Hyper V

How to Import and Export TPM-enabled Hyper-V VM certificates with PowerShell

TPM requirement, which is a great security feature, was added to Windows 11. On the host, it is managed by the OS and UEFI, but when you create a Virtual Machine (VM) that runs an OS like Windows 11, you have to know how to manage it properly so that your VM will stay secure everywhere and you will maintain your access to your VM even if you import/export it to a different Hyper-V host or reinstall your host OS.

Here is a screenshot of my Hyper-V VM on Windows 11 with the following security features enabled:

Secure Boot
Trusted Platform Module (TPM)

When a VM uses TPM, Windows creates 2 certificates in the Local Machine Certificate Store => Shielded VM Local Certificates => Certificates

One of them is for encryption and the other one is for signing. They both contain private keys. If these 2 certificates don't exist in that folder in the Local Machine Certificate store of a Hyper-V host, your VM won't be able to start

What you need to do is to export those 2 certificates (with private keys) and store them in a safe place (such as OneDrive's personal Vault) as a backup.

If you completely reinstall Windows or move the VMs to a different Hyper-V host and Import the certificates, you will be able to continue using your VMs, but when you create new TPM enabled VMs on the new host, 2 more certificates will be added to the Local Machine Certificate Store => Shielded VM Local Certificates => Certificates, so you will have 4 certificates in total, 2 of which are tied to your old VMs and the other 2 are tied to the new VMs. Each generated certificate has 10 years expiry date from the time it was created.

You can Import/Export the certificates using GUI, but here I'm going to show how to automate it using PowerShell:

Export all the available Host Guardian service certificates with private keys and extended properties

$CertificatePassword = ConvertTo-SecureString -String "hotcakex" -Force -AsPlainText
Get-Item "Cert:\LocalMachine\Shielded VM Local Certificates\*" | ForEach-Object {
Export-PfxCertificate -Cert $_ -FilePath ".\$($_.Issuer)-$($_.Thumbprint).pfx" -Password $CertificatePassword -CryptoAlgorithmOption AES256_SHA256}

Import the certificates with private keys

$ShieldedCertsPath = 'Cert:\LocalMachine\Shielded VM Local Certificates'; if (-NOT (Test-Path $ShieldedCertsPath)) { New-Item -Path 'Cert:\LocalMachine\Shielded VM Local Certificates' }
$CertificatePassword = ConvertTo-SecureString -String "hotcakex" -Force -AsPlainText
$CertificateLocation = "C:\Users\Admin\OneDrive\Desktop\Hyper-V Guardian certificates\*.pfx"
get-item $CertificateLocation | ForEach-Object {
    Import-PfxCertificate -FilePath $_ -CertStoreLocation 'Cert:\LocalMachine\Shielded VM Local Certificates' -Password $CertificatePassword -Exportable
}

You should change the values for $CertificateLocation and $CertificatePassword varaibles according to your own needs and environment.

You can find more info about those commands here:
- Import-PfxCertificate
- Export-PfxCertificate

How to enable Nested Virtualization for all the VMs on the Hyper-V host

Source:

https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization

The command is this

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

but in order to automatically enable nested virtualization for all VMs, this is how I do it

All of the VMs must be in Off state when enabling nested virtualization

(Get-VM).name | ForEach-Object {Set-VMProcessor -VMName $_ -ExposeVirtualizationExtensions $true}

This is how to verify nested virtualization is enabled for all of your VMs

(Get-VM).name | ForEach-Object {get-VMProcessor -VMName $_} | Select-Object -Property VMName,ExposeVirtualizationExtensions

Confidential Computing on Azure

Azure confidential computing makes it easier to trust the cloud provider, by reducing the need for trust across various aspects of the compute cloud infrastructure. Azure confidential computing minimizes trust for the host OS kernel, the hypervisor, the VM admin, and the host admin.

Continue reading

Shielded VMs are deprecated concepts

They are deprecated starting with Windows Server 2022.. They were prone to modern attacks such as side-channel.

The following details about Shielded VMs are old and no longer valid

Shielded VMs can't be simply moved to another Hyper-V host and used there, nor can they be de-shielded in another host, if the certificate is not in place on the new host. This results in the error "the key protector could not be unwrapped", which is desired.
Shielding a VM is for keeping bad actors or malware out of the VM, not for keeping malware inside VM. i.e., Shielding a VM is for keeping the VM secure, not for keeping the host secure.
You can use the command below to get details about your Hyper-V host, including checks whether your host runs in local/standalone mode or is part of a Guarded Fabric

HgsClientConfiguration

Note that this configuration is for standalone systems. an actual shielded virtual machine is a lot more secure because the host's security and health is properly attested in a Guarded Fabric, using Host Guardian Service (HGS) on a Windows Server.

Here is an official video about the feature and how it protects your VMs:
- Introduction to Shielded Virtual Machines in Windows Server 2016 - YouTube
- Microsoft Mechanics

Scenario: Hyper-V, Enhanced session mode, no authentication in the VM's OS

When you create a VM in Hyper-V that doesn't have any authentication method for login such as Password or PIN, and use Enhanced session-mode to connect to it, there might be an issue where the RDP disconnects once after each restart of the VM and Hyper-V virtual machine connection asks you to connect to the VM again by clicking/tapping on the connect button. To fix this, set a local password for the user account of the OS in VM.