Microsoft Shares Crucial vTPM Certificate Guidance for Hyper-V Admins

Admins can avoid migration issues



Microsoft is urging IT and system admins to review its newly published guide on handling virtual TPM (vTPM) certificates, especially when using Hyper-V Generation 2 virtual machines.

The document outlines what happens when those certificates are not carried along during a VM migration, and why ignoring them can leave vTPM-protected workloads unable to start on the new host.

Windows 11 and Windows Server 2025 guests rely on a vTPM for TPM-backed features such as BitLocker, and Windows 11 will not install without a TPM 2.0 at all; in a Hyper-V Generation 2 VM that requirement is met by the vTPM (Secure Boot is a separate Generation 2 firmware setting). But there is a catch. The first time a host creates a vTPM-enabled VM, Hyper-V generates two self-signed certificates for a local guardian named UntrustedGuardian, one for encryption and one for signing, and the VM's key protector is wrapped to that host-specific key pair.

If you move the VM without those certificates, the destination host cannot unwrap the key protector and the VM fails to start. Admins will find both certificates in the Certificates snap-in of the Microsoft Management Console (certlm.msc), under the Local Computer store named "Shielded VM Local Certificates".

To keep migrations working, Microsoft recommends exporting both certificates, including their private keys, as .PFX files and importing them on the destination host before the VM is moved. Otherwise, organizations face failures relocating vTPM-protected virtual machines.

Microsoft also provides PowerShell commands and step-by-step instructions for exporting, importing, and updating these certificates as they age.
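The export-then-import procedure described above, as an added example that is not taken from Microsoft's guide or the article. It assumes both hosts run the Hyper-V role with the PKI and HgsClient modules present, that it is run as a local administrator, and that C:\vtpm-certs is a scratch folder you control; the functions, the folder name, and the Owner.EncryptionCertificate property path used in the optional cross-check are this example's own choices.

```powershell
# Copy the local vTPM guardian certificates from a source Hyper-V host to a
# destination host. Export-VtpmGuardianCerts runs on the SOURCE, then
# Import-VtpmGuardianCerts runs on the DESTINATION with the same PFX password.
# Store path and folder are assumptions for this example.
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$ExportDir = 'C:\vtpm-certs'   # will hold private keys: restrict ACLs and delete after import

function Export-VtpmGuardianCerts {
    param([Parameter(Mandatory)][securestring]$Password)

    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $certs = @(Get-ChildItem -Path $StorePath)
    if ($certs.Count -lt 2) {
        throw "Expected an encryption and a signing certificate in '$StorePath', found $($certs.Count)."
    }
    foreach ($cert in $certs) {
        # Without the private key the PFX is useless on the destination: that key
        # is what unwraps the VM's key protector, so fail loudly instead of exporting a public cert.
        if (-not $cert.HasPrivateKey) {
            throw "Certificate $($cert.Thumbprint) has no private key in this store."
        }
        # Thumbprint as file name: the subject contains spaces and parentheses that are awkward in paths.
        $path = Join-Path $ExportDir "$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $path -Password $Password | Out-Null
        Write-Host ("Exported {0}`n  subject: {1}`n  expires: {2}" -f $path, $cert.Subject, $cert.NotAfter)
    }
}

function Import-VtpmGuardianCerts {
    param([Parameter(Mandatory)][securestring]$Password)

    $files = @(Get-ChildItem -Path $ExportDir -Filter *.pfx)
    if ($files.Count -eq 0) { throw "No .pfx files found in '$ExportDir'." }

    foreach ($file in $files) {
        # -Exportable keeps the key exportable so the same procedure works for the next migration.
        Import-PfxCertificate -FilePath $file.FullName -CertStoreLocation $StorePath `
            -Password $Password -Exportable | Out-Null
    }
    # Verify: every imported thumbprint must now be present WITH its private key,
    # otherwise VMs wrapped to that guardian will still fail to start here.
    foreach ($file in $files) {
        $thumb = $file.BaseName
        $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert -or -not $cert.HasPrivateKey) {
            throw "Import of $thumb failed or lacks a private key."
        }
        Write-Host "OK: $thumb present with private key ($($cert.Subject))"
    }
}

# Optional cross-check on the source host: which guardian encryption certificate a
# VM's key protector is wrapped to. Compare the result with the thumbprints exported
# above; a mismatch means the VM was protected by a different guardian (e.g. an HGS).
function Get-VtpmOwnerThumbprint {
    param([Parameter(Mandatory)][string]$VMName)
    $kpBytes = Get-VMKeyProtector -VMName $VMName
    $kp = ConvertTo-HgsKeyProtector -Bytes $kpBytes
    $kp.Owner.EncryptionCertificate.Thumbprint
}

# Usage (source host):      Export-VtpmGuardianCerts -Password (Read-Host -AsSecureString 'PFX password')
# Usage (destination host): Import-VtpmGuardianCerts -Password (Read-Host -AsSecureString 'PFX password')
```

Two practical notes: the PFX files carry the private keys that protect every vTPM-enabled VM on the source host, so transfer them over an authenticated channel and remove the folder once the import is verified; and if the destination host has already created its own UntrustedGuardian certificates, the import adds a second pair to the store rather than replacing anything, which is what you want, since VMs created on either host can then start on both.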
