Modern Workplace Brewer, MVP & MCT
Hyper-V Windows10 2019 Host Guardian Service

Hyper-V Server 2019 Shielded VMs issues

by Jeroen Burgerhout 2 min read

Recently I brought back life in to one of my old NUCs to install Hyper-V Server 2019. That was the easy part. 😊
But today I wanted to “migrate” VMs from my desktop-NUC to the newly Hyper-V server. So, I made an export of the VM, copied it over to the Hyper-V NUC, did an import of the VM. So far, so good.

Then I clicked on the icon to start the VM and within one second, an error message popped up, with a message about the Host Guardian Service.

HyperVCert-1

After doing research, I found out that the VMs on my desktop-NUC are shielded through a certificate and I had to export the certificates belonging to the shielded VM and import them on the Hyper-V server. After I did this, the VM could start again.

What exactly have I done? Let us start!
Presume that you already have exported your VM(s) and copied it over to the Hyper-V server, we going to start right away with the certificates.

Exporting the certificates

First, you need to export the certificates that are in the “Shielded VM Local Certificates” certificate store on your machine. We can do this by using an elevated prompt.

HyperVCert-3

  1. Type certutil -store “Shielded VM Local Certificates”

HyperVCert-2

  1. In the cmd window, find the serial numbers for both certificates.
  2. Type certutil -exportpfx -p “SuperDuperPassword!” “Shielded VM Local Certificates” 737f1210b23ce5a6493d3e0187f74ccd C:\Temp\ShieldedVMEncryption.pfx
  3. Type certutil -exportpfx -p “SuperDuperPassword!” “Shielded VM Local Certificates” 5f064038ebd022b94c14442d3e1ef611 C:\Temp\ShieldedVMSigning.pfx
  4. At this moment you should have two exported certificates in the C:\Temp folder.
    HyperVCert-4

Importing the certificates

  1. Copy both files to your Hyper-V server.
  2. Switch over to your Hyper-V server and open the command prompt.
  3. Type certutil -importpfx "Shielded VM Local Certificates" c:\Temp\ShieldedVMEncryption.pfx
  4. Type your password and the certificate is in the certificate store.
  5. Type certutil -importpfx "Shielded VM Local Certificates" c:\Temp\ShieldedVMSigning.pfx
  6. Type your password and also this certificate is in the certificate store.

HyperVCert-5

  1. If you open the certificate store of the Hyper-V server, you will see four certificates. Two of your Hyper-V server and the two imported certificates of your machine.

HyperVCert-6

Start your imported VM

After you followed the above steps, you can start your virtual machine on your Hyper-V Server 2019.

Read more posts by this author

Jeroen Burgerhout

Modern Workplace Brewer | MVP | MCT | Author | Microsoft 365 | Intune | Entra ID | CEO (Chief Everything Officer) | Founder @workplacedudes

The link has been copied!
You’ve successfully subscribed to Jeroen Burgerhout
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.