Comments on: Hyper-V 2016 Shielded Virtual Machines on Stand-Alone Hosts https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/ Hyper-V guides, how-tos, tips, and expert advice for system admins and IT professionals Wed, 31 Mar 2021 06:26:32 +0000

By: Eric Siron https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3881 Fri, 12 Mar 2021 18:08:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3881 In reply to Anthony H.

I don’t believe that there is any way to get that original vTPM key back once the source keypair is lost. I believe that you’ll have to flush the TPM settings. Sorry 🙁

By: Anthony H. https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3873 Thu, 25 Feb 2021 05:57:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3873 Hello,

I am running a single Windows 10 host (not on a domain, just a personal workstation) with a TPM 2 chip and Hyper-V enabled, and a shielded VM that is stored on a NAS and accessed via an iSCSI connection.

My host experienced a failure and I had to reinstall Windows 10 from scratch. Once it was back up, I opened up Hyper-V and imported the VM in place (meaning that the VHD, etc. were not copied from the NAS).

If I enable the TPM in the VM settings, I get the “key protector could not be unwrapped” error. If I disable the TPM in the VM settings, then the VM boots normally… except that I cannot access my work VPN or use any of the SSO functions to access work resources. In other words, the VHD is not encrypted; I just use the TPM to store work credentials.

In this scenario, can I recover and reuse the existing keys?

If not, I can go through the process of getting certs to access my work environment… but then I need to be able to flush the existing TPM settings and re-enable them.

Failing that, I would guess I need to build a new VM from scratch and then redo the work to get it to access my work environment. This I know how to do, but I’d rather not if at all possible.

Many thanks in advance!

By: Eric Siron https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3685 Sun, 05 Jul 2020 20:04:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3685 In reply to Luke Hester.

Enable shielding on any VM.

By: Luke Hester https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3666 Sat, 06 Jun 2020 01:41:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3666 Nice article.

I’m trying to import the keys to another Hyper-V host but the certificate store “Shielded VM Local Certificates” doesn’t exist. What can I do to create the store?

By: Jase https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3272 Wed, 29 May 2019 01:57:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3272 Thanks for the guide. It was very helpful and a detailed guide that covered everything!

By: Eric Siron https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3262 Sun, 19 May 2019 19:24:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3262 In reply to Jason.

I did some tinkering with this today. Basically, it exhibits this behavior as a protection mechanism for the virtual TPM. Without it, you would have no way to trust the integrity of the vTPM. That, of course, would then cascade through anything that relied on the vTPM.

By: Eric Siron https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3261 Sat, 18 May 2019 17:13:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3261 In reply to Jason.

I will roll through a few permutations to see where all of this falls out. I would expect that any VM other than the original could not read a BitLocker-ed VHDX.

By: Jason https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3256 Sun, 12 May 2019 18:15:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3256 In reply to Eric Siron.

Couldn’t boot the VM. Just got “The key protector could not be unwrapped”.

It’s a BitLocker-ed VM with two additional BitLocker-ed virtual drives. Unfortunately I wasn’t in the mood to play at the time, as I was in the middle of reinstalling the VM host and this particular VM has all our data on it (hence the BitLocker). I was just grateful for your blog and relieved I could get the certificates back from a backup.

It would have been interesting to see if I could have mounted the additional drives on to another VM but I presume the result would have been the same until I installed the certificates.

By: Eric Siron https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3255 Fri, 10 May 2019 19:31:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3255 In reply to Jason.

I’ll have to play with that when I start doing my more in-depth testing. I would not expect that behavior either.
You couldn’t open the VHDX at all, or you could open it but not read anything? As in, you couldn’t even boot the VM, or you could start it but it couldn’t read its disk?

By: Jason https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/#comment-3253 Fri, 10 May 2019 13:58:00 +0000 http://www.altaro.com/hyper-v/?p=10911#comment-3253 In reply to Eric Siron.

Sorry, I probably didn’t make myself clear. As far as we were concerned this wasn’t a ‘shielded’ VM. We never chose it to be shielded, and both PowerShell and the GUI show it isn’t shielded, but it seems that Microsoft are still using certificates to protect it.

We had assumed that as long as we had the BitLocker keys we could always restore it even if the TPM wasn’t available, but we were wrong. Fortunately, we have backups of the host that we could get the certificates from, but I can see this tripping up a lot of people who don’t fully test their disaster recovery.

I don’t know if this behaviour has always been the case but this was on Server 2016.
