Key Protector could not be unwrapped - Host Guardian Service issue - Win10 Hyper-V - Win10 Guest VM won't start after 1709 update

  • Question

  • Hello,

    I tried to start my Windows 10 guest VM today after updating my host Windows 10 machine to 1709 (Fall Creators update).

    I'm receiving an error saying the key protector could not be unwrapped, that the Host Guardian Service is unable to determine the host guardian client configuration, and messages that the trust relationship between this workstation and the primary domain failed.

    I checked that my workstation is not experiencing any trust issues with my domain (ran Test-ComputerSecureChannel and returned True ... ran it again with the -repair switch just in case and still returning True).

    I'm guessing this was caused by the 1709 update to my Win10 host machine. I also tried editing the settings of the VM > Security > Unchecking "Encrypt state and virtual machine migration traffic" but I get a similar error that "the host guardian service client configuration settings could not be retrieved."

    Here are the details from the event log, event ID 2014:

    Log Name:      Microsoft-Windows-HostGuardianService-Client/Admin
    Source:        Microsoft-Windows-HostGuardianService-Client
    Date:          11/4/2017 11:23:26 PM
    Event ID:      2014
    Task Category: Kps
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      FMTTB38.FMTSD.com
    Description:
    The Host Guardian Service Client failed to unwrap a Key Protector on behalf of a calling process. This event will normally correspond to a failure to start up a guarded virtual machine. Consult the description for further details. This could be related to an attestation issue, a Key Protection Server issue, or a network connectivity issue:

    System.SystemException: The trust relationship between this workstation and the primary domain failed.

       at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
       at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
       at System.Security.Principal.NTAccount.Translate(Type targetType)
       at Microsoft.Windows.RemoteAttestation.Core.AttestationCertificateManager.CreateAndInstallSelfSignedSigningCertificate(TimeSpan validityPeriod, Boolean useWebAppPool)
       at Microsoft.Windows.KdsClient.AttestationClientLocalNative.SetUpLocalModeSigningCert()
       at Microsoft.Windows.KdsClient.HgsClient.Initialize()
       at Microsoft.Windows.KdsClient.HgsClient.<>c.<.cctor>b__35_0()
       at System.Lazy`1.CreateValue()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Lazy`1.get_Value()
       at Microsoft.Windows.KdsClient.Interop.ManagedEntry.UnwrapKeyProtector(IntPtr keyProtectorPointer, IntPtr unwrappedKpPointer, IntPtr errorContextPointer)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-HostGuardianService-Client" Guid="{7DEE1FDC-FFA8-4087-912A-95189D6A2D7F}" />
        <EventID>2014</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-05T06:23:26.930544200Z" />
        <EventRecordID>2</EventRecordID>
        <Correlation ActivityID="{6858873C-69FD-48B5-BA18-A748F9A67C9B}" />
        <Execution ProcessID="10584" ThreadID="8848" />
        <Channel>Microsoft-Windows-HostGuardianService-Client/Admin</Channel>
        <Computer>FMTTB38.FMTSD.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Message">System.SystemException: The trust relationship between this workstation and the primary domain failed.

       at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean&amp; someFailed)
       at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
       at System.Security.Principal.NTAccount.Translate(Type targetType)
       at Microsoft.Windows.RemoteAttestation.Core.AttestationCertificateManager.CreateAndInstallSelfSignedSigningCertificate(TimeSpan validityPeriod, Boolean useWebAppPool)
       at Microsoft.Windows.KdsClient.AttestationClientLocalNative.SetUpLocalModeSigningCert()
       at Microsoft.Windows.KdsClient.HgsClient.Initialize()
       at Microsoft.Windows.KdsClient.HgsClient.&lt;&gt;c.&lt;.cctor&gt;b__35_0()
       at System.Lazy`1.CreateValue()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Lazy`1.get_Value()
       at Microsoft.Windows.KdsClient.Interop.ManagedEntry.UnwrapKeyProtector(IntPtr keyProtectorPointer, IntPtr unwrappedKpPointer, IntPtr errorContextPointer)</Data>
      </EventData>
    </Event>

    Sunday, November 5, 2017 6:53 AM

All replies

  • Double checking the Local Machine's Personal Certificates, there is a certificate now for Microsoft Local Attestation Service. Lo and behold, that certificate is not valid, because it's self-signed.

    Add that certificate to the trusted root store, reboot, and check your VM again.

    If that still doesn't help, then to keep daily work running I suggest rolling back to the previous version and waiting for an update.

    Good luck.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 6, 2017 3:06 AM
    Moderator
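The checks the reply above describes (the local attestation certificate in the machine Personal store, whether it is trusted, and whether the VM still depends on a key protector), collected into one diagnostic script. This is an added example, not code from the thread or from Microsoft; it assumes a Windows 10 1709 Hyper-V host with the Hyper-V, PKI and HgsClient PowerShell modules, and the VM name `Win10-Guest` is a placeholder to replace.

```powershell
# Added diagnostic script for the HGS client / key protector failure described above.
# Not from the original thread. Run in an elevated PowerShell on the Hyper-V host.
$VMName = 'Win10-Guest'   # assumption: replace with the name of the VM that fails to start

# 1. Most recent "failed to unwrap a Key Protector" events (ID 2014) in the HGS client log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-HostGuardianService-Client/Admin'
    Id      = 2014
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'FirstLine'; e = { ($_.Message -split "`n")[0] } }

# 2. Local-mode attestation signing certificate(s) in the machine Personal store.
#    In local mode the HGS client creates and signs with its own self-signed certificate
#    (CreateAndInstallSelfSignedSigningCertificate in the stack trace), so list each one,
#    whether it is self-signed, whether it chains to a trusted root, and whether a copy
#    already sits in the LocalMachine Root store.
$attest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*Local Attestation*' }

foreach ($c in $attest) {
    $chainOk = Test-Certificate -Cert $c -ErrorAction SilentlyContinue
    $inRoot  = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        SelfSigned = ($c.Subject -eq $c.Issuer)
        NotAfter   = $c.NotAfter
        ChainOk    = [bool]$chainOk
        InRoot     = [bool]$inRoot
    }
}

# 3. Domain secure channel (the exception text blames it), HGS client mode, and the
#    VM's security settings. A vTPM or encrypted state/migration traffic is what makes
#    the VM need a key protector in the first place.
Test-ComputerSecureChannel -Verbose
Get-HgsClientConfiguration
Get-VMSecurity -VMName $VMName |
    Select-Object VMName, Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
```

Two caveats worth keeping in mind before following the reply's advice: importing a self-signed certificate into `Cert:\LocalMachine\Root` makes the whole host trust anything signed with that key, so only do it for the certificate the HGS client itself generated (confirm the thumbprint from the output above), and the original poster reports below that doing so did not fix the problem. The secure-channel check belongs in the script because the stack trace fails in `NTAccount.Translate`, which is a name-to-SID lookup against the domain, not a certificate operation.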
  • Unfortunately I have already tried adding those certs (I had 3 of them) to my trusted root store and it does not resolve the issue.
    Tuesday, November 7, 2017 6:18 AM
  • Please report this situation via Feedback Hub.

    I will also submit this case to Microsoft; try rolling back to the previous Windows version for normal work.



    Tuesday, November 7, 2017 9:20 AM
    Moderator
  • Not sure if another update was pushed ... I haven't had time to check into details, BUT the VM now starts up without any errors. When I have a moment to look into it, I will try to post back with findings. But, I'm happy to report that the VM is accessible again.
    Thursday, November 9, 2017 8:49 PM
  • Good news. Let's check the VM for a few days; if it still runs normally, I think the issue has been resolved. Please mark your reply to close this case.


    Friday, November 10, 2017 9:06 AM
    Moderator
  • I checked and there weren't any updates applied in the span of time when the VM started working, so I'm still unsure what the resolution was ... but the VM still starts normally now.
    • Edited by Zach Saltzman Wednesday, November 15, 2017 4:48 PM
    • Marked as answer by Zach Saltzman Wednesday, November 15, 2017 4:49 PM
    • Unmarked as answer by Zach Saltzman Tuesday, November 28, 2017 6:29 AM
    Wednesday, November 15, 2017 4:48 PM