Inadvertently created a Hyper-V Shielded VM


  1. Posts : 11,247
    Windows / Linux : Arch Linux
       #11

    Hi folks

    @Bree
    @hsehestedt


    Interesting discussion -- but isn't the system behaving "As designed" -- a shielded VM shouldn't be "exportable" etc by any of the "usual methods"

    The best way though IMO to test all these things is to do them all entirely from "External Virtual HDD's" --Not VM's but physical Virtual hard drives, boot from them and do all this VM testing -- the VHDX's on "Physical boot" behave identically to "Local hard drive Windows" installations. Then if the whole thing gets hosed up just delete / re-initialize the external HDD. !!! Using SSD with USB3 / 3.1->SATA connector still yields comparable performance to internal HDD / SSD.

    Sorry if not a solution to the problem --but IMO a vastly superior way of testing and if it all goes pear shaped just re-initialize the external device.

    For creating Physical Windows Systems on external devices using "Boot from Physical Virtual hard drives" - note NOT VM's - these are 100% Windows installations with physical OS and hardware - 100% equivalent to a Windows installation on main internal HDD :

    ISO from SysPrep-ed Image not bootable from external disk... | Windows 11 Forum

    Cheers
    jimbo


  2. Posts : 31,472
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #12

    jimbo45 said:
    ... isn't the system behaving "As designed" -- a shielded VM shouldn't be "exportable" etc by any of the "usual methods"
    While that is true, at no point in creating this VM did I ask for it to be shielded, nor was I informed at any point that it would be un-exportable. In fact, the Settings for this VM specifically say that shielding is NOT enabled. If I had known I'd be stuck with a digital licence attached to a VM I cannot reuse on any other machine then I wouldn't have wasted one of my few remaining keys on activating it.



  3. Posts : 11,247
    Windows / Linux : Arch Linux
       #13

    Bree said:
    While that is true, at no point in creating this VM did I ask for it to be shielded, nor was I informed at any point that it would be un-exportable. If I had known I wouldn't have wasted one of my few remaining keys on activating it. Now I'm stuck with a digital licence attached to a VM I cannot reuse on any other machine.
    Hi there
    @Bree

    Actually you probably can.

    1) use Macrium or whatever to clone the VM to a physical disk somewhere on your machine.
    2) use Macrium recovery to "Fix Windows boot problems"
    3) boot the newly "cloned" Windows system.
    4) fix any driver issues by entering Device Manager and go down all the devices marked Unknown device or have queries against them by :
    a) against the device choose update driver
    b) choose "install from this computer"
    c) choose from any previous "physical version" of windows that worked -- even a mounted Macrium image will be OK the directory "windows\system32\Driverstore" -- ensure subfolders is clicked too.
    d) after all done --reboot. Chances are that you won't have to re-activate Windows again. It's worked for me enough times.

    Q.E.D !!!!

    Cheers
    jimbo


  4. Posts : 31,472
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #14

    jimbo45 said:
    Hi there
    @Bree

    Actually you probably can.

    1) use Macrium or whatever to clone the VM to a physical disk somewhere on your machine....
    Thanks for the suggestion. Actually it was trivially easy to boot the imported .vhdx on a new VM created from scratch on the new Host. Although the imported VM was shielded, its .vhdx was not bitlocker protected so I could just attach it to another VM. But it did not activate as the installed key was the generic Home key and not the W7 Home key I had used to activate the original VM.

    But your suggestions did inspire me to try another way to transfer activation. I signed in to the activated VM on the old host, then switched it from a local account to a Microsoft account. Then I shut it down and signed in to the unactivated clone VM on the new Host. Running the Activation Troubleshooter and selecting 'I have changed hardware' enabled me to transfer activation to this new clone VM.

    So thank you, you put me on the right track for a practical solution.


  5. Posts : 11,247
    Windows / Linux : Arch Linux
       #15

    jimbo45 said:
    Hi there
    @Bree

    Actually you probably can.

    1) use Macrium or whatever to clone the VM to a physical disk somewhere on your machine.
    2) use Macrium recovery to "Fix Windows boot problems"
    3) boot the newly "cloned" Windows system.
    4) fix any driver issues by entering Device Manager and go down all the devices marked Unknown device or have queries against them by :
    a) against the device choose update driver
    b) choose "install from this computer"
    c) choose from any previous "physical version" of windows that worked -- even a mounted Macrium image will be OK the directory "windows\system32\Driverstore" -- ensure subfolders is clicked too.
    d) after all done --reboot. Chances are that you won't have to re-activate Windows again. It's worked for me enough times.

    Q.E.D !!!!

    Cheers
    jimbo
    @Bree

    Thanks !!

    Glad you fixed it !!!


    The Physical VHDX system is brilliant -- amazing that it's still relatively in the realms of the "Unknown" for most people

    If I was so minded I could probably create a script to do it automatically !!! however a few command line entries aren't that hard. I'm surprised with all these builds etc more people don't test this way - especially booting from external devices.

    There's still also a good reason for VM's as well as these can run "concurrently" and also are good for Initial testing to see if the basic OS actually works - especially on home computers. VM passthru is also good -- always better to have "More tools in the armoury".

    As an old NATO Military colleague of mine always reminded me : "If you go to a Gunfight don't come armed with just a Knife" !!! although my military days are "Long Gone" !!!.

    anyway have fun

    Done enough for today --"My Beer is getting cold"

    Cheers
    jimbo


  6. Posts : 31,472
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #16

    jimbo45 said:
    ...The Physical VHDX system is brilliant -- amazing that it's still relatively in the realms of the "Unknown" for most people...
    Yes, I have used it on another of my machines. It's testing a Win11 upgrade on an unsupported 5th gen i5. For comparison I wanted to dual boot with the Win10 I had upgraded from, so I restored its Macrium image to a .vhdx and can also boot from that. My first time trying this, but it was easy (with the help of a tutorial by @Kari).


    Anyway, the only lingering question is why on earth did the old Hyper-V Host create a shielded VM (without any visible indication it had done so)? And why was it impossible to turn off the shielding once in place? Having now rescued my activation for re-use another time that's no longer an urgent question. But it would be nice to know how to avoid falling into the same trap in the future.


  7. Posts : 4,173
    Windows 11 Pro, 22H2
       #17

    Bree, just wanted to say thanks for bringing up this whole topic. I must admit I have never heard of a shielded VM prior to this discussion.


  8. Posts : 31,472
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #18

    Well, it has happened again. This newly created VM on the new Host machine cannot be exported and imported into any other Host machine.

    Its Settings specifically say that Shielding is NOT enabled, despite that the imported VM fails to run with the error: "the key protector could not be unwrapped"

    This makes me think that the problem is not exactly a Shielded VM as such, rather it seems to be related to any VM that has its TPM enabled in its settings and was created on a Host that itself has TPM enabled. The only way to get such an exported VM to run on any other host is to turn off TPM in its Settings after importing it.

    Now that Windows 11 requires TPM to be enabled such a situation would increasingly be the norm. I fear this problem may be seen more often in the future, an exported VM can only be imported successfully by the original Host. Perhaps @Kari would know how to get round it and successfully export/import such a VM to another Host, but I can see no simple solution apart from exporting the Certificates as well as the VM.
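    The situation in post #18 (TPM enabled, Shielding shown as off, "the key protector could not be unwrapped" after import) and the "export the Certificates as well as the VM" idea, as an added PowerShell example that is not part of the original thread. The VM name and output folder are placeholders; the certificate store name is the one Hyper-V uses for locally generated key protectors.

```powershell
# Added example. Run in an elevated PowerShell session on the SOURCE Hyper-V host.
# $VMName and $OutDir are placeholder values, not taken from the thread.
$VMName = 'TestVM'
$OutDir = 'C:\VMExport\Guardian'
$Store  = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# 1. What the VM settings report: the virtual TPM can be on while Shielded is False.
Get-VMSecurity -VMName $VMName |
    Format-List TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic

# 2. A VM that has never had a key protector returns only a 4-byte placeholder.
$kp = Get-VMKeyProtector -VMName $VMName
if ($kp.Length -le 4) {
    Write-Output "$VMName has no key protector; a plain export/import is not tied to this host."
    return
}
Write-Output "$VMName has a key protector ($($kp.Length) bytes) wrapped for this host's guardian certificates."

# 3. Export the host's local guardian certificates together with their private keys.
#    These PFX files can unwrap the vTPM state of every such VM on this host,
#    so use a strong password and delete them once they have been imported.
$pw = Read-Host -AsSecureString -Prompt 'Password for the exported PFX files'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Get-ChildItem -Path $Store | Where-Object HasPrivateKey | ForEach-Object {
    $file = Join-Path $OutDir "$($_.Thumbprint).pfx"
    Export-PfxCertificate -Cert $_ -FilePath $file -Password $pw | Out-Null
    Write-Output "Exported '$($_.Subject)' to $file"
}

# 4. On the DESTINATION host, before starting the imported VM
#    (assumes the same store already exists there):
# Get-ChildItem "$OutDir\*.pfx" | ForEach-Object {
#     Import-PfxCertificate -FilePath $_.FullName -Password $pw -Exportable `
#         -CertStoreLocation 'Cert:\LocalMachine\Shielded VM Local Certificates'
# }
```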


  9. Posts : 1,323
    Windows 11 Pro 64-bit
       #19

    Interesting topic, Bree.
    Thanks for bringing it to attention, I'll keep this in mind when moving VMs.

    Unfortunately I believe it works as it should, making this a side-effect for us.
    As we all know, each TPM device is unique, once W11 fully interconnects with it, it will make things nasty if you would have swapped your (major swap: TPM or motherboard) hardware, in this case virtual one.

    Correct me if wrong:
    While we save/export a VM with its UUID, this guarantees us the activation.
    But by the looks of it the TPM state and ID cannot be saved/exported in the VM to other host.
    And so checks between TPM and OS will prevent boot.


 
