valorad/Export-UntrustedGuardian.ps1

## Export-UntrustedGuardian.ps1
$GuardianName = 'UntrustedGuardian'
$CertificatePassword = Read-Host -Prompt 'Please enter a password to secure the certificate files' -AsSecureString

$guardian = Get-HgsGuardian -Name $GuardianName

if (-not $guardian)
{
    throw "Guardian '$GuardianName' could not be found on the local system."
}

$encryptionCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.EncryptionCertificate.Thumbprint)"
$signingCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.SigningCertificate.Thumbprint)"

if (-not ($encryptionCertificate.HasPrivateKey -and $signingCertificate.HasPrivateKey))
{
    throw 'One or both of the certificates in the guardian do not have private keys. ' + `
          'Please ensure the private keys are available on the local system for this guardian.'
}

Export-PfxCertificate -Cert $encryptionCertificate -FilePath ".\$GuardianName-encryption.pfx" -Password $CertificatePassword
Export-PfxCertificate -Cert $signingCertificate -FilePath ".\$GuardianName-signing.pfx" -Password $CertificatePassword

# Adapted from https://nathanblasac.com/error-when-migrating-hyper-v-vm-lab-to-different-host-the-key-protector-could-not-be-unwrapped-f6174f68a860

## Import-UntrustedGuardian.ps1
$NameOfGuardian = 'previous-host-name-unTG'
$CertificatePassword = Read-Host -Prompt 'Please enter the password that was used to secure the certificate files' -AsSecureString
New-HgsGuardian -Name $NameOfGuardian -SigningCertificate ".\$NameOfGuardian-signing.pfx" -SigningCertificatePassword $CertificatePassword -EncryptionCertificate ".\$NameOfGuardian-encryption.pfx" -EncryptionCertificatePassword $CertificatePassword -AllowExpired -AllowUntrustedRoot

# Adapted from https://nathanblasac.com/error-when-migrating-hyper-v-vm-lab-to-different-host-the-key-protector-could-not-be-unwrapped-f6174f68a860
	$GuardianName = 'UntrustedGuardian'
	$CertificatePassword = Read-Host -Prompt 'Please enter a password to secure the certificate files' -AsSecureString

	$guardian = Get-HgsGuardian -Name $GuardianName

	if (-not $guardian)
	{
	throw "Guardian '$GuardianName' could not be found on the local system."
	}

	$encryptionCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.EncryptionCertificate.Thumbprint)"
	$signingCertificate = Get-Item -Path "Cert:\LocalMachine\Shielded VM Local Certificates\$($guardian.SigningCertificate.Thumbprint)"

	if (-not ($encryptionCertificate.HasPrivateKey -and $signingCertificate.HasPrivateKey))
	{
	throw 'One or both of the certificates in the guardian do not have private keys. ' + `
	'Please ensure the private keys are available on the local system for this guardian.'
	}

	Export-PfxCertificate -Cert $encryptionCertificate -FilePath ".\$GuardianName-encryption.pfx" -Password $CertificatePassword
	Export-PfxCertificate -Cert $signingCertificate -FilePath ".\$GuardianName-signing.pfx" -Password $CertificatePassword

	# Adapted from https://nathanblasac.com/error-when-migrating-hyper-v-vm-lab-to-different-host-the-key-protector-could-not-be-unwrapped-f6174f68a860
	$NameOfGuardian = 'previous-host-name-unTG'
	$CertificatePassword = Read-Host -Prompt 'Please enter the password that was used to secure the certificate files' -AsSecureString
	New-HgsGuardian -Name $NameOfGuardian -SigningCertificate ".\$NameOfGuardian-signing.pfx" -SigningCertificatePassword $CertificatePassword -EncryptionCertificate ".\$NameOfGuardian-encryption.pfx" -EncryptionCertificatePassword $CertificatePassword -AllowExpired -AllowUntrustedRoot

	# Adapted from https://nathanblasac.com/error-when-migrating-hyper-v-vm-lab-to-different-host-the-key-protector-could-not-be-unwrapped-f6174f68a860