Microsoft shares detailed guide to meet Windows 11 TPM requirements when moving VMs

Karlston

Microsoft has today published detailed guidance for IT admins and system administrators on handling virtual Trusted Platform Module (vTPM) certificates. The company says this is crucial to understand and implement correctly, since guest operating systems such as Windows 11 and Windows Server 2025, running on Hyper-V Generation 2 VMs, can then retain their full security features when moved across hosts.

Microsoft has always maintained that Windows 11 system requirements such as TPM 2.0 are designed to give the OS better security by default than Windows 10. It recently published an explainer describing how that is.


For those wondering how it works, a vTPM enables security features such as BitLocker and Secure Boot inside virtual machines. However, Hyper-V binds each vTPM instance to two self-signed certificates on the local host. Without a proper certificate transfer, Microsoft warns, live migrations and manual exports of vTPM-enabled VMs can fail, which is a major issue since it leaves organizations unable to relocate protected workloads.


Microsoft notes that Hyper-V hosts automatically generate two self-signed certificates, an encryption certificate and a signing certificate, for each vTPM-enabled Generation 2 VM, and store them in the “Shielded VM Local Certificates” store under Certificates (Local Computer) > Personal in the Microsoft Management Console (MMC). They are:

• Shielded VM Encryption Certificate (UntrustedGuardian) (ComputerName)
• Shielded VM Signing Certificate (UntrustedGuardian) (ComputerName)


    Both the encryption and signing certificates default to a 10-year validity period.


To migrate properly, Microsoft notes that admins must export both certificates together with their private keys as a PFX (Personal Information Exchange) file and import them into the same store on the target hosts, which marks them as trusted there.
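As an added illustration of that export/import step (example code written for this post, not the commands from Microsoft's guide), the PowerShell below pulls both guardian certificates from the local store with their private keys and re-imports them on the target host. It assumes the store's provider path is 'Cert:\LocalMachine\Shielded VM Local Certificates' and that each certificate's Subject contains "(UntrustedGuardian)"; run it in an elevated session.

```powershell
# Assumption: the MMC "Shielded VM Local Certificates" store maps to this provider path.
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# Source host: export the encryption and signing certificates, each as a
# password-protected PFX that carries its private key.
function Export-VtpmGuardianCerts {
    param(
        [Parameter(Mandatory)] [string] $OutputDir,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Assumption: both guardian certs carry "(UntrustedGuardian)" in their Subject.
    $certs = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like '*UntrustedGuardian*' })
    if ($certs.Count -ne 2) {
        throw "Expected one encryption and one signing certificate, found $($certs.Count)."
    }
    foreach ($cert in $certs) {
        # A PFX without the private key is useless on the target host, so fail early.
        if (-not $cert.HasPrivateKey) {
            throw "Certificate $($cert.Thumbprint) has no exportable private key."
        }
        $kind = if ($cert.Subject -like '*Encryption*') { 'encryption' } else { 'signing' }
        $file = Join-Path $OutputDir "vtpm-$kind-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
        $file
    }
}

# Target host: import the PFX files into the same store. -Exportable keeps the
# keys exportable so the target can itself be a migration source later.
function Import-VtpmGuardianCerts {
    param(
        [Parameter(Mandatory)] [string[]] $PfxFiles,
        [Parameter(Mandatory)] [securestring] $Password
    )
    foreach ($file in $PfxFiles) {
        $imported = Import-PfxCertificate -FilePath $file -CertStoreLocation $StorePath `
            -Password $Password -Exportable
        # Confirm the key arrived with the certificate; without it the vTPM cannot be unlocked.
        if (-not $imported.HasPrivateKey) { throw "Import of $file brought no private key." }
        "$($imported.Subject) -> $($imported.Thumbprint)"
    }
}

# Usage (source host, then target host, with the same PFX password):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   $files = Export-VtpmGuardianCerts -OutputDir 'C:\vtpm-transfer' -Password $pw
#   Import-VtpmGuardianCerts -PfxFiles $files -Password $pw
```

The PFX files contain the private keys that protect every vTPM on the host, so move them over a protected channel and delete them from disk once the import is verified.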


The company has laid out detailed steps for exporting, importing and updating the certificates (in case they expire), and has also provided PowerShell commands for each step. You can find the blog post in full detail here on Microsoft's Tech Community website.


    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

    RIP Matrix | Farewell my friend  
