Enterprise Mobility + Security, Intune, Microsoft Endpoint Manager, Windows 10/11

How to move or restore a Windows 11 VM in Hyper-V with TPM enabled (Shielded VMs)

November 16, 2021
3,931 views

In my previous blog I showed you step-by-step how to install Windows 11 as a VM in Hyper-V. The difference with Windows 10 is that Windows 11 requires a TPM (Trusted Platform Module) chip in order to boot. As you could read in my previous blog, this is no problem at all. However, I’m the kind of guy that regularly reinstalls my laptop/desktop and also uses multiple devices to run the same VMs on. And in that case it gets a bit more complex.

A VM that is enabled with a TPM will be shielded, what means that it will be protected with encryption keys bound to the host. So if you copy the VM to another device/host or reinstall your device and try to restore the VM from backup, you will receive the following error when trying to start the VM:

[Window Title]
Hyper-V Manager

[Main Instruction]
An error occurred while attempting to start the selected virtual machine(s).

[Content]
'Win11-Pro' failed to start.

'Win11-Pro' could not initialize.

The key protector could not be unwrapped. Details are included in the HostGuardianService-Client event log.

[Expanded Information]
'Win11-Pro' failed to start. (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)

'Win11-Pro' failed to start worker process: %%2148734208 (0x80131500). (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)

'Win11-Pro' could not initialize. (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)

The key protector for the virtual machine 'Win11-Pro' could not be unwrapped. . Details are included in the HostGuardianService-Client event log. %%2148734208 (0x80131500). (Virtual machine ID 41A50835-7DBD-4EA8-91FA-15445FA37662)

It’s good to know that you can simply export the Shielded VM Certificates (2) and import them on the other hosts(s) or on your reinstalled device.

In step 1 of this blog I will show you step-by-step how to export the certificates from the original host (host were the VM is created) and in step 2 I show you how to import the certificates on the other host(s) / reinstalled device.

Step 1 : Export the Shielded VM Certificates from the host

First we need to export the Shielded VM Certificates from the device where the Windows 11 VM is created. Therefore, start MMC.EXE.

Open the File menu and click Add/Remove Snap-in…

On the left side, select Certificates and click Add

Select Computer account and click Next

Select Local computer and click Finish

Click OK

Navigate to Certificates (Local Computer) > Shielded VM Local Certificates > Certificates. Select both the Shielded VM Certificates, right-click and navigate to All Tasks > Export…

Click Next

Select Yes, export the private key and click Next

Select Personal Information Exchange – PKCS #12 (.PFX). Let all options unchecked and click Next

Select Password and fill in a new password (you need this password when importing the certificates on the target host). Click Next.

Select a folder to save the certificates in and click Next

Click Finish

Click OK

Step 2 : Import the Shielded VM Certificates on the target host

On the new/other host or reinstalled device where you want to run the Windows 11 VM start MMC.exe and add the Certificates snap-in, just like you did in step one of this blog.

Navigate to Certificates (Local Computer) > Shielded VM Local Certificates > Certificates. Right-click Certificates and click All Tasks > Import

Click Next

Browse to the .PFX file that you created in step one of this blog and click Next

Fill in your password and make sure “Mark this key as exportable” and “Include all extended properties” is selected.

Make sure the Shielded VM Local Certificates is selected and click Next

Click Finish

Click OK

The Shielded VM certificates are now imported and the Windows 11 VM will now run as expected.

FacebookTwitterRedditLinkedInWhatsAppEmail

9 comments

Your email address will not be published.

  • If my primary windows disk crashed and I don’t have access to my original host windows 11, but my VM was on another disk and I can import it on a fresh windows install, it launch but I get this error about TPM. If I disable TPM I can boot the VM but I get a warning about TPM not active. Is there a way to reenable TPM without the original certificate ? The other option I have not tried yet is to backup my running VM which seems to works for now but the warning is always there when I boot. I will try using Acronis and restore to a new fresh VM with TPM. I’m out of option 🙁

    Reply

      • Thanks, I ended up recreating a new VM from scratch and restoring all my data. I will extract everything now since the new VM is working, if it should append again 🙂

        Reply

  • Very impressive and detailed article shared. Interesting and informative post thanks for share with us.

    Reply

  • Great post! I used this today while reinstalling Windows and while moving the certs went fine, my VMs still do not start, but there’s a different error, wondering if you’ve seen similar.

    [Window Title]
    Virtual Machine Connection

    [Main Instruction]
    The application encountered an error while attempting to change the state of ‘VM_NAME’.

    [Content]
    ‘VM_NAME’ failed to start.

    Microsoft Virtual TPM Device (Instance ID 736E6AA9-A3F8-49C0-9550-A963214D259A): Failed to Power on with Error ‘The parameter is incorrect.’.

    [Expanded Information]
    ‘VM_NAME’ failed to start. (Virtual machine ID 7913BCB6-1635-413F-A4D4-6D9E36DD8BB8)

    ‘VM_NAME’ Microsoft Virtual TPM Device (Instance ID 736E6AA9-A3F8-49C0-9550-A963214D259A): Failed to Power on with Error ‘The parameter is incorrect.’ (0x80070057). (Virtual machine ID 7913BCB6-1635-413F-A4D4-6D9E36DD8BB8)

    [V] See details [Close]

    Reply

  • I have this error, but when I create a new VM with windows 11, haven’t been able to make it run, how do you solve it? not moving or copying the VM from another host, but when creating a new VM in the same host. Thanks

    Reply

  • I was able to export the cert from the host the Win11 VM was created on but there isn’t a Shielded VM certificate store on the target host. How do i create one?

    Reply

    • Hi Andre, make sure that you export both certificates including the private key. When importing the certificates on the new hosts, both keys should be appear.

      Reply

    • I had the same problem of not having the Shielded VM Certificate Store directory on my destination host. I solved this by creating a new VM with super basic settings and didn’t install an OS. Then before starting the VM, I went into its Settings->Security and checked Enable TPM as it was off by default. Then I turned on the VM which immediately created the Shielded VM Certificate Store directory in the Certificate Utility. Then I followed the instructions to import the certs now that the directory existed.

      Other than this little twist, these instructions were great, thank you.

      Reply

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close