A virtual Trusted Platform Module (vTPM) is required to virtualize Windows 11 or Windows Server 2025. The Hyper-V virtualization platform included in Windows allows a vTPM and other options to be configured for a VM. The problem arises, however, when such a VM is moved and the vTPM certificates break. I have just come across an article from Microsoft that deals with this issue.
It is known that guest operating systems such as Windows 11 or Windows Server 2025 with activated security functions (Secure Boot, BitLocker) under Hyper-V depend on a functioning virtual, but trustworthy, Trusted Platform Module (vTPM).
Hyper-V and vTPM for VMs
Under Hyper-V, it is no problem to provide a vTPM for a virtual machine via its configuration and then install the guest operating system. The problem, or challenge, with vTPMs is that they rely on certificates stored on the local Hyper-V host.
When a vTPM is activated on a Generation 2 virtual machine, Hyper-V automatically generates a pair of self-signed certificates on the host where the VM is located. These certificates carry distinctive names:
- "Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)"
- "Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)"
These certificates are stored in a dedicated local certificate store on the Hyper-V host called "Shielded VM Local Certificates". By default, they are issued with a validity period of 10 years. As long as the virtual machines (VMs) with the vTPM keep running on this host, there is nothing to worry about (it is rare for a VM to run for longer than 10 years).
vTPM for VMs: a problem during migration
However, if a VM is to be moved to another Hyper-V host, problems may occur. The certificates that were used for the vTPM when the VM was set up then break and are invalid on the other host. The administrator must therefore take precautions to migrate the certificates at the same time.
For a vTPM-enabled virtual machine to be live-migrated successfully and then started on a new Hyper-V host, the "Shielded VM Local Certificates" (both the encryption and the signing certificate) from the source host must be available and trusted on every potential Hyper-V target host.
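The following PowerShell script is an added example and is not code from the Techcommunity article or from Microsoft. It takes the store name and certificate names given above and does the three things an administrator needs before a migration: list which VMs on the host depend on a vTPM, inspect the two guardian certificates (warning when their validity is running out), and export both with their private keys as PFX files so they can be imported into the same store on the target hosts. It assumes it is run in an elevated session on the source Hyper-V host with the Hyper-V and PKI modules available, that the private keys of these certificates are exportable, and that the export directory and VM name are placeholders you replace.

```powershell
# Added example (not from the article): inventory, check and export the
# vTPM guardian certificates of a Hyper-V host before migrating VMs.
# Assumptions: elevated session on the source host; Hyper-V and PKI modules
# present; private keys exportable; $ExportDir is a placeholder path.

$StorePath   = 'Cert:\LocalMachine\Shielded VM Local Certificates'   # store named in the article
$ExportDir   = 'C:\vTPM-Export'                                       # placeholder, adjust
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 0. Which VMs on this host actually depend on the local certificates?
#    Only VMs with a vTPM use the guardian certificates.
$tpmVMs = Get-VM | Where-Object { (Get-VMSecurity -VM $_).TpmEnabled }
if ($tpmVMs) {
    "VMs with vTPM enabled on $env:COMPUTERNAME:"
    $tpmVMs | ForEach-Object { "  $($_.Name)" }
} else {
    "No VM with vTPM on this host; the certificates are not needed for a migration."
}

# 1. Inventory the two UntrustedGuardian certificates and check their validity.
$certs = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like '*Shielded VM*Certificate (UntrustedGuardian)*' }

if (-not $certs) {
    Write-Warning "No guardian certificates found in '$StorePath'. Has a vTPM ever been enabled on this host?"
    return
}

foreach ($c in $certs) {
    $daysLeft = ($c.NotAfter - (Get-Date)).Days
    '{0}  thumbprint={1}  expires={2:yyyy-MM-dd}  ({3} days left)' -f `
        $c.Subject, $c.Thumbprint, $c.NotAfter, $daysLeft
    if ($daysLeft -lt 365) {
        Write-Warning "Certificate $($c.Thumbprint) expires in less than a year; plan a renewal."
    }
    if (-not $c.HasPrivateKey) {
        Write-Warning "Certificate $($c.Thumbprint) has no private key in this store; export will fail."
    }
}

# 2. Export both certificates (encryption and signing) with private keys.
#    Keep the PFX files as carefully as you would keep a BitLocker recovery key:
#    whoever holds them can unlock the vTPM state of every VM on this host.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
foreach ($c in $certs) {
    $kind = if ($c.Subject -match 'Encryption') { 'Encryption' } else { 'Signing' }
    $file = Join-Path $ExportDir "$env:COMPUTERNAME-UntrustedGuardian-$kind.pfx"
    Export-PfxCertificate -Cert $c -FilePath $file -Password $PfxPassword | Out-Null
    "Exported $kind certificate to $file"
}

# 3. On every target host, import the PFX files into the store of the same
#    name BEFORE moving the VM. Run there, after copying the export directory:
#
#    Get-ChildItem -Path 'C:\vTPM-Export\*.pfx' | ForEach-Object {
#        Import-PfxCertificate -FilePath $_.FullName `
#            -CertStoreLocation 'Cert:\LocalMachine\Shielded VM Local Certificates' `
#            -Password $PfxPassword
#    }
#
#    Then repeat the inventory (step 1) on the target host: both subjects must
#    appear with HasPrivateKey = True before the VM is migrated or imported.
```

The inventory step is worth running on its own as a periodic check: a host whose guardian certificates are within a year of expiry, or whose store is missing one of the two certificates, is a host whose vTPM-enabled VMs will not survive a move, and this is far cheaper to discover before a migration than during one.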
Microsoft employee Orin Thomas discussed various aspects of this issue in the July 7, 2025 Techcommunity article Hyper-V Virtual TPMs, Certificates, VM Export and Migration. In the article, he shows how the certificates associated with vTPMs can be managed so that administrators can export or move VMs (for example, Windows 11 VMs) to any prepared Hyper-V host they manage. Perhaps these explanations will be of interest to some readers.
To be honest, Hyper-V Manager should just move them to the new host along with the VM files. Users shouldn't be forced to do additional manual work.