
Microsoft shares detailed guide to meet Windows 11 TPM requirements when moving VMs

Microsoft has published a detailed guide on how to meet the requirements of Windows 11 TPM 2.0 when moving and migrating virtual machines.

Microsoft has published detailed guidance for IT and system administrators on handling virtual Trusted Platform Module (vTPM) certificates. The company says getting this right is crucial so that guest operating systems such as Windows 11 and Windows Server 2025, running on Hyper-V Generation 2 VMs, retain their full security features when moved across hosts.

Microsoft has always maintained that Windows 11 system requirements such as TPM 2.0 are designed to give the OS better security by default than Windows 10, and it recently published an explainer describing how.

For those wondering how it works, the vTPM is what enables security features like BitLocker and Secure Boot inside a virtual machine. However, Hyper-V ties each vTPM instance to two self-signed certificates held on the local host. Without a proper transfer of those certificates, Microsoft warns, live migrations and manual exports of vTPM-enabled VMs can fail, which is a serious problem because it leaves organizations unable to relocate protected workloads.

Microsoft notes that a Hyper-V host automatically generates two self-signed certificates, an encryption certificate and a signing certificate, when a vTPM is first enabled on a Generation 2 VM. They belong to the host's local "UntrustedGuardian" (one pair per host, not per VM) and are stored in the "Shielded VM Local Certificates" store, visible under Certificates (Local Computer) in the Microsoft Management Console (MMC). They are:

  • Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)
  • Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)

Both the encryption and signing certificates default to a 10-year validity period.

To migrate properly, Microsoft notes that admins must export both certificates, including their private keys, as PFX (Personal Information Exchange) files and import them into the same store on the target host, so that the target host holds the keys needed to unlock the vTPM state of VMs that were created on the source host.

The company has laid out detailed steps for exporting, importing and updating (in the case of expiration of the certificates), and has also provided PowerShell commands for the same. You can find the blog post in full detail here on Microsoft's Tech Community website.
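The export, import and verification steps described above, as an added PowerShell example that is not taken from Microsoft's post. It assumes an elevated PowerShell session on each host, a file share `$ExportDir` reachable from both hosts (a placeholder path), and the store and certificate names the article lists; the function names are this example's own.

```powershell
# Added example (not Microsoft's code): move the host's UntrustedGuardian
# certificates, with private keys, from a source Hyper-V host to a target host.
# Assumptions: run elevated on each host; $ExportDir is a placeholder share.

$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$ExportDir = '\\fileserver\vtpm-certs'                      # assumed path, adjust
$Password  = Read-Host -AsSecureString -Prompt 'PFX password'

# Both guardian certificates carry "UntrustedGuardian" in their subject.
function Get-UntrustedGuardianCerts {
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like '*UntrustedGuardian*' }
}

# --- Source host: export the encryption and signing certificates as PFX ---
function Export-UntrustedGuardianCerts {
    $certs = @(Get-UntrustedGuardianCerts)
    if ($certs.Count -ne 2) {
        throw "Expected 2 UntrustedGuardian certificates, found $($certs.Count)"
    }
    foreach ($cert in $certs) {
        # A PFX without the private key is useless on the target host.
        if (-not $cert.HasPrivateKey) { throw "No private key for $($cert.Subject)" }
        $kind = if ($cert.Subject -like '*Encryption*') { 'encryption' } else { 'signing' }
        $file = Join-Path $ExportDir ('{0}-{1}-{2}.pfx' -f $env:COMPUTERNAME, $kind, $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
        Write-Host "Exported $kind certificate $($cert.Thumbprint) to $file"
    }
    $certs.Thumbprint   # return the thumbprints so the target can verify them
}

# --- Target host: import into the same store; keep the key exportable so the
# --- host can itself be a migration source later.
function Import-UntrustedGuardianCerts {
    Get-ChildItem -Path $ExportDir -Filter '*.pfx' | ForEach-Object {
        Import-PfxCertificate -FilePath $_.FullName -CertStoreLocation $StorePath `
            -Password $Password -Exportable | Out-Null
        Write-Host "Imported $($_.Name) into $StorePath"
    }
}

# --- Target host: confirm the source thumbprints are present with private keys
# --- and warn when the 10-year validity is about to run out.
function Test-UntrustedGuardianCerts {
    param([string[]]$ExpectedThumbprints)
    $present = @(Get-UntrustedGuardianCerts)
    foreach ($t in $ExpectedThumbprints) {
        $c = $present | Where-Object { $_.Thumbprint -eq $t }
        if (-not $c) { Write-Warning "Missing certificate $t"; continue }
        if (-not $c.HasPrivateKey) { Write-Warning "$t has no private key"; continue }
        $daysLeft = ($c.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt 90) { Write-Warning "$t expires in $daysLeft days; plan renewal" }
        else { Write-Host "$t OK, valid until $($c.NotAfter)" }
    }
}

# Usage: on the source host run Export-UntrustedGuardianCerts and note the
# thumbprints it returns; on the target host run Import-UntrustedGuardianCerts,
# then Test-UntrustedGuardianCerts -ExpectedThumbprints <those thumbprints>.
```

The PFX files hold the private keys that unlock every vTPM-protected VM created on the source host, so protect them in transit like any other secret and delete them from the share once the import has been verified.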
