In my previous blog I showed you step-by-step how to install Windows 11 as a VM in Hyper-V. The difference with Windows 10 is that Windows 11 requires a TPM 2.0 (Trusted Platform Module), which Hyper-V provides to the VM as a virtual TPM. As you could read in my previous blog, this is no problem at all. However, I regularly reinstall my laptop/desktop and also run the same VMs on multiple devices, and in that case it gets a bit more complex.
When you enable the virtual TPM, Hyper-V creates a key protector for the VM and encrypts it to the host's local guardian certificates (the UntrustedGuardian, kept in the Shielded VM Local Certificates store of that host). The vTPM state can therefore only be unwrapped on a host that holds those private keys. So if you copy the VM to another device/host, or reinstall your device and restore the VM from backup, you will receive the following error when trying to start the VM:
Hyper-V Manager
An error occurred while attempting to start the selected virtual machine(s).
'Win11-Pro' failed to start.
'Win11-Pro' could not initialize.
The key protector could not be unwrapped. Details are included in the HostGuardianService-Client event log.

Expanded information:
'Win11-Pro' failed to start. (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
'Win11-Pro' failed to start worker process: %%2148734208 (0x80131500). (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
'Win11-Pro' could not initialize. (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
The key protector for the virtual machine 'Win11-Pro' could not be unwrapped. Details are included in the HostGuardianService-Client event log. %%2148734208 (0x80131500). (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
It's good to know that you can simply export the two Shielded VM Local Certificates (an encryption certificate and a signing certificate, both marked UntrustedGuardian) and import them on the other host(s) or on your reinstalled device. Do this before you wipe the original host: the private keys exist only in that host's certificate store and cannot be recreated from the VM files.
In step 1 of this blog I will show you step-by-step how to export the certificates from the original host (the host where the VM was created) and in step 2 I show you how to import the certificates on the other host(s) / reinstalled device.
Step 1 : Export the Shielded VM Certificates from the host
First we need to export the Shielded VM Certificates from the device where the Windows 11 VM was created. To do so, start MMC.exe (as administrator, since the keys live in the computer store).
Open the File menu and click Add/Remove Snap-in…
On the left side, select Certificates and click Add
Select Computer account and click Next
Select Local computer and click Finish
Navigate to Certificates (Local Computer) > Shielded VM Local Certificates > Certificates. Select both the Shielded VM Certificates, right-click and navigate to All Tasks > Export…
Select Yes, export the private key and click Next
Select Personal Information Exchange – PKCS #12 (.PFX). Leave all options unchecked and click Next
Select Password and fill in a new password (you need this password when importing the certificates on the target host). Choose a strong one: the .PFX contains the private keys that unlock the VM's vTPM. Click Next.
Select a folder to save the certificates in, click Next and then Finish to write the .PFX file
Step 2 : Import the Shielded VM Certificates on the target host
On the new/other host or reinstalled device where you want to run the Windows 11 VM, start MMC.exe and add the Certificates snap-in, just like you did in step one of this blog.
Navigate to Certificates (Local Computer) > Shielded VM Local Certificates > Certificates. Right-click Certificates and click All Tasks > Import
Browse to the .PFX file that you created in step one of this blog and click Next
Fill in your password and make sure "Mark this key as exportable" and "Include all extended properties" are selected (the first one lets you move the VM on to a third host later without going back to the original one).
Make sure the certificate store Shielded VM Local Certificates is selected and click Next, then Finish
The Shielded VM certificates are now imported and the Windows 11 VM will start as expected on this host. Once you have confirmed that, delete the .PFX files or keep them somewhere encrypted: together with the password they let any Hyper-V host unwrap the vTPM state of every VM created on the original host, including any BitLocker keys the guest has sealed to its TPM.
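The same export and import, plus a check that the VM's key protector can actually be unwrapped on the target host, as an added PowerShell example (this is not part of the original post; run it in an elevated session; the export folder, the VM name 'Win11-Pro' and the function names are my own assumptions, while the certificate store path and the PKI/HgsClient cmdlets are real):

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on each host. Assumptions: $ExportDir, the VM name 'Win11-Pro' and
# the function names are placeholders. The store path and the cmdlets
# (Export/Import-PfxCertificate from the PKI module, Get-VMKeyProtector and
# ConvertTo-HgsKeyProtector from Hyper-V/HgsClient) exist as used here.

$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$ExportDir = 'C:\Temp\ShieldedVMCerts'   # assumption: any folder you can copy to the other host

# Step 1: on the source host (where the VM was created).
function Export-ShieldedVMLocalCertificates {
    param([string]$Path, [securestring]$Password)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $certs = @(Get-ChildItem -Path $StorePath)
    if ($certs.Count -eq 0) { throw "No certificates in '$StorePath'; this host has never created a vTPM VM." }

    foreach ($cert in $certs) {
        # Without the private key the target host could never unwrap anything.
        if (-not $cert.HasPrivateKey) { throw "No private key for '$($cert.Subject)'." }
        # Thumbprint as file name: the subjects contain spaces and parentheses.
        $file = Join-Path -Path $Path -ChildPath "$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
        Write-Host "Exported $($cert.Subject) -> $file"
    }
}

# Step 2: on the target host, after copying the .pfx files there.
function Import-ShieldedVMLocalCertificates {
    param([string]$Path, [securestring]$Password)

    foreach ($pfx in Get-ChildItem -Path $Path -Filter '*.pfx') {
        # -Exportable is the wizard's "Mark this key as exportable".
        $imported = Import-PfxCertificate -FilePath $pfx.FullName -CertStoreLocation $StorePath `
                                          -Password $Password -Exportable
        Write-Host "Imported $($imported.Subject) [$($imported.Thumbprint)]"
    }
}

# Check: is the encryption private key of at least one guardian named in the
# VM's key protector present in the local store? That key is what unwraps the
# key protector at VM start. Run after the VM has been imported/registered here.
function Test-VMKeyProtectorResolvable {
    param([string]$VMName)

    $kp = ConvertTo-HgsKeyProtector -Bytes (Get-VMKeyProtector -VMName $VMName)
    $haveKey = @(Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey | ForEach-Object Thumbprint)

    $found = $false
    foreach ($guardian in @($kp.Owner) + @($kp.Guardians)) {
        if ($null -eq $guardian -or $null -eq $guardian.EncryptionCertificate) { continue }
        $cert = $guardian.EncryptionCertificate
        if ($haveKey -contains $cert.Thumbprint) {
            Write-Host "OK   $($cert.Subject) [$($cert.Thumbprint)]"
            $found = $true
        } else {
            Write-Host "MISS $($cert.Subject) [$($cert.Thumbprint)] has no private key in '$StorePath'"
        }
    }
    return $found
}

# Usage (same password on both sides):
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-ShieldedVMLocalCertificates -Path $ExportDir -Password $pw   # source host
#   Import-ShieldedVMLocalCertificates -Path $ExportDir -Password $pw   # target host
#   Test-VMKeyProtectorResolvable -VMName 'Win11-Pro'                   # target host, before Start-VM
```

If the check prints MISS for every guardian, the host you are on still cannot start the VM and the HostGuardianService-Client event log will show the same "could not be unwrapped" error; importing the right .pfx (the thumbprint in the MISS line tells you which one) fixes it. Remove the .pfx files from the export folder once the import has been verified.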