Forum Discussion
Encrypted VHDX moved to new host, boots without PIN or recovery key
Hello benlewis12,
What you observed is expected behaviour and not a flaw.
When BitLocker is enabled on a VM without vTPM present at provisioning time, the OS drive is typically protected with a clear key protector. That means the volume is encrypted but automatically unlocked at boot without TPM validation. In that state, copying the VHDX to another host will not trigger recovery because no TPM bound protector exists.
When you create the VM with vTPM enabled before installing the OS, BitLocker detects a TPM during provisioning and seals the Volume Master Key to that vTPM. The protector becomes TPM-based. If you then move the VHDX to another host and attach it to a new VM with a different vTPM identity, PCR measurements change and BitLocker correctly enters recovery mode.
Key points:
BitLocker security depends on the active key protectors, not on the mere presence of encryption.
If you enable vTPM after BitLocker was already configured, the existing protector set does not automatically convert to TPM-only protection.
You must verify with:
- manage-bde -status
- manage-bde -protectors -get C:
If you see a Clear Key or no TPM protector, suspend and re-enable BitLocker so that the VM reseals the key against the vTPM.
So vTPM does not only work during fresh install. It works whenever BitLocker is configured to use a TPM-based protector. The difference you saw comes from how BitLocker was originally provisioned, not from a Hyper-V bug.
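As an added example (not part of this thread, and not Microsoft's own tooling), here is a PowerShell equivalent of the manage-bde checks above, using the BitLocker and TrustedPlatformModule modules that ship with Windows. The function names Test-OsVolumeTpmProtector and Reset-OsVolumeTpmSeal are made up for this example; the cmdlets they call (Get-BitLockerVolume, Get-Tpm, Suspend-BitLocker, Resume-BitLocker) are real. It reports whether the OS volume is actually encrypted, whether protection is currently On (a suspended volume holds a clear key and unlocks on any host), whether any protector type is TPM-bound, and whether the guest can see a TPM at all, and it can re-seal the volume against the vTPM by suspending and resuming protection.

```powershell
#Requires -RunAsAdministrator
# Added example: audits the BitLocker protector set on the OS volume and, if asked,
# re-seals it against the (v)TPM. Needs the BitLocker feature installed in the guest.

function Test-OsVolumeTpmProtector {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    # Protector types that bind the Volume Master Key to the TPM. The others
    # (RecoveryPassword, ExternalKey, Password, AdAccountOrGroup) never consult the TPM.
    $tpmBound = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = [ordered]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus.ToString()
        ProtectionStatus  = $vol.ProtectionStatus.ToString()
        EncryptionPercent = $vol.EncryptionPercentage
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        ProtectorTypes    = ($types -join ', ')
        HasTpmProtector   = [bool]($types | Where-Object { $tpmBound -contains $_ })
        HasRecoveryPwd    = [bool]($types -contains 'RecoveryPassword')
        Problems          = @()
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $findings.Problems += 'Volume is not encrypted; a copied VHDX will boot with no prompt at all.'
    }
    elseif ($vol.ProtectionStatus -eq 'Off') {
        # Encrypted but suspended: the VMK sits in a clear key on disk, so any host
        # can unlock the volume without TPM validation, a PIN or a recovery key.
        $findings.Problems += 'Protection is Off (clear key present); run Resume-BitLocker.'
    }
    if (-not $findings.HasTpmProtector) {
        $findings.Problems += 'No TPM-bound protector; unlocking does not depend on this VM''s vTPM.'
    }
    if (-not $tpm.TpmPresent) {
        $findings.Problems += 'No TPM visible to the guest; enable vTPM on the VM before adding a TPM protector.'
    }
    if (-not $findings.HasRecoveryPwd) {
        $findings.Problems += 'No recovery password; add one before changing TPM protectors.'
    }
    [pscustomobject]$findings
}

function Reset-OsVolumeTpmSeal {
    # Suspend-then-resume re-seals the VMK against the current TPM and PCR values.
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is called.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Suspend and resume BitLocker to re-seal to the TPM')) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        Resume-BitLocker  -MountPoint $MountPoint | Out-Null
    }
    Test-OsVolumeTpmProtector -MountPoint $MountPoint
}

# Usage: run inside the VM (with vTPM enabled) before shutting it down and copying the VHDX.
$report = Test-OsVolumeTpmProtector
$report | Format-List
if ($report.Problems.Count -gt 0) { $report.Problems | ForEach-Object { Write-Warning $_ } }
```

Run the check in the source VM before the copy: the expected healthy result is VolumeStatus FullyEncrypted, ProtectionStatus On, a TPM-bound protector type (Tpm or TpmPin) listed alongside RecoveryPassword, and no Problems. Only then should a copy attached to a VM with a different vTPM identity stop at the recovery screen. If the same check run inside the booted copy reports FullyDecrypted, the disk that was copied was never encrypted in the first place, which is a different problem from a missing TPM protector.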
- benlewis12, Feb 17, 2026, Copper Contributor
I checked and I had both TPM and PIN as well as numerical password set on C:\ for the Key Protectors. I suspended and re-enabled BitLocker, then moved the vhdx to an offline Hyper-V host. After creating a VM based on that vhdx, it did not prompt for a PIN nor a recovery key on boot up.
As a further test, I turned off BitLocker on the C:\ drive on my test VM and removed the BitLocker role completely and then rebooted. Re-added the BitLocker role, rebooted and set up BitLocker again. I chose the enter a PIN option and rebooted again so encryption could be done. Once that completed, the output of manage-bde -status showed:
Key Protectors:
TPM And PIN
Numerical Password
Network (Certificate Based)
Shut down the VM, copied the vhdx to an off-network Hyper-V host. Created a new virtual machine and attached the vhdx. Could boot it up without a PIN or recovery key. Once the OS was running, logged in and C:\ was NOT encrypted and the BitLocker role was not active on the server.
I definitely appreciate your responses but apparently, I'm still missing something.
Thanks,
Ben