
Microsoft today published detailed guidance for IT and system administrators on handling virtual Trusted Platform Module (vTPM) certificates. The company says getting this right is crucial, because it is what lets guest operating systems such as Windows 11 and Windows Server 2025, running on Hyper-V Generation 2 VMs, retain their full set of security features when moved between hosts.
Microsoft has always maintained that Windows 11's system requirements, TPM 2.0 among them, are designed to give the OS better security by default than Windows 10. It recently published an explainer describing how that works.
For those wondering how it works, the vTPM enables security features such as BitLocker and Secure Boot inside virtual machines. However, Hyper-V binds each vTPM instance to two self-signed certificates on the local host. Without a proper certificate transfer, Microsoft warns, live migrations and manual exports of vTPM-enabled VMs can fail, which is a major issue because it leaves organizations unable to relocate protected workloads.
Microsoft notes that Hyper-V hosts automatically generate two self-signed certificates, an encryption certificate and a signing certificate, for each vTPM-enabled Generation 2 VM, and store them in the “Shielded VM Local Certificates” store under Certificates (Local Computer) > Personal in the Microsoft Management Console (MMC). They are:
- Shielded VM Encryption Certificate (UntrustedGuardian)(ComputerName)
- Shielded VM Signing Certificate (UntrustedGuardian)(ComputerName)
Both the encryption and signing certificates default to a 10-year validity period.
To migrate properly, Microsoft notes that admins must export both certificates with their private keys as a PFX (Personal Information Exchange) file and import them into the same store on the target hosts, which marks the certificates as trusted there.
The company has laid out detailed steps for exporting, importing and updating the certificates (the latter for when they expire), and has also provided PowerShell commands for these steps. You can find the blog post in full detail here on Microsoft's Tech Community website.
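As an added example (not code from Microsoft's post), the export and import described above can be scripted in PowerShell. It assumes the store is exposed as `Cert:\LocalMachine\Shielded VM Local Certificates`, that the certificate subjects contain "UntrustedGuardian", and that `C:\vtpm-export` is a constructed staging directory copied to the target host between the two halves.

```powershell
# Added example, not Microsoft's own script. Assumptions: the guardian certificates
# live in Cert:\LocalMachine\Shielded VM Local Certificates, their subjects contain
# "UntrustedGuardian", and C:\vtpm-export is a constructed path copied between hosts.
$StorePath   = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$ExportDir   = 'C:\vtpm-export'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# --- Source host: export both certificates together with their private keys ---
$guardianCerts = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like '*UntrustedGuardian*' }

if ($guardianCerts.Count -lt 2) {
    throw "Expected the encryption and signing certificates, found $($guardianCerts.Count)."
}

foreach ($cert in $guardianCerts) {
    # A PFX without the private key is useless for re-binding the vTPM on the target host
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; export cannot proceed."
    }
    # Name each file after its role so the import side can tell them apart
    $role    = if ($cert.Subject -match 'Encryption') { 'encryption' } else { 'signing' }
    $pfxPath = Join-Path $ExportDir "guardian-$role-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null

    # Surface certificates nearing the end of their 10-year default validity
    if ($cert.NotAfter -lt (Get-Date).AddDays(90)) {
        Write-Warning "$role certificate expires $($cert.NotAfter); plan the update step."
    }
}

# --- Target host: import into the same store (run after copying $ExportDir over) ---
Get-ChildItem -Path (Join-Path $ExportDir '*.pfx') | ForEach-Object {
    Import-PfxCertificate -FilePath $_.FullName -CertStoreLocation $StorePath `
        -Password $PfxPassword -Exportable | Out-Null
}

# Verify: the target host should now list both certificates with private keys present
Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like '*UntrustedGuardian*' } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

Run the first half on the source host and the second on the target host in an elevated session; the final listing should show HasPrivateKey as True for both certificates before any VM is migrated.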