
Microsoft’s Guide on Managing Virtual Trusted Platform Module (vTPM) Certificates
Microsoft has recently released in-depth guidance for IT and system administrators on managing virtual Trusted Platform Module (vTPM) certificates. This guidance is particularly important for those running guest operating systems such as Windows 11 and Windows Server 2025 on Hyper-V Generation 2 Virtual Machines (VMs). Implementing these practices correctly ensures that critical security features are retained when VMs are migrated across different hosts.
The Importance of TPM 2.0 for Enhanced Security
Windows 11 and Windows Server 2025 have specific system requirements, including TPM 2.0, which aim to improve security standards compared to their predecessors like Windows 10. Microsoft has previously clarified how these security enhancements function, emphasizing their role in creating a more secure environment for users.
How vTPM Functions Within Virtual Machines
At its core, vTPM facilitates essential security capabilities such as BitLocker encryption and Secure Boot in virtual environments. However, Microsoft highlights a pivotal aspect of vTPM management: it binds each instance to two self-signed certificates generated on the local host. Without transferring these certificates adequately, critical processes such as live migrations and manual exports of vTPM-enabled VMs could encounter significant issues, potentially hindering organizations’ ability to move protected workloads effectively.
Understanding the Certificates Involved
For each vTPM-enabled Generation 2 VM, Hyper-V creates and stores two self-signed certificates: an encryption certificate and a signing certificate. These certificates are located in the “Shielded VM Local Certificates” store, accessible via Certificates (Local Computer) > Personal in the Microsoft Management Console (MMC). The certificates are as follows:
- Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)
- Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)
Both certificates come with a default validity period of 10 years.
Steps for Proper Migration
To ensure successful migration of vTPM-enabled VMs, Microsoft instructs administrators to export both the encryption and signing certificates, including their private keys, into a PFX (Personal Information Exchange) file. These should then be imported into the equivalent store on the target hosts to establish their trust.
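The export-then-import procedure above, written out as a PowerShell script. This is an added example, not a script from Microsoft's guidance: the store path, the backup directory, the password prompt, and matching the two certificates on the “UntrustedGuardian” substring in their subject are all assumptions. It also checks that each certificate actually carries its private key (a PFX without it is useless on the target) and warns when the default 10-year validity is near its end.

```powershell
# Added example (not Microsoft's own script): move the two vTPM guardian
# certificates, with private keys, from a source Hyper-V host to a target host.
# Assumed values: store path, export directory, and subject-matching pattern.

$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$ExportDir = 'C:\vTPM-cert-backup'   # assumed path; restrict its ACL, the PFX files unlock every vTPM on this host
$Password  = Read-Host -AsSecureString -Prompt 'PFX password'

# --- On the SOURCE host: locate the encryption and signing certificates. ---
$certs = @(Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like '*UntrustedGuardian*' })

if ($certs.Count -ne 2) {
    throw "Expected 2 guardian certificates (encryption + signing), found $($certs.Count)."
}

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($cert in $certs) {
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; export would not let the target host open the vTPM."
    }
    # The certificates default to a 10-year validity; flag ones approaching expiry.
    if ($cert.NotAfter -lt (Get-Date).AddDays(90)) {
        Write-Warning "Certificate '$($cert.Subject)' expires $($cert.NotAfter); renew it before relying on it."
    }
    $file = Join-Path $ExportDir "$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
    Write-Host "Exported '$($cert.Subject)' -> $file"
}

# --- On the TARGET host, after copying $ExportDir over a protected channel: ---
# Import both PFX files into the same store so the host can decrypt the migrated vTPM state.
Get-ChildItem -Path $ExportDir -Filter '*.pfx' | ForEach-Object {
    Import-PfxCertificate -FilePath $_.FullName `
                          -CertStoreLocation $StorePath `
                          -Password $Password `
                          -Exportable | Out-Null
}

# Verification: both certificates should now be present with private keys.
Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like '*UntrustedGuardian*' } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

Run the source-host half before the migration and the target-host half on every host the VM may land on. The PFX files carry the private keys that protect the VM's TPM state, so delete them from the transfer location once the import is verified.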
Resources for IT Professionals
Microsoft has provided comprehensive instructions for exporting, importing, and updating these certificates in cases of expiration, alongside relevant PowerShell commands for ease of execution. For detailed information, visit the full blog post on Microsoft’s Tech Community website here.