VM certificates with the VM by default, when saving a vTPM-protected VM?
- What about customers or consumers using Windows 11 with multiboot, especially Windows Insiders, when one instance of Windows becomes inaccessible?
- The BitLocker key is not saved or is inaccessible. (see your instructions above)
- Windows won't boot anymore due to a bug or failure? How to fetch the certs from Windows RE or by booting the ISO?
- Exporting and importing the VM will deal with the certs. Shared-nothing live migration / storage migration seems not to.
- Will storage / Hyper-V replica deal with the cert management?
- Sidequest: What about all the VMs coming from other vendors like VMware that end up as Gen1 VMs, because no one dealt with Secure Boot? How can we convert Gen1 to Gen2? While scripts exist, this is not supported or endorsed by Microsoft. Gen1 cannot handle vTPM, and with the current market movements and migrations we are just creating unintentional legacy at scale. (WAC VM conversion extension for Windows Server or Azure Migrate for Azure and Azure Local).
Here's the catch:
Previously, it was very easy to recover the VMs. Now we need to disable vTPM in a worst-case scenario, sacrificing the VM's security.
Personally I expect that vTPM will become the norm and be required (hopefully) with Windows Server vNext, to comply with Microsoft's efforts for improved security.
This got skipped intentionally.
Although it is not mandatory, unlike with Windows 11, customers and users can and should choose vTPM for Windows Server 2022 and 2025, so they can leverage more security features within the VM. It's not just for BitLocker.
In the above scenarios, cert management using old tools or the Windows Admin Center could become problematic.
For vTPM the same rules apply to Hyper-V and VMware vTPM. Yet for VMware I believe there is a host based cert, not sure if it's a pair for each VM. It's not my area.
We should expect vTPM to become the de facto standard, which will require easier management and greater awareness in the future.
Thank you for sharing more guidance for the listed questions and common scenarios.
Other references: BLOG: Windows 11 security and how to get there, if you want | Microsoft Community Hub
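As an added example (not from the thread or from Microsoft's guidance), the following PowerShell inventories the guardian certificates that each vTPM-enabled VM on a Hyper-V host depends on and exports the ones whose private key lives on this host, which is the check a host admin would want before a shared-nothing migration or a rebuild. It assumes the Hyper-V and HgsClient modules are present (both come with the Hyper-V role); the export folder and PFX password are assumptions to adjust.

```powershell
# Added example: back up the guardian certs behind every vTPM-enabled VM on this host.
# Assumes the Hyper-V and HgsClient modules; $ExportDir is an assumption, pick a protected path.
Import-Module Hyper-V, HgsClient

$ExportDir   = 'C:\vTPM-Guardian-Backup'
$LocalStore  = 'Cert:\LocalMachine\Shielded VM Local Certificates'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

foreach ($vm in Get-VM | Where-Object { (Get-VMSecurity -VM $_).TpmEnabled }) {
    # The key protector is stored as raw bytes; decode it to see which guardians it names.
    $kp = ConvertTo-HgsKeyProtector -Bytes (Get-VMKeyProtector -VM $vm)
    # The owner guardian plus any additional guardians, each with an encryption/signing cert.
    $guardians = @($kp.Owner) + @($kp.Guardians)

    foreach ($g in $guardians) {
        foreach ($cert in @($g.EncryptionCertificate, $g.SigningCertificate)) {
            if (-not $cert) { continue }
            $local = Get-ChildItem $LocalStore | Where-Object Thumbprint -eq $cert.Thumbprint
            if (-not $local) {
                # Missing cert: this VM will not start on this host until it is imported.
                Write-Warning "$($vm.Name): guardian cert $($cert.Thumbprint) is not in the local store."
                continue
            }
            if (-not $local.HasPrivateKey) {
                # Public part only (e.g. a guardian imported from another host): nothing to back up here.
                Write-Warning "$($vm.Name): cert $($cert.Thumbprint) has no private key on this host."
                continue
            }
            $file = Join-Path $ExportDir "$($g.Name)-$($cert.Thumbprint).pfx"
            Export-PfxCertificate -Cert $local -FilePath $file -Password $PfxPassword | Out-Null
            Write-Host "$($vm.Name): exported $($cert.Subject) -> $file"
        }
    }
}
```

On the destination host, restore each PFX into the same store with Import-PfxCertificate -CertStoreLocation $LocalStore -Exportable before moving the VM, and keep the exported files and password under the same protection as the BitLocker recovery keys they effectively guard.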