Error when migrating Hyper-V VM LAB to different host: The key protector could not be unwrapped.

Nathan Blasac (Nathan Blasac - Notes from the Field)
2 min read · Nov 10, 2020


Posting this for posterity. I found much of this posted on an MS Tech Community blog; however, some of it was missing code the last time I checked. Here is a link to the original post:

https://techcommunity.microsoft.com/t5/virtualization/migrating-local-vm-owner-certificates-for-vms-with-vtpm/ba-p/382406

I had a set of Hyper-V VMs with vTPM enabled sitting on an older, non-domain-joined host (serving as a lab).

Here is the error text I would get when attempting to power on the VMs on the new host:

The key protector could not be unwrapped.

The problem is that a vTPM-enabled VM's key protector is wrapped to the encryption certificate of the host's local "UntrustedGuardian". The new host generates its own guardian with different certificates, so it has no private key that can unwrap the key protector. The fix is to export the guardian certificates, including their private keys, from the old host and import them on the new one. Because those private keys unwrap the vTPM state of every VM owned by that guardian, protect the PFX files with a strong password, copy them over a trusted channel and delete them once the import is done. First, export the certificates on the old host with the code below:

Export-UntrustedGuardian.ps1:

# Name of the local guardian Hyper-V creates for VMs that use a local (non-HGS) key protector.
$GuardianName = 'UntrustedGuardian'
$CertificatePassword = Read-Host -Prompt 'Please enter a password to secure the certificate files' -AsSecureString

$guardian = Get-HgsGuardian -Name $GuardianName

if (-not $guardian)
{
    throw "Guardian '$GuardianName' could not be found on the local system."
}

# The guardian object only references the certificates; the actual certificates and
# private keys live in the machine store used for shielded/vTPM VMs.
$encryptionCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.EncryptionCertificate.Thumbprint)"
$signingCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.SigningCertificate.Thumbprint)"

# Without the private keys the export is useless: the new host needs them to unwrap the key protector.
if (-not ($encryptionCertificate.HasPrivateKey -and $signingCertificate.HasPrivateKey))
{
    throw ('One or both of the certificates in the guardian do not have private keys. ' +
           'Please ensure the private keys are available on the local system for this guardian.')
}

# Export both certificates with their private keys as password-protected PFX files.
Export-PfxCertificate -Cert $encryptionCertificate -FilePath ".\$GuardianName-encryption.pfx" -Password $CertificatePassword
Export-PfxCertificate -Cert $signingCertificate -FilePath ".\$GuardianName-signing.pfx" -Password $CertificatePassword

Then import the certs on the new host with the code below (run it from the folder holding the PFX files). New-HgsGuardian needs -AllowExpired and -AllowUntrustedRoot because the local guardian certificates are self-signed, and it fails if a guardian with the same name already exists on the new host, so check with Get-HgsGuardian first.

Import-UntrustedGuardian.ps1:

# Must match the name used for the export, since the PFX file names are derived from it.
$GuardianName = 'UntrustedGuardian'
$CertificatePassword = Read-Host -Prompt 'Please enter the password that was used to secure the certificate files' -AsSecureString

# Recreate the guardian from the exported certificates. The original post used an undefined
# $NameOfGuardian variable here, which is why the import silently produced empty file paths.
New-HgsGuardian -Name $GuardianName `
    -SigningCertificate ".\$GuardianName-signing.pfx" -SigningCertificatePassword $CertificatePassword `
    -EncryptionCertificate ".\$GuardianName-encryption.pfx" -EncryptionCertificatePassword $CertificatePassword `
    -AllowExpired -AllowUntrustedRoot
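The two scripts above assume the VM is owned by the guardian literally named UntrustedGuardian. The following is an added example, not code from the original post or from the Microsoft article it links to, that instead reads the VM's own key protector to find the owning certificate, exports exactly that guardian, and on the destination host verifies that the owner thumbprint resolves to a local certificate with a private key before the PFX files are deleted. It assumes a local (non-HGS) key protector, the Hyper-V and HgsClient modules, that ConvertTo-HgsKeyProtector exposes the owner guardian as an Owner property, and that Hyper-V matches the key protector on the certificate rather than the guardian name; the function names, the VM name LAB-DC01 and the D:\guardian-export path are hypothetical.

```powershell
# Added example (not from the original post). Assumptions: local key protector mode,
# Hyper-V + HgsClient modules present, key protector object exposes .Owner,
# guardian is matched on certificate thumbprint rather than name.
$Script:LocalStore = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# Thumbprint of the encryption certificate whose private key unwraps this VM's key protector.
function Get-VMOwnerThumbprint {
    param([Parameter(Mandatory)][string]$VMName)
    $kpBytes = Get-VMKeyProtector -VMName $VMName            # raw key protector (byte[])
    $kp = ConvertTo-HgsKeyProtector -Bytes $kpBytes          # parsed key protector object
    return $kp.Owner.EncryptionCertificate.Thumbprint
}

# SOURCE host: export the guardian that actually owns the VM (a host can have several).
function Export-VMOwnerGuardian {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][securestring]$Password
    )
    $thumb = Get-VMOwnerThumbprint -VMName $VMName
    $guardian = Get-HgsGuardian | Where-Object { $_.EncryptionCertificate.Thumbprint -eq $thumb }
    if (-not $guardian) { throw "No local guardian owns VM '$VMName' (owner thumbprint $thumb)." }

    $enc = Get-Item "$Script:LocalStore\$($guardian.EncryptionCertificate.Thumbprint)"
    $sig = Get-Item "$Script:LocalStore\$($guardian.SigningCertificate.Thumbprint)"
    if (-not ($enc.HasPrivateKey -and $sig.HasPrivateKey)) {
        throw "Guardian '$($guardian.Name)' has no private keys on this host; nothing useful to export."
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # These PFX files unwrap every VM owned by this guardian: treat them like a root key.
    Export-PfxCertificate -Cert $enc -FilePath (Join-Path $OutDir "$($guardian.Name)-encryption.pfx") -Password $Password | Out-Null
    Export-PfxCertificate -Cert $sig -FilePath (Join-Path $OutDir "$($guardian.Name)-signing.pfx") -Password $Password | Out-Null
    return $guardian.Name
}

# DESTINATION host: import under a non-colliding name (New-HgsGuardian rejects duplicates).
function Import-VMOwnerGuardian {
    param(
        [Parameter(Mandatory)][string]$GuardianName,
        [Parameter(Mandatory)][string]$PfxDir,
        [Parameter(Mandatory)][securestring]$Password
    )
    $name = $GuardianName
    if (Get-HgsGuardian -Name $name -ErrorAction SilentlyContinue) {
        # Assumption: the key protector is matched on certificate, so the name is only a label.
        $name = "$GuardianName-migrated-$(Get-Date -Format yyyyMMdd)"
    }
    New-HgsGuardian -Name $name `
        -SigningCertificate (Join-Path $PfxDir "$GuardianName-signing.pfx") -SigningCertificatePassword $Password `
        -EncryptionCertificate (Join-Path $PfxDir "$GuardianName-encryption.pfx") -EncryptionCertificatePassword $Password `
        -AllowExpired -AllowUntrustedRoot | Out-Null
    return $name
}

# DESTINATION host: True only if the VM's owner certificate is present locally WITH its private key,
# which is the condition Hyper-V needs to unwrap the key protector at power-on.
function Test-VMCanUnwrap {
    param([Parameter(Mandatory)][string]$VMName)
    $thumb = Get-VMOwnerThumbprint -VMName $VMName
    $cert = Get-Item "$Script:LocalStore\$thumb" -ErrorAction SilentlyContinue
    return [bool]($cert -and $cert.HasPrivateKey)
}

# Usage (hypothetical names). On the source host:
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   $g  = Export-VMOwnerGuardian -VMName 'LAB-DC01' -OutDir 'D:\guardian-export' -Password $pw
# On the destination host, after copying the VM and D:\guardian-export over a trusted channel:
#   Import-VMOwnerGuardian -GuardianName $g -PfxDir 'D:\guardian-export' -Password $pw
#   if (Test-VMCanUnwrap -VMName 'LAB-DC01') { Remove-Item 'D:\guardian-export\*.pfx' }
```

The check in Test-VMCanUnwrap is the one worth keeping around even after the migration: it answers "which certificate does this VM expect, and do I hold its private key?" directly from the key protector, without guessing at guardian names, and it tells you whether the PFX files are safe to delete yet.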

Once the certs were imported on the new host, I was able to start the Virtual Machines.


Consultant working mainly on System Center, Azure/EMS, Systems Management and Windows Deployment.