Hyper-V VM import error – “The key protector could not be unwrapped”

Recently I exported my Windows 11 lab and wanted to import it to another Hyper-V host. The export from the old host and the import to the new host went great, but after I started the imported VM I got an unpleasant “The key protector could not be unwrapped” error. We will quickly look at it and resolve it.

After importing to the new Hyper-V host and attempting to start the imported Windows 11 VM, I got the following error: The key protector could not be unwrapped

The reason for this is the TPM. I enabled the security features for Windows 11 VMs on the old Hyper-V host, and that is how I installed Windows 11. When you export the VM, you don’t transfer all the security details and certificates with it.

To be able to start our imported Windows 11 VMs, this is what we need to do: on the old Hyper-V host from which we exported the VMs, we need to export the certificates, and on the new Hyper-V host we need to import those certificates.

Before you start the process below (make sure you have a backup of the machine you are importing), you can simply try unchecking Enable Secure Boot and Enable Trusted Platform Module in the Security tab of the VM you imported (shown in the screenshot above), so that both values are unchecked. Then try to boot the VM; it should also work.

Old Hyper-V host

On the host from which we exported the VMs, we need to do the following: in Search, type run.

In the new Run window, type mmc and press OK. In mmc (Console1 window), press File and click on Add/Remove Snap-in...

From Available Snap-ins select Certificates and click on Add >. A new window will open.

In new window select Computer account and press Next

Select Local computer and press Finish

Certificates will appear under Selected snap-ins. Press OK

In the console window we will now have a Certificates (Local Computer) menu. Select Shielded VM Local Certificates | Certificates. Two certificates should be inside. We need to export both certificates. I will show you how to export one; repeat the same procedure for the second one. Right click on the certificate and select All Tasks – Export

On initial screen just press Next

Yes, export the Private key. Next

“Delete the private key if the export is successful” SHOULD BE DESELECTED, unless you really want to remove the key. Next

For encryption you will want AES256, and you also want a strong password. This is my test lab, so I don’t really care much, but if these are important production VMs, this should be considered very seriously. Next

Click on Browse, select directory where you want to export certificate, give it a name, and save.

I saved mine in Downloads folder. Next

Finish

Now, repeat the export process for the second certificate!!

Depending on the security sensitivity of the VMs you exported, select a medium for transferring the exported certificates. It can be USB, network, secure file share, whatever you see fit.

Transfer both exported certificates to the new Hyper-V host where you imported VMs.

New Hyper-V host – Import Certificates

On the new Hyper-V host, to which you imported the VMs and on which you are getting the “The key protector could not be unwrapped” error, we are going to import the certificates from the old Hyper-V host.

Repeat the search run – mmc – certificates procedure from the beginning of the guide and navigate to Shielded VM Local Certificates – right click on Certificates – All Tasks – Import

In my case, I already have two certificates in that folder, these are Encryption and Signing certificates of that host. We will now add additional two certificates from the old host.

Click Next

On the next screen select Browse… Navigate to the directory where you copied the certificates from the old Hyper-V host, and in the bottom left of the Open window select all files. Your certs will now appear in the window – select one and press Open

Next

Enter the password you defined at export, select Mark this key as exportable and press Next

Certificate store should be Shielded VM Local Certificates – Next

Finish

Import was successful

Repeat the process for the second certificate. In the end, your cert store should have four certificates in it.

Let’s now try to start the VM that gave the “The key protector could not be unwrapped” error on the new Hyper-V host.

Success, the machine now starts on the new Hyper-V host
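
The same export and import can be scripted instead of clicked through in MMC. The PowerShell below is an added example, not part of the original post; it assumes an elevated session, a Windows build whose Export-PfxCertificate supports -CryptoAlgorithmOption, and a hypothetical folder C:\Temp\vm-guardian-certs, and the two function names are made up for illustration.

```powershell
# Added example: scripted equivalent of the MMC export/import steps in this guide.
# Assumptions: elevated PowerShell; $PfxDir is a hypothetical folder, pick your own.
$Store  = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$PfxDir = 'C:\Temp\vm-guardian-certs'

function Export-ShieldedVmCerts {
    # Run on the OLD host: exports every certificate in the store with its private key.
    param([Parameter(Mandatory)][securestring]$Password)
    New-Item -ItemType Directory -Path $PfxDir -Force | Out-Null
    foreach ($cert in Get-ChildItem -Path $Store) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning "Skipping $($cert.Thumbprint): no private key in store"
            continue
        }
        $file = Join-Path $PfxDir "$($cert.Thumbprint).pfx"
        # AES256_SHA256 corresponds to the AES256 choice in the export wizard
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password `
            -CryptoAlgorithmOption AES256_SHA256 | Out-Null
        Write-Output "Exported $($cert.Subject) -> $file"
    }
}

function Import-ShieldedVmCerts {
    # Run on the NEW host after copying the .pfx files into $PfxDir.
    param([Parameter(Mandatory)][securestring]$Password)
    foreach ($pfx in Get-ChildItem -Path $PfxDir -Filter *.pfx) {
        Import-PfxCertificate -FilePath $pfx.FullName -CertStoreLocation $Store `
            -Password $Password -Exportable | ForEach-Object {
            # Without the private key the key protector still cannot be unwrapped
            if (-not $_.HasPrivateKey) {
                Write-Warning "$($_.Thumbprint) was imported without a private key"
            }
        }
    }
    # List the store so thumbprints can be compared with the old host
    Get-ChildItem -Path $Store |
        Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
}

# Usage (prompts for the PFX password rather than storing it in the script):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-ShieldedVmCerts -Password $pw    # on the old host
#   Import-ShieldedVmCerts -Password $pw    # on the new host
```

Once the VM starts on the new host, remove the .pfx files from both hosts and from the transfer medium, since each one contains a private key.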

Conclusion

This should be standard procedure for all new VMs with TPM that you create and wish to export or back up.