In my previous blog I showed step-by-step how to install Windows 11 as a VM in Hyper-V. The difference with Windows 10 is that Windows 11 requires a TPM 2.0 (Trusted Platform Module), so the VM needs a virtual TPM (vTPM) enabled in order to install and boot. As you could read in that blog, this is no problem at all. However, I'm the kind of guy who regularly reinstalls his laptop/desktop and also runs the same VMs on multiple devices, and in that case it gets a bit more complex.
A VM with a vTPM stores its TPM state encrypted, and the key to that state is wrapped in a key protector. On a standalone Hyper-V host (one that is not attached to a Host Guardian Service) the key protector is wrapped with a local guardian: two certificates in the host's Shielded VM Local Certificates store, one for encryption and one for signing. In other words, the keys are bound to the host where the VM was created. So if you copy the VM to another device/host, or reinstall your device and try to restore the VM from backup, you will receive the following error when trying to start the VM:
[Window Title]
Hyper-V Manager
[Main Instruction]
An error occurred while attempting to start the selected virtual machine(s).
[Content]
'Win11-Pro' failed to start.
'Win11-Pro' could not initialize.
The key protector could not be unwrapped. Details are included in the HostGuardianService-Client event log.
[Expanded Information]
'Win11-Pro' failed to start. (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
'Win11-Pro' failed to start worker process: %%2148734208 (0x80131500). (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
'Win11-Pro' could not initialize. (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
The key protector for the virtual machine 'Win11-Pro' could not be unwrapped. . Details are included in the HostGuardianService-Client event log. %%2148734208 (0x80131500). (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)
It's good to know that you can simply export the two Shielded VM Local Certificates (the encryption and the signing certificate, including their private keys) and import them on the other host(s) or on your reinstalled device. Two things to keep in mind: without these certificates (or a backup of them) the vTPM state of the VM cannot be unlocked anymore, and with them anyone can start the VM, so treat the exported file like a BitLocker recovery key.
In step 1 of this blog I show you step-by-step how to export the certificates from the original host (the host where the VM was created), and in step 2 I show you how to import the certificates on the other host(s) / reinstalled device.
Step 1: Export the Shielded VM Certificates from the host
First we need to export the Shielded VM Certificates from the device where the Windows 11 VM was created. To do so, start MMC.exe.
Open the File menu and click Add/Remove Snap-in…
On the left side, select Certificates and click Add
Select Computer account and click Next
Select Local computer and click Finish
Click OK
Navigate to Certificates (Local Computer) > Shielded VM Local Certificates > Certificates. You will find two certificates there, named Shielded VM Encryption Certificate (UntrustedGuardian) and Shielded VM Signing Certificate (UntrustedGuardian), each followed by your host name. Select both, right-click and navigate to All Tasks > Export…
Click Next
Select Yes, export the private key and click Next
Select Personal Information Exchange – PKCS #12 (.PFX). Leave all options unchecked and click Next
Select Password and fill in a new, strong password (you need this password when importing the certificates on the target host). The .PFX file contains the private keys that unlock your VM, so do not reuse a weak password here and store the file somewhere safe. Click Next.
Select a folder to save the certificates in and click Next
Click Finish
Click OK
Step 2: Import the Shielded VM Certificates on the target host
On the new/other host or reinstalled device where you want to run the Windows 11 VM, start MMC.exe and add the Certificates snap-in, just like you did in step 1 of this blog.
Navigate to Certificates (Local Computer) > Shielded VM Local Certificates > Certificates. Right-click Certificates and click All Tasks > Import
Click Next
Browse to the .PFX file that you created in step 1 of this blog and click Next
Fill in your password and make sure "Mark this key as exportable" and "Include all extended properties" are selected. Click Next.
Make sure Shielded VM Local Certificates is selected as the certificate store and click Next
Click Finish
Click OK
The Shielded VM certificates are now imported and the Windows 11 VM starts as expected. Repeat step 2 on every other host that should run the VM; the export from step 1 only has to be done once.
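The same two steps done in PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell session on each host, the VM name 'Win11-Pro' from this blog, a host that has never been attached to a Host Guardian Service (so the local guardian is called UntrustedGuardian, which is what Hyper-V creates by default), and an export folder D:\Backup; all of these are assumptions to adjust. Each certificate goes to its own .PFX file, because piping both into one Export-PfxCertificate call would overwrite the first file with the second. The import part also creates the Shielded VM Local Certificates store when it does not exist yet on the target host, and checks afterwards that both certificates arrived with their private keys.

```powershell
# Added example (not from the original post). Run as Administrator.
# Assumptions: VM 'Win11-Pro', guardian 'UntrustedGuardian', export folder D:\Backup.
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$StoreName = 'Shielded VM Local Certificates'
$ExportDir = 'D:\Backup'

# ---------- Step 1, on the source host: export both certificates with private keys ----------
function Export-ShieldedVmLocalCerts {
    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like '*UntrustedGuardian*' }
    # Expect exactly the Encryption and the Signing certificate, both with a private key.
    if (@($certs).Count -ne 2 -or @($certs | Where-Object { -not $_.HasPrivateKey }).Count -gt 0) {
        throw "Expected 2 UntrustedGuardian certificates with private keys in '$StorePath'."
    }
    # The PFX files unlock the VM for whoever holds them: strong password, safe storage.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    foreach ($cert in $certs) {
        $file = Join-Path $ExportDir "ShieldedVM-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword `
            -ChainOption EndEntityCertOnly | Out-Null
        # Note the thumbprints; they must be identical on the target host after import.
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; File = $file }
    }
}

# ---------- Step 2, on the target host: create the store if needed, import, verify ----------
function Import-ShieldedVmLocalCerts {
    # Import-PfxCertificate needs an existing store; opening the store ReadWrite via .NET
    # creates it when it is missing (the store only appears once a vTPM-enabled VM has run).
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, 'LocalMachine')
    $store.Open('ReadWrite'); $store.Close()

    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $imported = foreach ($file in Get-ChildItem -Path $ExportDir -Filter 'ShieldedVM-*.pfx') {
        # -Exportable mirrors "Mark this key as exportable", so you can move on from this host later.
        Import-PfxCertificate -FilePath $file.FullName -CertStoreLocation $StorePath `
            -Password $pfxPassword -Exportable
    }
    # Both certificates must be present with their private keys; compare the thumbprints
    # with the ones noted on the source host.
    $missingKey = @($imported | Where-Object { -not $_.HasPrivateKey })
    if (@($imported).Count -ne 2 -or $missingKey.Count -gt 0) {
        throw 'Import did not yield 2 certificates with private keys; re-export from the source host with "Yes, export the private key".'
    }
    $imported | Select-Object Subject, Thumbprint, HasPrivateKey

    # Hyper-V resolves the local guardian from this store; HasPrivateSigningKey must be True now.
    Get-HgsGuardian -Name UntrustedGuardian | Format-List Name, HasPrivateSigningKey
}

# Usage: on the source host run Export-ShieldedVmLocalCerts, copy D:\Backup to the target,
# then run Import-ShieldedVmLocalCerts there and start the VM. Without the certificates
# Start-VM fails with 'The key protector could not be unwrapped'.
# Export-ShieldedVmLocalCerts
# Import-ShieldedVmLocalCerts
# Start-VM -Name 'Win11-Pro'
```

If Get-HgsGuardian still reports HasPrivateSigningKey as False after the import, the private keys did not come along; repeat step 1 and make sure "Yes, export the private key" is selected.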
If my primary Windows disk crashed and I don't have access to my original Windows 11 host, but my VM was on another disk and I can import it on a fresh Windows install, it launches but I get this error about TPM. If I disable TPM I can boot the VM but I get a warning about TPM not being active. Is there a way to re-enable TPM without the original certificate? The other option I have not tried yet is to back up my running VM, which seems to work for now, but the warning is always there when I boot. I will try using Acronis and restore to a new fresh VM with TPM. I'm out of options 🙁
Hi Denis, as far as I know (and tried) you always need the original cert. You cannot disable TPM and re-enable TPM (no new cert will be created).
Thanks, I ended up recreating a new VM from scratch and restoring all my data. I will extract everything now since the new VM is working, in case it should happen again 🙂
Very impressive and detailed article. Interesting and informative post, thanks for sharing it with us.
Great post! I used this today while reinstalling Windows and while moving the certs went fine, my VMs still do not start, but there’s a different error, wondering if you’ve seen similar.
[Window Title]
Virtual Machine Connection
[Main Instruction]
The application encountered an error while attempting to change the state of ‘VM_NAME’.
[Content]
‘VM_NAME’ failed to start.
Microsoft Virtual TPM Device (Instance ID 736E6AA9-A3F8-49C0-9550-A963214D259A): Failed to Power on with Error ‘The parameter is incorrect.’.
[Expanded Information]
‘VM_NAME’ failed to start. (Virtual machine ID 7913BCB6-1635-413F-A4D4-6D9E36DD8BB8)
‘VM_NAME’ Microsoft Virtual TPM Device (Instance ID 736E6AA9-A3F8-49C0-9550-A963214D259A): Failed to Power on with Error ‘The parameter is incorrect.’ (0x80070057). (Virtual machine ID 7913BCB6-1635-413F-A4D4-6D9E36DD8BB8)
[V] See details [Close]
I have this error too, but when I create a new VM with Windows 11 I haven't been able to make it run. How do you solve it? Not when moving or copying the VM from another host, but when creating a new VM on the same host. Thanks
I was able to export the cert from the host the Win11 VM was created on, but there isn't a Shielded VM certificate store on the target host. How do I create one?
Hi Andre, make sure that you export both certificates including the private key. When importing the certificates on the new host, both keys should appear.
I had the same problem of not having the Shielded VM Certificate Store directory on my destination host. I solved this by creating a new VM with super basic settings and didn't install an OS. Then, before starting the VM, I went into its Settings > Security and checked Enable TPM, as it was off by default. Then I turned on the VM, which immediately created the Shielded VM Certificate Store directory in the Certificates snap-in. Then I followed the instructions to import the certs now that the directory existed.
Other than this little twist, these instructions were great, thank you.
Thanks for this. Great write-up!