Skip to content

Hyper V

HotCakeX edited this page Mar 23, 2023 · 29 revisions

Notes about Shielded VMs

  • Shielded VMs can't be simply moved to another Hyper-V host and used there, nor can they be de-shielded in another host, if the certificate is not in place on the new host. This results in the error "the key protector could not be unwrapped", which is desired.
  • Shielding a VM is for keeping bad actors or malware out of the VM, not for keeping malware inside VM. i.e., Shielding a VM is for keeping the VM secure, not for keeping the host secure.
  • You can use the command below to get details about your Hyper-V host, including checks whether your host runs in local/standalone mode or is part of a Guarded Fabric
HgsClientConfiguration

How to Import and Export TPM-enabled or Shielded Hyper-V VM certificates with PowerShell

TPM requirement, which is a great security feature, was added to Windows 11. on the host, it is managed by the OS and UEFI, but when you create a Virtual Machine (VM) that runs an OS like Windows 11, you have to know how to manage it properly so that your VM will stay secure everywhere and you will maintain your access to your VM even if you import/export it to a different Hyper-V host or reinstall your host OS.

Here is a screenshot of my Hyper-V VM on Windows 11 with the following security features enabled:

  1. Secure Boot
  2. Trusted Platform Module (TPM)
  3. Encrypt State and VM migration traffic
  4. Shielding (this enables all of the security features above Plus more)

image

When a VM uses TPM or Shielding, Windows creates 2 certificates in the Local Machine Certificate Store => Shielded VM Local Certificates => Certificates

One of them is for encryption and the other one is for signing. They both contain private keys. If these 2 certificates don't exist in that folder in the Local Machine Certificate store of a Hyper-V host, your VM won't be able to start, which is great because that prevents unauthorized users from accessing your data.

What you need to do is to export those 2 certificates (with private keys) and store them in a safe place (such as OneDrive's personal Vault) as a backup.

If you completely reinstall Windows or move the VMs to a different Hyper-V host and Import the certificates, you will be able to continue using your Shielded VMs, but when you create new Shielded VMs on the new host, 2 more certificates will be added to the Local Machine Certificate Store => Shielded VM Local Certificates => Certificates, so you will have 4 certificates in total, 2 of which are tied to your old VMs and the other 2 are tied to the new VMs that you create on the new host. each generated certificate has 10 years expiry date from the time it's created.


You can Import/Export the certificates using GUI, but here I'm going to show how to automate it using PowerShell:

Export all the available Host Guardian service certificates with private keys and extended properties

$CertificatePassword = ConvertTo-SecureString -String "hotcakex" -Force -AsPlainText
Get-Item "Cert:\LocalMachine\Shielded VM Local Certificates\*" | ForEach-Object {
Export-PfxCertificate -Cert $_ -FilePath ".\$($_.Issuer)-$($_.Thumbprint).pfx" -Password $CertificatePassword -CryptoAlgorithmOption AES256_SHA256}

Import the certificates with private keys

$ShieldedCertsPath = 'Cert:\LocalMachine\Shielded VM Local Certificates'; if (-NOT (Test-Path $ShieldedCertsPath)) { New-Item -Path 'Cert:\LocalMachine\Shielded VM Local Certificates' }
$CertificatePassword = ConvertTo-SecureString -String "hotcakex" -Force -AsPlainText
$CertificateLocation = "C:\Users\Admin\OneDrive\Desktop\Hyper-V Guardian certificates\*.pfx"
get-item $CertificateLocation | ForEach-Object {
    Import-PfxCertificate -FilePath $_ -CertStoreLocation 'Cert:\LocalMachine\Shielded VM Local Certificates' -Password $CertificatePassword -Exportable
}

You should change the values for $CertificateLocation and $CertificatePassword varaibles according to your own needs and environment.

Note that this configuration is for standalone systems. an actual shielded virtual machine is a lot more secure because the host's security and health is properly attested in a Guarded Fabric, using Host Guardian Service (HGS) on a Windows Server.


How to enable Nested Virtualization for all the VMs on the Hyper-V host

Source:

https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization

The command is this

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

but in order to automatically enable nested virtualization for all VMs, this is how I do it

All of the VMs must be in Off state when enabling nested virtualization

(Get-VM).name | ForEach-Object {Set-VMProcessor -VMName $_ -ExposeVirtualizationExtensions $true}

This is how to verify nested virtualization is enabled for all of your VMs

(Get-VM).name | ForEach-Object {get-VMProcessor -VMName $_} | Select-Object -Property VMName,ExposeVirtualizationExtensions








C#


Clone this wiki locally