Migrating local VM owner certificates for VMs with vTPM

Published Mar 21 2019 05:14 PM 5,395 Views
First published on TECHNET on Dec 14, 2017
Whenever I want to replace or reinstall a system which is used to run virtual machines with a virtual trusted platform module (vTPM), I've been facing a challenge: for hosts that are not part of a guarded fabric, the new system must be authorized to run the VM.
Some time ago, I wrote a blog post focused on running VMs with a vTPM on additional hosts, but the approach highlighted there does not solve everything when the original host is decommissioned. The VMs can be started on the new host, but without the original owner certificates, you cannot change the list of allowed guardians anymore.

This blog post shows a way to export the information needed from the source host and import it on a destination host. Please note that this technique only works for local mode and not for a host that is part of a guarded fabric. You can check whether your host runs in local mode by running Get-HgsClientConfiguration. The property Mode should list Local as its value.

Exporting the default owner from the source host


The following script exports the necessary information of the default owner ("UntrustedGuardian") on a host that is configured using local mode. When running the script on the source host, two certificates are exported: a signing certificate and an encryption certificate.


Importing the UntrustedGuardian on the new host


On the destination host, the following snippet creates a new guardian using the certificates that have been exported in the previous step.


Please note that importing the "UntrustedGuardian" on the new host has to be done before creating new VMs with a vTPM on this host -- otherwise a new guardian with the same name will already be present and the creation with the PowerShell snippet above will fail.

With these two steps, you should be able to migrate all the necessary bits to keep your VMs with vTPM running in your dev/test environment. This approach can also be used to back up your owner certificates, depending on how these certificates have been created.
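The export and import steps above, carried through as one script with the checks a practitioner would want around them. This is an added example, not the script the post originally shipped: it verifies the host is in local mode before doing anything, refuses to import over a guardian that already exists (the failure mode the post warns about), records the source thumbprints in a small JSON manifest (a file name and format this example invents) so the destination can prove it imported the same key pairs, and offers a helper that checks a migrated VM's key protector is owned by the imported guardian. The cmdlets used (Get-HgsClientConfiguration, Get-HgsGuardian, New-HgsGuardian, Export-PfxCertificate, Get-VMKeyProtector, ConvertTo-HgsKeyProtector) are from the HgsClient, PKI and Hyper-V modules; the Owner property on the converted key protector is assumed to expose the owner guardian's SigningCertificate as documented for that module.

```powershell
# Added example: migrate the local 'UntrustedGuardian' between hosts with pre- and post-checks.
# The manifest file (<GuardianName>-manifest.json) is this example's own convention.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Action,
    [string]$GuardianName = 'UntrustedGuardian',
    [string]$Path = '.'
)

function Assert-LocalMode {
    # The technique only applies to hosts in local mode, never to a guarded-fabric member.
    $mode = (Get-HgsClientConfiguration).Mode
    if ($mode -ne 'Local') {
        throw "Host is in '$mode' mode; guardian export/import only applies to Local mode."
    }
}

function Export-GuardianBundle {
    param([string]$Name, [string]$Folder, [securestring]$Password)
    $guardian = Get-HgsGuardian -Name $Name -ErrorAction Stop
    $store = 'Cert:\LocalMachine\Shielded VM Local Certificates'
    $certs = @{
        signing    = Get-Item -Path "$store\$($guardian.SigningCertificate.Thumbprint)"
        encryption = Get-Item -Path "$store\$($guardian.EncryptionCertificate.Thumbprint)"
    }
    foreach ($kind in @($certs.Keys)) {
        # Without the private key the PFX would be useless on the destination host.
        if (-not $certs[$kind].HasPrivateKey) {
            throw "The $kind certificate has no private key on this host; nothing to migrate."
        }
        Export-PfxCertificate -Cert $certs[$kind] -FilePath (Join-Path $Folder "$Name-$kind.pfx") `
            -Password $Password | Out-Null
    }
    # Record the thumbprints so the destination can prove it imported the same key pairs.
    [pscustomobject]@{
        GuardianName = $Name
        Signing      = $certs.signing.Thumbprint
        Encryption   = $certs.encryption.Thumbprint
        ExportedUtc  = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json | Set-Content -Path (Join-Path $Folder "$Name-manifest.json")
}

function Import-GuardianBundle {
    param([string]$Name, [string]$Folder, [securestring]$Password)
    # An UntrustedGuardian is created automatically the first time a vTPM VM is made on a host,
    # so stop here instead of failing half-way or silently keeping the wrong key pairs.
    if (Get-HgsGuardian -Name $Name -ErrorAction SilentlyContinue) {
        throw "A guardian named '$Name' already exists on this host; import must happen before any vTPM VM is created here."
    }
    $manifest = Get-Content -Path (Join-Path $Folder "$Name-manifest.json") -Raw | ConvertFrom-Json
    # Local-mode certificates are self-signed, hence -AllowUntrustedRoot; -AllowExpired keeps old exports usable.
    New-HgsGuardian -Name $Name `
        -SigningCertificate (Join-Path $Folder "$Name-signing.pfx") -SigningCertificatePassword $Password `
        -EncryptionCertificate (Join-Path $Folder "$Name-encryption.pfx") -EncryptionCertificatePassword $Password `
        -AllowExpired -AllowUntrustedRoot | Out-Null
    # Post-check: the guardian on this host must carry exactly the source's key pairs.
    $imported = Get-HgsGuardian -Name $Name
    if ($imported.SigningCertificate.Thumbprint -ne $manifest.Signing -or
        $imported.EncryptionCertificate.Thumbprint -ne $manifest.Encryption) {
        throw 'Imported guardian thumbprints do not match the source manifest; do not rely on it for migrated VMs.'
    }
    Write-Verbose "Guardian '$Name' imported; thumbprints match the source export from $($manifest.ExportedUtc)."
}

function Test-VMOwnedByGuardian {
    # Returns $true when the VM's key protector is owned by the named guardian on this host,
    # i.e. the host can now change the VM's list of allowed guardians.
    param([string]$VMName, [string]$Name)
    $guardian = Get-HgsGuardian -Name $Name -ErrorAction Stop
    $kp = ConvertTo-HgsKeyProtector -Bytes (Get-VMKeyProtector -VMName $VMName)
    return $kp.Owner.SigningCertificate.Thumbprint -eq $guardian.SigningCertificate.Thumbprint
}

Assert-LocalMode
$password = Read-Host -Prompt 'Password for the PFX files' -AsSecureString
switch ($Action) {
    'Export' { Export-GuardianBundle -Name $GuardianName -Folder $Path -Password $password }
    'Import' { Import-GuardianBundle -Name $GuardianName -Folder $Path -Password $password }
}
```

Run it with `-Action Export` on the source host and `-Action Import -Verbose` on the destination after copying the two PFX files and the manifest; after importing the migrated VMs, `Test-VMOwnedByGuardian -VMName <vm> -Name UntrustedGuardian` returning `$true` confirms the key protector's owner is the guardian you just restored. The manifest plus PFX files are also the minimum worth keeping in a central backup, since the post's own closing paragraph notes the same export doubles as a backup.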
9 Comments
New Contributor

This article would be great if the script and snippet Lars refers to were actually obtainable from the blog. It seems that these were removed when the page was migrated to this site from TechNet.

Regular Visitor

@Craig-Anderson-Icare  - I was able to dig up the Google Cache version from the original article with intact code snippets.


https://webcache.googleusercontent.com/search?q=cache:G_tK3wcq3eUJ:https://blogs.technet.microsoft.c...

New Contributor

@Ryan Sheldon - thanks for finding that!

New Contributor

Export-UntrustedGuardian.ps1 Contents:


$GuardianName = 'UntrustedGuardian'
$CertificatePassword = Read-Host -Prompt 'Please enter a password to secure the certificate files' -AsSecureString

$guardian = Get-HgsGuardian -Name $GuardianName

if (-not $guardian)
{
    throw "Guardian '$GuardianName' could not be found on the local system."
}

$encryptionCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.EncryptionCertificate.Thumbprint)"
$signingCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.SigningCertificate.Thumbprint)"

if (-not ($encryptionCertificate.HasPrivateKey -and $signingCertificate.HasPrivateKey))
{
    throw 'One or both of the certificates in the guardian do not have private keys. ' + `
          'Please ensure the private keys are available on the local system for this guardian.'
}

Export-PfxCertificate -Cert $encryptionCertificate -FilePath ".\$GuardianName-encryption.pfx" -Password $CertificatePassword
Export-PfxCertificate -Cert $signingCertificate -FilePath ".\$GuardianName-signing.pfx" -Password $CertificatePassword
New Contributor

Import-UntrustedGuardian.ps1 Contents:


# The first line was garbled in the cached copy; the rest of the script uses $NameOfGuardian.
$NameOfGuardian = 'UntrustedGuardian'
$CertificatePassword = Read-Host -Prompt 'Please enter the password that was used to secure the certificate files' -AsSecureString
# Local-mode owner certificates are self-signed, so the untrusted root must be explicitly allowed.
New-HgsGuardian -Name $NameOfGuardian -SigningCertificate ".\$NameOfGuardian-signing.pfx" -SigningCertificatePassword $CertificatePassword -EncryptionCertificate ".\$NameOfGuardian-encryption.pfx" -EncryptionCertificatePassword $CertificatePassword -AllowExpired -AllowUntrustedRoot
Occasional Contributor

What if I no longer have access to the source device that originally ran the VMs (it was wiped and sent back to Microsoft)? How can I clear the vTPM info from the VM entirely and create a new vTPM since the guardian certs are gone forever?

Microsoft

That is my issue as well Ashley, source system is dead and gone.....

Occasional Contributor

Were you able to figure this out, Chuck? Fortunately for us we could just throw away the VMs and recreate them, but it would've been a real nightmare if we couldn't.

Microsoft

Unfortunately no. At least I only lost 3 VMs but it is still a pain. I have since modified my procedures to backup the certs to a central repository using code based on the code Craig-Anderson-Icare supplied above. Minimizing impacts and futureproofing are the best I can do at this point. I may try automating backing up the bitlocker keys centrally as well.

