Sunday, May 10, 2020

Backup VM Encryption & VM Signing certificate for Shielded VMs with Powershell

One of the new technologies that was introduced in Hyper-V 2016 is Shielded Virtual Machines.

In this post, I will show you how to back up the Shielded VM Local Certificates with PowerShell.

These certificates are critical. If you lose them, there is no way to start the Shielded VMs and they are permanently lost.

More info in this great article: https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/

This is the PowerShell script that I use to back up those certificates. Once the certificates are exported and zipped, you need to move them to a secure location.
Currently, I'm using an RMM tool to back up and move those certificates to a safe place automatically.

$ExportDestination = "c:\data\certs"
# certutil prints the store one line per field; for each certificate the "Serial Number:" line
# comes right before the "Issuer:" line, which is what the loops below rely on.
$certs = certutil -store "Shielded VM Local Certificates"
$password = "YourCertPassword"   # the PFX files contain private keys, so use a strong password

# make sure the export folder exists, otherwise certutil -exportPFX fails
New-Item -ItemType Directory -Path $ExportDestination -Force | Out-Null

# For Encryption Certificate
$shieldedVMEncryption = '*Issuer: CN=Shielded Vm Encryption Certificate*'
for ($i = 0; $i -lt $certs.Length; $i++) {

    if ($certs[$i] -like $shieldedVMEncryption) {
        # the last token of the Issuer line is "(HOSTNAME)"; strip the parentheses
        $issuer = ($certs[$i]).Split(' ')[-1]
        $issuer = $issuer.Replace('(', '').Replace(')', '')
        Write-Host "Shielded cert is stored in line $($i-1)"
        # the preceding line holds the serial number, which certutil accepts as the certificate id
        $ShieldedCert = $certs[$i - 1]
        $FinalShieldedCert = $ShieldedCert.Split(' ')[-1]
        Write-Host $FinalShieldedCert -ForegroundColor Yellow
        certutil -exportPFX -p $password "Shielded VM Local Certificates" `
            $FinalShieldedCert "$($ExportDestination)\$($issuer)-ShieldedVMEncryption-$($i)-$($FinalShieldedCert).pfx"
    }

}

# For Signing Certificate
$shieldedVMSigning = '*Issuer: CN=Shielded Vm Signing Certificate*'
for ($i = 0; $i -lt $certs.Length; $i++) {

    if ($certs[$i] -like $shieldedVMSigning) {
        $issuer = ($certs[$i]).Split(' ')[-1]
        $issuer = $issuer.Replace('(', '').Replace(')', '')
        Write-Host "Shielded cert is stored in line $($i-1)"
        $ShieldedCert = $certs[$i - 1]
        $FinalShieldedCert = $ShieldedCert.Split(' ')[-1]
        Write-Host $FinalShieldedCert -ForegroundColor Yellow
        certutil -exportPFX -p $password "Shielded VM Local Certificates" `
            $FinalShieldedCert "$($ExportDestination)\$($issuer)-ShieldedVMSigning-$($i)-$($FinalShieldedCert).pfx"
    }

}

# zip all exported PFX files into one archive (Compress-Archive appends .zip itself)
$compress = @{
    Path            = "$ExportDestination\*.pfx"
    DestinationPath = "$ExportDestination\ShieldedCerts"
}

Compress-Archive @compress -Force
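As an added check (my own example, not part of the original script): after the export, confirm that every certificate currently in the Shielded VM Local Certificates store is present, private key included, in one of the exported PFX files. It reuses the $ExportDestination and $password values from the script above and assumes the store is reachable through the Cert: drive as Cert:\LocalMachine\Shielded VM Local Certificates.

```powershell
# Added example: verify the backup against the live store before moving the archive off the host.
# $ExportDestination and $password are assumed to hold the same values as in the backup script.
$ExportDestination = "c:\data\certs"
$password = "YourCertPassword"
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

# certificates currently installed in the store (assumed reachable via the Cert: drive)
$storeCerts = Get-ChildItem "Cert:\LocalMachine\Shielded VM Local Certificates"

# thumbprint -> PFX file name for every certificate found inside the exported files
$backedUp = @{}
foreach ($pfx in Get-ChildItem -Path $ExportDestination -Filter *.pfx) {
    try {
        $data = Get-PfxData -FilePath $pfx.FullName -Password $securePassword
        foreach ($cert in $data.EndEntityCertificates) {
            $backedUp[$cert.Thumbprint] = $pfx.Name
            if (-not $cert.HasPrivateKey) {
                Write-Warning "$($pfx.Name) holds $($cert.Thumbprint) without its private key"
            }
        }
    }
    catch {
        # wrong password or a damaged file: the backup is unusable for this certificate
        Write-Warning "Cannot open $($pfx.Name): $($_.Exception.Message)"
    }
}

# every certificate in the store must appear in at least one readable PFX
$missing = @()
foreach ($cert in $storeCerts) {
    if ($backedUp.ContainsKey($cert.Thumbprint)) {
        Write-Host "OK      $($cert.Thumbprint) -> $($backedUp[$cert.Thumbprint])" -ForegroundColor Green
    }
    else {
        Write-Host "MISSING $($cert.Thumbprint) ($($cert.Subject))" -ForegroundColor Red
        $missing += $cert
    }
}

if ($missing.Count -gt 0) {
    throw "$($missing.Count) shielded VM certificate(s) are not in the backup folder"
}
Write-Host "All $($storeCerts.Count) store certificates are present in the backup" -ForegroundColor Green
```

Run it on the host right after the export script; a non-zero exit (the throw) is the signal not to ship the archive yet.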


Sunday, April 5, 2020

Replace HyperV virtual switch for VMs with Powershell

In this post, I will show you how to replace the virtual switch for VMs in an easy way with PowerShell.

Recently I had to remove the existing switch for all virtual machines (~50) on one Hyper-V host. One reason to do that is to enable SR-IOV, since it cannot be enabled after the switch has been created.

All VMs had two network adapters, one on an internal switch and one on a public switch. In this case, we had to reconfigure the network adapters that used the public switch.

In order to accomplish this, follow these steps:

1. Create a new temporary switch that will replace the existing public switch

2. Replace the existing public switch with the new temp switch using these PowerShell commands


$vms = Get-VM

foreach ($vm in $vms) {
    # move every adapter that is connected to 'public' over to 'tempswitch'
    Get-VMNetworkAdapter -VMName $vm.Name | Where-Object SwitchName -eq 'public' |
        Connect-VMNetworkAdapter -SwitchName 'tempswitch'
}



3. Check that the new switch is properly applied and remove the 'old' public switch

4. Create a new Public switch that will replace the temp switch

5. Replace the temp switch with the new Public switch using these PowerShell commands

$vms = Get-VM

foreach ($vm in $vms) {
    # move every adapter that is connected to 'tempswitch' back to the new 'public' switch
    Get-VMNetworkAdapter -VMName $vm.Name | Where-Object SwitchName -eq 'tempswitch' |
        Connect-VMNetworkAdapter -SwitchName 'public'
}