Today I tested the failover of a Windows 11 VM between two Hyper-V hosts and found that the VM doesn’t start on the other host.

I opened the mentioned log file and found an issue with a key protector.


Text description of the error:
The Host Guardian Service Client failed to unwrap a Key Protector on behalf of a calling process. This event will normally correspond to a failure to startup a shielded virtual machine. Consult the description for further details. This could be related to an attestation issue, a Key Protection Server issue, or a network connectivity issue:
System.ArgumentException: The certificates parameter is empty.
Parameter name: certificates
at Microsoft.Windows.KdsClient.HgsClient.UnwrapProtectionDescriptor(Byte[] ingressProtectionDescriptor, Byte[]& encryptedTransferKey, Byte[]& encryptedWrappingKey, Byte[]& encryptedKeys)
at Microsoft.Windows.KdsClient.Interop.ManagedEntry.UnwrapKeyProtector(IntPtr keyProtectorPointer, IntPtr unwrappedKpPointer, IntPtr errorContextPointer)
I understood that the certificate wasn’t copied during the VM migration. Moreover, the new host has no certificate store for the VM certificates.

I went to the original Hyper-V host and ran mmc.

I added the Certificates snap-in.


I chose the local computer account.


On the original host, there were VM-related certificates. I exported both of them to a PFX file together with the private key.


There is a small warning here. Do not select the "Delete the private key" option!! If you do that, the host will no longer be able to open its own shielded VMs!

When you export a PFX file, a password is mandatory, so set any password in this step.

In the last step, type any file name for the file the certificates will be saved to.

Before you import the PFX certificate on the new Hyper-V host, create the new certificate store there with this PowerShell command:
mkdir "Cert:\localmachine\Shielded VM Local Certificates"

Then double-click on the PFX file and import it to the Local Machine store.

Don’t forget to mark the private key as exportable. It will help you repeat these steps in the future.

Use the Shielded VM Local Certificates store as the target location.

Finally, the VM started.
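
The same export and import steps can also be scripted with the PKI cmdlets instead of the MMC wizard. This is an added example, not part of the original procedure; it assumes the original host keeps the VM certificates in a store with the same name (Shielded VM Local Certificates), and the function names and the C:\Transfer folder are made up for illustration.

```powershell
# Added example. Function names and C:\Transfer are illustrative assumptions.
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

function Export-ShieldedVmCert {
    # Run elevated on the ORIGINAL host. Writes one PFX per certificate.
    param(
        [Parameter(Mandatory)] [string] $OutDir,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $certs = @(Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey)
    if ($certs.Count -eq 0) { throw "No certificates with a private key in '$StorePath'." }
    foreach ($cert in $certs) {
        $file = Join-Path $OutDir "$($cert.Thumbprint).pfx"
        # Export-PfxCertificate copies the key; it stays on this host.
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; File = $file }
    }
}

function Import-ShieldedVmCert {
    # Run elevated on the NEW host.
    param(
        [Parameter(Mandatory)] [string] $InDir,
        [Parameter(Mandatory)] [securestring] $Password
    )
    if (-not (Test-Path -Path $StorePath)) {
        New-Item -Path $StorePath | Out-Null   # creates the store, like the mkdir command
    }
    foreach ($pfx in Get-ChildItem -Path $InDir -Filter *.pfx) {
        $imported = Import-PfxCertificate -FilePath $pfx.FullName `
            -CertStoreLocation $StorePath -Password $Password -Exportable
        foreach ($cert in $imported) {
            # A certificate without its key cannot unwrap the key protector.
            if (-not $cert.HasPrivateKey) { throw "Imported $($cert.Thumbprint) without a private key." }
            $cert | Select-Object Subject, Thumbprint, HasPrivateKey
        }
        # Added precaution: the PFX holds the private key, so remove it after import.
        Remove-Item -Path $pfx.FullName
    }
}

# Usage:
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-ShieldedVmCert -OutDir C:\Transfer -Password $pw   # on the original host
# Import-ShieldedVmCert -InDir  C:\Transfer -Password $pw   # on the new host
```

Comparing the thumbprints printed by the import with those printed by the export confirms that both certificates arrived with their private keys.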
