Upgraded firmware and cleared TPM. After reboot was able to set up Win11 with TPM.
Server 2022 & 2025 Hyper-V New instance error "key protector could not be unwrapped"
I just set up 3 Server 2025 and 1 Server 2022 servers, and installed the Hyper-V Feature. However, when I go to create a new VM host from MS ISO for Windows 11, I get the following:
The key protector could not be unwrapped. Details are included in the HostGuardianService-Client event log.
The event log:
The remote attestation request failed because Isolated User Mode could not be detected. Verify that the Isolated User Mode feature is installed and that Virtualization Based Security has not been disabled manually or by local/domain-level policy. Event IDs 1025 and 3025 represent the same event.
So, I do not need Host Guardian because this is a small homelab for work, and I just want to be able to set up Win11 with TPM for BitLocker. Nothing I have done seems to get this to work. Here are a few articles I have read and tried:
https://www.reddit.com/r/HyperV/comments/16gxx0c/unable_to_enable_tpm_setting_the_key_protector/
https://bobcares.com/blog/hyper-v-the-key-protector-could-not-be-unwrapped/
I am not moving a VM from one host to another, and solutions state it is a cert issue from the original host. This cannot be the case because I am setting up the VM from scratch. I simply want to be able to provision a new Windows 11 endpoint and enable BitLocker... nothing special. What am I missing here? I previously had ESXi and Proxmox on these same host computers, and had 0 issues with Win11 TPM. TPM is enabled in BIOS, so this has to be something with a Hyper-V setup somewhere.
Windows for business | Windows Server | User experience | Other
2 answers
Khan Sarfaraz Ahmed Sartaj 20 Reputation points
2025-11-18T07:38:55.0533333+00:00

Export and Import Certificates:
- On the original Hyper-V host, export the certificates used for the Shielded VM.
  - Open the Run dialog, type mmc, and press Enter.
  - Add the Certificates snap-in for the Local Computer.
  - Navigate to Shielded VM Local Certificates and export the certificates.
- Import these certificates on the new Hyper-V host.
  - Transfer the exported certificates to the new host.
  - Open the Run dialog, type mmc, and press Enter.
  - Add the Certificates snap-in for the Local Computer.
  - Import the certificates into the Shielded VM Local Certificates store.
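
The export and import steps from the answer above, scripted in PowerShell as an added example (not part of the original answer and not Microsoft's own code). The `-Mode` parameter, the transfer folder and the one-PFX-per-thumbprint file naming are assumptions; the exported files contain the private keys that unwrap the key protector, so move them over a trusted channel and delete them once imported.

```powershell
#Requires -RunAsAdministrator
# Added example: run with -Mode Export on the original host, copy the folder,
# then run with -Mode Import on the new host. Folder path is hypothetical.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Mode,
    [string]$Folder = 'C:\ShieldedVMCerts'
)

# Local machine store named in the answer ("Shielded VM Local Certificates").
$store    = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$password = Read-Host -AsSecureString -Prompt 'PFX password'

if ($Mode -eq 'Export') {
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($cert in Get-ChildItem -Path $store) {
        # A certificate without its private key cannot unwrap anything.
        if (-not $cert.HasPrivateKey) {
            Write-Warning "Skipping $($cert.Thumbprint): no private key"
            continue
        }
        $file = Join-Path $Folder "$($cert.Thumbprint).pfx"
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $password |
                Out-Null
            Write-Host "Exported $($cert.Subject) -> $file"
        }
        catch {
            # Typically raised when the key is marked non-exportable.
            Write-Warning "Could not export $($cert.Thumbprint): $_"
        }
    }
}
else {
    # The store may not exist yet on a host that has never run a vTPM VM.
    if (-not (Test-Path -Path $store)) {
        New-Item -Path $store | Out-Null
    }
    foreach ($pfx in Get-ChildItem -Path $Folder -Filter '*.pfx') {
        $imported = Import-PfxCertificate -FilePath $pfx.FullName `
            -CertStoreLocation $store -Password $password
        Write-Host "Imported $($imported.Subject) ($($imported.Thumbprint))"
        # Remove the key material from disk as soon as it is in the store.
        Remove-Item -Path $pfx.FullName -Force
    }
}
```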