I have been very vocal in advocating against using VM snapshots for literally decades. In production, that is. In development, technical presales, or education, on the other hand, they can be a life-saving feature. If you are in a field where VM snapshots are necessary, and the hypervisor of your choosing happens to be Hyper-V on Server 2022, this post is for you.
The situation
Imagine you operate a bunch of standalone Hyper-V hosts on Server 2022. At the time of writing, it is quite common. if you have to run labs, classrooms or development environments. These types of environments usually also have the VMs snapshotted (or „checkpointed“, since we are in Hyper-V-land). Of course, the VMs are all Gen2, and, because we like being secure, they are also set to boot in SecureBoot mode!
Now imagine you’d like to copy these VMs to a different host. In a classroom situation this may be for distributing a lab to a number of students‘ environments, or maybe the host is just getting long in the tooth and needs to be evacuated before it rides off into the sunset.You’ve already read the excellent blog post by Orin Thomas about migrating protected VMs so you diligently transfer the two Shielded VM certificates from the current host to the new one.
You then export the VMs and import them on the target host. You issue
|
1 |
Get-VM * | Start-VM |
and all is well! Or so it seems at first glance.
Not all is well
Look at the VM configuration on the initial host:
And if you open the snapshot’s settings, the same configuration is there, just not editable, because it’s a snapshot:
The same configuration will be found in the VM settings after import:
The snapshot, however, looks rather different:
An attempt to start the VM after reverting to the snapshot (or „applying the checkpoint“) confirms this, albeit in a somewhat unexpected way:
But what if I try X, Y or Z?..
If you find something that works, please let me know. Here’s what I tried, and none of these things change the import behaviour:
- having vTPM enabled or disabled in a VM (unless you enable vTPM and have NOT transferred the Untrusted Guardian certs as per Orin’s blog, then there IS a difference)
- preserving VM IDs or generating new ones when importing, even registering in-situ
- importing Untrusted Guardian certs or not – as long as vTPM is not enabled, it makes zero difference
- creating a snapshot after import – that snapshot will boot, but the imported ones still won’t
- disabling and enabling SecureBoot – the VM will boot with SecureBoot disabled, but reenabling it restores the error message, despite the configuration actually looking more or less legit.
You keep talking about a different host…
But what if I try to import the exported VMs back on the same host they were initially exported from?
Unfortunately, you will experience the same behaviour. It does appear that the import process for snapshots is just broken (in regard to SecureBoot) on 2022.
Not all is lost, though
Now imagine your original host has indeed died (that’s what happened to me and prompted this post). Are the VMs lost forever?
You are in luck, for they are not. You can, as mentioned above, disable SecureBoot, and the VMs will boot, as long as the installed OS itself doesn’t require SecureBoot to be enabled.
You can also import your VMs on a Hyper-V host running Server 2025 or Windows 11 – these OSes do not exhibit the behaviour described above.
But I have huge snapshot trees!
You can use the PowerShell code like the following to disable SecureBoot and re-snap along your tree. Since you cannot remove snapshots that contain child snapshots and still preserve the hierarchy, parent snapshots are left untouched (and will still have SecureBoot enabled). Child snapshots with the suffix „-SBOFF“ are created for these. Snapshots at the end of tree branches are replaced by snapshots with the same name but SecureBoot disabled:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
[CmdletBinding()] Param( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$VMName, [Parameter(Mandatory=$false)] [switch]$AddCurrentCheckpoint ) $vms = @(Get-VM $VMName) Write-Host "$($vms.Count) match the name $($VMName)" foreach ($vm in $vms) { Write-Host "Processing VM $($vm.Name)" $processedSnaps = @() if ($AddCurrentCheckpoint) { $curSnap = Checkpoint-VM -VM $vm -Passthru Write-Host "- created checkpoint $($curSnap.Name)" $processedSnaps += $curSnap.Id } $snaps = (Get-VMCheckpoint -VM $vm | Where-Object Name -ne $curSnap.Name) do { $procInThisCycle = 0 foreach ($snap in $snaps.Where({$_.Id -notin $processedSnaps})) { Write-Host "- trying snapshot $($snap.name)" $children = $snaps.Where({$_.ParentCheckpointId -eq $snap.Id}) $unprocChildren = $snaps.Where({($_.Id -notin $processedSnaps) -and ($_.ParentCheckpointId -eq $snap.Id)}) Write-Host "- snapshot $($snap.name) has $($children.Count) children, $($unprocChildren.Count) unprocessed" if ($unprocChildren.Count -gt 0) { continue } Write-Host "--- processing snapshot $($snap.name)" Restore-VMCheckpoint -VM $vm -Name $snap.name -Confirm:$false Set-VMFirmware -VM $vm -EnableSecureBoot Off if ($children.Count -eq 0) { Checkpoint-VM -VM $vm -SnapshotName $snap.Name Remove-VMCheckpoint -VMSnapshot $snap } else { Checkpoint-VM -VM $vm -SnapshotName "$($snap.Name)-SBOFF" } $processedSnaps += $snap.Id $procInThisCycle++ } } until ($procInThisCycle -eq 0) } |
This code does not have any error handling so use at your own peril 🙂
And in the future…
…you may consider using a backup/restore product for your lab/dev needs, if your infrastructure and budget allow it. Not to replace snapshots, that would probably bean overkill in most cases, but rather instead of using native export/import!
Happy snapshotting!
Image by Jacques GAIMARD from Pixabay