Inadvertently created a Hyper-V Shielded VM


  1. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #1

    Inadvertently created a Hyper-V Shielded VM


    Well here's an interesting twist. I appear to have inadvertently created a Hyper-V Shielded VM, one that cannot be imported and run on any Host except the one it was created on.

    Microsoft said:
    To help protect against compromised virtualization fabric, Windows Server 2016 Hyper-V introduced shielded VMs. A shielded VM is a generation 2 VM (supported on Windows Server 2012 and later) that has a virtual TPM, is encrypted using BitLocker, and can run only on healthy and approved hosts ...
    https://docs.microsoft.com/en-us/win...d-shielded-vms

    On this Host machine (W10 Pro, 19043.1288) there are three VMs. The first two can be exported then imported to any Host, only the latest one is a Shielded VM. It is probably no coincidence that it is the only new VM I have created since enabling TPM in the Host machine's bios. I have tried importing it into two Host machines with the same results, one W11 Pro, the other W10 Pro.

    [Attached image: hyper-v-shielded-vm-key-protector-could-not-unwrapped.png]

    [Attached image: hyper-v-shielded-vm-hostguardianservice-client-event-2014.png]

    The VM's hard drive is not even encrypted by BitLocker, it's a W11 Home VM so doesn't have BitLocker capabilities. As there is no BitLocker involved, it seems I can run the VM if I turn off the virtual TPM in the VM's settings, though that's hardly useful if I want to fully test a W11 VM.

    It appears that one solution is to export the Certificates from the original Host and import them to the new Host, but I'd much rather 'un-shield' the VM if that's possible.

    [Attached image: hyper-v-shielded-vm-certificate.png]

    Hyper-V 2016 Shielded Virtual Machines on Stand-Alone Hosts
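    The behaviour described above (vTPM enabled, "key protector could not be unwrapped" on any other host, HostGuardianService-Client event 2014) comes from the VM's key protector being wrapped by the local host's own guardian certificates rather than by a Host Guardian Service. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation: it shows how to read what the VM's security settings and key protector actually report, and how to move the local guardian certificates to another host so the export/import works with the vTPM still enabled. The VM name, export directory and PFX password are placeholders; the guardian name `UntrustedGuardian` and the `Shielded VM Local Certificates` store are the defaults Hyper-V creates on a stand-alone host.

```powershell
# Added example, not from the original thread. Run elevated on the Hyper-V host.
# Assumes a stand-alone host (no Host Guardian Service), where enabling a vTPM
# wraps the VM's key protector with the host's own 'UntrustedGuardian' certificates.
#Requires -RunAsAdministrator

$VMName    = 'W11-Home-Test'          # placeholder: your VM's name
$ExportDir = 'C:\Temp\GuardianExport' # placeholder: where the PFX files are written
$GuardianStore = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# 1. What the VM reports about itself. The thread's situation is exactly
#    Shielded = False but TpmEnabled = True: the settings UI says "not shielded",
#    yet the key protector is still bound to this host's guardian.
function Get-VmKeyProtectorSummary {
    param([string]$Name)
    $sec = Get-VMSecurity -VMName $Name
    # Get-VMKeyProtector returns the raw key protector bytes; ConvertTo-HgsKeyProtector
    # (HgsClient module) parses them into Owner/Guardians.
    $kp  = ConvertTo-HgsKeyProtector -Bytes (Get-VMKeyProtector -VMName $Name)
    [pscustomobject]@{
        VM            = $Name
        TpmEnabled    = $sec.TpmEnabled
        Shielded      = $sec.Shielded
        Owner         = $kp.Owner.Name          # guardian that can unwrap the protector
        Guardians     = ($kp.Guardians | ForEach-Object Name) -join ', '
    }
}

# 2. On the ORIGINAL host: export the local guardian's encryption and signing
#    certificates WITH private keys. Without the private keys the target host
#    cannot unwrap the protector, which is the error seen on import.
function Export-LocalGuardianCerts {
    param([string]$Destination, [securestring]$PfxPassword)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $certs = Get-ChildItem $GuardianStore |
        Where-Object { $_.Subject -like '*UntrustedGuardian*' -and $_.HasPrivateKey }
    if (-not $certs) { throw "No UntrustedGuardian certificates with private keys in $GuardianStore" }
    foreach ($c in $certs) {
        $file = Join-Path $Destination ("{0}.pfx" -f $c.Thumbprint)
        Export-PfxCertificate -Cert $c -FilePath $file -Password $PfxPassword | Out-Null
        Write-Host "Exported $($c.Subject) -> $file"
    }
}

# 3. On the TARGET host: import the same certificates into the same store, then
#    import the VM as usual. The imported VM's key protector now names a guardian
#    whose private keys this host holds, so the vTPM can be unwrapped.
function Import-LocalGuardianCerts {
    param([string]$Source, [securestring]$PfxPassword)
    Get-ChildItem -Path $Source -Filter '*.pfx' | ForEach-Object {
        Import-PfxCertificate -FilePath $_.FullName -CertStoreLocation $GuardianStore `
            -Password $PfxPassword -Exportable | Out-Null
        Write-Host "Imported $($_.Name) into $GuardianStore"
    }
}

# --- Usage on the original host ---
Get-VmKeyProtectorSummary -Name $VMName | Format-List
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX files'
Export-LocalGuardianCerts -Destination $ExportDir -PfxPassword $pw

# --- Usage on the target host, after copying $ExportDir across ---
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Import-LocalGuardianCerts -Source $ExportDir -PfxPassword $pw
# Import-VM -Path 'D:\Exports\W11-Home-Test\Virtual Machines\<guid>.vmcx' -Copy -GenerateNewId:$false
# Get-VmKeyProtectorSummary -Name $VMName | Format-List   # Owner should now be unwrappable here
```

    The PFX files carry the private keys that make the vTPM unwrappable, so treat them like the host's own secrets: store them encrypted, copy them over a trusted channel, and delete the export directory once the target host has imported them. Running the summary function on both hosts before and after the move is the quickest way to confirm that the key protector's owner is a guardian the new host actually holds.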


  2. Posts : 4,187
    Windows 11 Pro, 22H2
       #2

    Wow, that's an interesting issue. I do have a couple of thoughts on this. Note that I need to test these ideas because this is just some random thinking at this point.

    Thought #1: This part I know works, because this is how I do things...

    I often create an initial VM but before I ever install the OS, I export it and make a backup. By doing this, I am saving a very small VM because the virtual HD has no data on it yet, but I have backed up the unique system ID. I then proceed to install Windows and make any changes / customizations that I want including activating that copy of Windows in the VM.

    Because the activation is based upon that unique system ID, I can restore that VM in the future, then install Windows, and it will activate because I previously activated a copy of Windows with that unique ID. It doesn't matter that I exported prior to Windows being installed. Again, up to here, I know for a fact that this works.

    Thought #2: If you follow the above, then you can at least back up the VM with its unique system ID so that it can be activated again in the future. So, this is where my idea for part two comes in: Rather than export your VM after it is fully configured, how about simply creating a disk image backup using something like Macrium Reflect?

    So, to restore the VM to another system, the workflow would look like this:

    1) Import your VM that you exported prior to the OS being installed as noted above. These are generally only a few MB in size so it will import near instantly.

    2) If your imported VM has a virtual HD, delete it, and create a new one to replace it. Your HD now has a new unique ID, but the system ID remains the same.

    3) Boot the VM from your Macrium Reflect (or similar) recovery ISO and restore your fully configured VM.

    I have not a clue if this would work. But, you have maintained the unique system ID and so Windows should be able to activate. You also have a new disk with a different ID than the original drive. Is that enough to get around this? In other words, is this protection somehow tied to the unique id of the virtual HDD? I don't know, but I guess it might be worth a test.

    Feel free to tell me if this sounds like it is destined to fail.


  3. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #3

    hsehestedt said:
    Wow, that's an interesting issue. I do have a couple of thoughts on this. ....
    ....Feel free to tell me if this sounds like it is destined to fail.
    No, your ideas are sound. Preserving the ID of a VM is important if you want to preserve the digital licence that gets attached to it once you activate the VM. And I did use one of my keys to activate that particular VM so I need to preserve its ID.


    hsehestedt said:
    But, you have maintained the unique system ID and so Windows should be able to activate. You also have a new disk with a different ID than the original drive. Is that enough to get around this? In other words, is this protection somehow tied to the unique id of the virtual HDD? I don't know, but I guess it might be worth a test.
    The imported VM will boot only if I turn off the virtual TPM. When I do so it says it is activated.

    I have tried removing the .vhdx disk from the imported VM and replacing it with a new blank one, or even tried to boot it from an ISO with no drive attached at all. I have also tried detaching the .vhdx before exporting. In all cases the imported VM will not start if the VM's TPM is turned on, giving the error: "the key protector could not be unwrapped". No, the shielding is not linked to the HDD in any way.

    One oddity is that although this VM quite obviously behaves as a Shielded VM, its settings on the original Host it was exported from say that it is not shielded.

    [Attached image: hyper-v-shielded-vm-settings-off.png]

    Turning Shielding on should look like this....

    [Attached image: hyper-v-shielded-vm-settings-.png]

    But after turning it on, then turning it off again then exporting the VM again, it is still behaving as a Shielded VM when importing it.
    Last edited by Bree; 01 Nov 2021 at 15:07.


  4. Posts : 18,432
    Windows 11 Pro
       #4

    What happens if you uncheck the Enable Trusted Platform setting?


  5. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #5

    NavyLCDR said:
    What happens if you uncheck the Enable Trusted Platform setting?
    If I untick Enable Trusted Platform before exporting, then import that to the new Host, the imported VM will run. But if I then enable it on the new Host it does not start, giving the error: "the key protector could not be unwrapped".


  6. Posts : 4,187
    Windows 11 Pro, 22H2
       #6

    Maybe the "easy" way around this would be to initially set up the VM as if it was unsupported hardware without a TPM at all, export it in that state, then only enable the TPM afterward. Maybe not a great solution, but it should at least work that way.


  7. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #7

    hsehestedt said:
    Maybe the "easy" way around this would be initially setup the VM as if it was unsupported hardware without a TPM at all, export it in that state, then only enable the TPM afterward. Maybe not a great solution, but it should at least work that way.
    I don't really care about saving this VM for later use. It was just a clean install of W11 Home. What I really want to rescue and be able to use on any other Host is this VM's machine ID and the digital licence that goes with it. I used up one of my spare keys to activate this VM and as things stand I can only use its digital licence on that one Host machine.


  8. Posts : 4,187
    Windows 11 Pro, 22H2
       #8

    So, what happens if you delete the virtual HD? NOTE: Deleting it does not actually delete the VHD / VHDX file, it simply disconnects it from the VM. Will it then allow an export / import to another location or does that also not work?


  9. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #9

    hsehestedt said:
    So, what happens if you delete the virtual HD....

    Tried that in Post #3:

    I have tried removing the .vhdx disk from the imported VM and replacing it with a new blank one, or even tried to boot it from an ISO with no drive attached at all. I have also tried detaching the .vhdx before exporting. In all cases the imported VM will not start if the VM's TPM is turned on, giving the error: "the key protector could not be unwrapped". No, the shielding is not linked to the HDD in any way.


  10. Posts : 4,187
    Windows 11 Pro, 22H2
       #10

    Sorry. Overlooked that.