Forum Discussion

benlewis12
Copper Contributor
Feb 10, 2026

Encrypted vhdx moved to new host, boots without pin or recovery key

Hyper-V environment. Enabled vTPM on a guest Server 2022 OS and encrypted the OS drive C:\ with BitLocker. The host (Server 2022) has a physical TPM. Shut down the guest OS and copied the vhdx file to another Hyper-V host server that is completely off network (also Server 2022 with a physical TPM). Created a new VM based on the "encrypted" vhdx. I was able to start the VM without needing a PIN or a recovery key. Doesn't this defeat the whole point of encrypting vhdx files? Searching says that this should not be possible, but I replicated it twice on two different off-network Hyper-V host servers. Another odd thing is that when the guest boots on the new host and you log in, the drive is NOT encrypted. So, where's the security in that? Does anyone have any ideas on this, or am I missing something completely? Or have I just made Microsoft angry for pointing out this glaring flaw?

1 Reply

  • benlewis12
    Copper Contributor

    I just wanted to post an update on this. I created a new VM but made sure to enable vTPM prior to installing the OS. Once the VM was up and running, I shut it down and copied the .vhdx to another off-network Hyper-V host, created a new VM based on the .vhdx I copied over, and attempted to boot. It prompted for a recovery key (as it should). So, my question is: does vTPM only work if you enable it during a fresh VM install, or is there a "bug" in Hyper-V where, if you enable vTPM on an existing VM, it doesn't work as designed?
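Before concluding that a moved vhdx is "encrypted", it is worth checking what BitLocker and Hyper-V actually report. The following check script is an added example, not code from the poster or from Microsoft; it assumes the VM name placeholder is replaced with the real name and that it is run inside the guest (first half) and on the Hyper-V host (second half) with administrative rights.

```powershell
# Added example (not from the original thread). Verifies that the OS volume is
# really encrypted and bound to a TPM protector, and that the VM has a vTPM.

# --- Guest side: is C: really encrypted, and is a TPM-based protector present? ---
$vol = Get-BitLockerVolume -MountPoint 'C:'
$tpmProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$recovery      = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

[pscustomobject]@{
    MountPoint         = $vol.MountPoint
    VolumeStatus       = $vol.VolumeStatus        # expect FullyEncrypted
    ProtectionStatus   = $vol.ProtectionStatus    # expect On; Off means protectors are suspended
    EncryptionPercent  = $vol.EncryptionPercentage
    TpmProtectorTypes  = ($tpmProtectors.KeyProtectorType -join ',')
    RecoveryProtectors = @($recovery).Count
}

# These are the states that produce "boots without a PIN and the drive is not encrypted".
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "C: is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%); data on the vhdx is readable without a key."
}
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is $($vol.ProtectionStatus); the volume key is not sealed to the TPM (suspended / clear-key state)."
}
if (-not $tpmProtectors) {
    Write-Warning "No TPM-based key protector on C:; BitLocker is not bound to the vTPM at all."
}

# --- Host side: does the VM actually have a vTPM enabled? ---
$vmName = 'VM-NAME-PLACEHOLDER'   # assumption: replace with the real VM name
$sec = Get-VMSecurity -VMName $vmName
if (-not $sec.TpmEnabled) {
    Write-Warning "$vmName has no vTPM enabled; BitLocker inside the guest cannot seal keys to a TPM."
}
```

If the guest half reports FullyDecrypted, EncryptionInProgress, or ProtectionStatus Off, the vhdx was never fully protected and moving it to another host is expected to boot without a prompt; a FullyEncrypted volume with a Tpm protector and protection On is the state that should demand the recovery key on a foreign host, as seen in the second test.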