Windows 2016 Hyper-V Cluster Live Migration Fails with TPM enabled

  • Question

  • I've configured a 3 node Hyper-V Failover Cluster running Windows 2016. When I enable the virtual TPM on a virtual machine I am no longer able to live migrate it between nodes.

    I'm assuming it has something to do with certificates?  I'm brand new to using TPM so not sure where to start.

    I get the following error message:

    Live migration of 'Virtual Machine Test1' failed.


    Virtual machine migration operation for 'Test1' failed at migration destination 'CA-EDM-NODE03'. (Virtual machine ID D55D24E2-3FEA-4753-B8DE-1CB4A345BB84)


    The version of the device 'Microsoft Virtual TPM Device' of the virtual machine 'Test1' is not compatible with device on physical computer 'CA-EDM-NODE03'. (Virtual machine ID D55D24E2-3FEA-4753-B8DE-1CB4A345BB84)


    The key protector for the virtual machine 'Saved State' could not be unwrapped. HostGuardianService returned: Generic failure (0x80041001) Local certificates not found : signingCount = 0, encryptCount = 0. Details are included in the HostGuardianService-Client event log. (Virtual machine ID 00000000-0000-0000-0000-000000000000)

    Wednesday, April 26, 2017 3:07 PM

Answers

  • Ok found my own answer.

    Just need to export the 2 certs located in the Shielded VM Local Certificates store from the source Hyper-V node:

    - Shielded VM Encryption Certificate (UntrustedGuardian)

    - Shielded VM Signing Certificate (UntrustedGuardian)

    Then import them to the other Hyper-V nodes in the cluster.

    • Marked as answer by WhoIsHomer Friday, April 28, 2017 2:18 PM
    Friday, April 28, 2017 2:18 PM

All replies

  • Hi Sir,

    Thanks for your sharing.

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, April 29, 2017 3:39 AM
    Moderator
  • Did you do anything else like a reboot?

    I'm in the same boat, but it's not working after importing the certs from one Hyper-V host to the other.

    Monday, May 15, 2017 2:06 PM
  • Old post, but this is an issue I just came across too, so for anyone else who finds this thread, copying the Shielded VM Local Certificates to each host which may run the VM is indeed the fix. 

    The answer above could have been a little clearer about exactly what needs to be done though - each host generates two certificates, named as above, and stores them in the Shielded VM Local Certificates store that you can view through the MMC snap-in or 'certutil -store "Shielded VM Local Certificates"'.

    In order to migrate a VM to another host, that host must have the certificates from the source host in its Shielded VM Local Certificates store - both the public and private keys.

    This means that each host in a cluster (or standalone hosts that may migrate VMs between them) must have the public and private keys for both the Shielded VM Encryption and Signing Certificates for all other hosts that it may receive vTPM-enabled VM migrations from.

    I found that the simplest way to do this was to use certutil as shown about halfway down this article

    After ensuring that each host has both certificates from all other hosts, vTPM VMs can migrate as normal between them - at least they can for me!

    Wednesday, September 25, 2019 12:53 PM
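The procedure described in the marked answer and in the September 2019 reply (export both Shielded VM Local Certificates with their private keys from each host, import them on every other host, then confirm each host holds signing and encryption certificates) can be scripted. The following is an added PowerShell example written for this thread; it is not code from the original posts or from Microsoft. It assumes the standard `Cert:\LocalMachine\Shielded VM Local Certificates` store path, that the private keys were generated exportable (the thread's MMC export worked, so they were), and a shared folder path and PFX password that are placeholders. The `Test-ShieldedVmLocalCerts` function reports the same `signingCount`/`encryptCount` figures that the HostGuardianService error in the question complains about.

```powershell
# Added example, not part of the original thread. Copies each Hyper-V host's
# Shielded VM Local Certificates (encryption + signing, with private keys) to
# the other cluster nodes so vTPM-enabled VMs can live migrate between them.

$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

function Export-ShieldedVmLocalCerts {
    # Run on every host. Writes <HOST>-<kind>-<thumbprint>.pfx into $OutputFolder.
    param(
        [Parameter(Mandatory)] [string]       $OutputFolder,  # placeholder, e.g. \\fileserver\vtpm-certs
        [Parameter(Mandatory)] [SecureString] $PfxPassword
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $certs = Get-ChildItem -Path $StorePath |
             Where-Object { $_.Subject -like '*Shielded VM*Certificate*' }
    foreach ($cert in $certs) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Subject) has no private key on this host; skipping"
            continue
        }
        $kind = if ($cert.Subject -like '*Signing*') { 'signing' } else { 'encryption' }
        $file = Join-Path $OutputFolder "$env:COMPUTERNAME-$kind-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword | Out-Null
        $file
    }
}

function Import-ShieldedVmLocalCerts {
    # Run on every host after all exports are done. Imports the other hosts'
    # certificates; skips this host's own files and anything already in the store.
    param(
        [Parameter(Mandatory)] [string]       $InputFolder,
        [Parameter(Mandatory)] [SecureString] $PfxPassword
    )
    $existing = @(Get-ChildItem -Path $StorePath | ForEach-Object Thumbprint)
    foreach ($pfx in Get-ChildItem -Path $InputFolder -Filter '*.pfx') {
        if ($pfx.Name -like "$env:COMPUTERNAME-*") { continue }
        $thumb = ($pfx.BaseName -split '-')[-1]   # thumbprint is the last dash-separated token
        if ($existing -contains $thumb) { continue }
        # -Exportable keeps the key exportable so the host can re-share it later
        Import-PfxCertificate -FilePath $pfx.FullName -CertStoreLocation $StorePath `
                              -Password $PfxPassword -Exportable | Out-Null
        Write-Host "Imported $($pfx.Name)"
    }
}

function Test-ShieldedVmLocalCerts {
    # Counts signing/encryption certs that have a private key, mirroring the
    # "signingCount = 0, encryptCount = 0" figures in the HostGuardianService error.
    # Each host should hold one of each for itself plus one of each per peer host.
    param([Parameter(Mandatory)] [int] $HostCount)
    $certs   = Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }
    $signing = @($certs | Where-Object { $_.Subject -like '*Signing*' }).Count
    $encrypt = @($certs | Where-Object { $_.Subject -like '*Encryption*' }).Count
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        SigningCount = $signing
        EncryptCount = $encrypt
        Ready        = ($signing -ge $HostCount -and $encrypt -ge $HostCount)
    }
}

# Usage (placeholder share and password; run step 1 on all nodes before step 2):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-ShieldedVmLocalCerts -OutputFolder '\\fileserver\vtpm-certs' -PfxPassword $pw
#   Import-ShieldedVmLocalCerts -InputFolder  '\\fileserver\vtpm-certs' -PfxPassword $pw
#   Test-ShieldedVmLocalCerts -HostCount 3
```

Delete the PFX files from the share once every node reports `Ready = True`; they contain the private keys that protect every vTPM state on the cluster, so they should not sit on a file share longer than the copy takes.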