MicrosoftDocs · Synertry · Apr 20, 2025
diff --git a/docset/winserver2016-ps/pki/Import-PfxCertificate.md b/docset/winserver2016-ps/pki/Import-PfxCertificate.md
@@ -16,8 +16,9 @@ Imports certificates and private keys from a Personal Information Exchange (PFX)
 ## SYNTAX
 
 ```
-Import-PfxCertificate [-Exportable] [-Password <SecureString>] [[-CertStoreLocation] <String>]
- [-FilePath] <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+Import-PfxCertificate [-Exportable] [-ProtectPrivateKey <ProtectPrivateKeyType>] [-Password <SecureString>]
+ [[-CertStoreLocation] <String>] [-FilePath] <String>
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -56,6 +57,15 @@ This example imports the PFX file mypfx.pfx into the My store for the machine ac
 The **Password** parameter is not required since this PFX file is protected using the domain account of this machine.
 This requires a Windows Server® 2012 domain controller.
 
+### EXAMPLE 4
+```
+PS C:\>Get-ChildItem -Path c:\mypfx\my.pfx | Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -ProtectPrivateKey vsm 
+```
+
+This example imports the PFX file `my.pfx` with a private key into the My store for the current user.
+The **Password** parameter is not required since this PFX file is not password protected.
+The private key will be protected by virtualized-based security (VBS) and cannot be exported.
+
 ## PARAMETERS
 
 ### -CertStoreLocation
@@ -105,6 +115,24 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ProtectPrivateKey
+Specifies whether to protect the imported private key by virtualized-based security.
+If this parameter is specified with the value `vsm`, then the private key cannot be exported.
+Virtual Secure Mode (VSM) capabilities were introduced in Windows 10 and Windows Server 2016.
+
+```yaml
+Type: Microsoft.CertificateServices.Commands.ProtectPrivateKeyType
+Parameter Sets: (All)
+Aliases: 
+Accepted values: none, vsm
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -FilePath
 Specifies the path for the PFX file.
 
@@ -177,3 +205,5 @@ The imported **X509Certificate2** object contained in the PFX file that is assoc
 [Export-PfxCertificate](./Export-PfxCertificate.md)
 
 [System Store Locations](/windows/desktop/seccrypto/system-store-locations)
+
+[Virtualization-based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)
diff --git a/docset/winserver2019-ps/pki/Import-PfxCertificate.md b/docset/winserver2019-ps/pki/Import-PfxCertificate.md
@@ -16,8 +16,9 @@ Imports certificates and private keys from a Personal Information Exchange (PFX)
 ## SYNTAX
 
 ```
-Import-PfxCertificate [-Exportable] [-Password <SecureString>] [[-CertStoreLocation] <String>]
- [-FilePath] <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+Import-PfxCertificate [-Exportable] [-ProtectPrivateKey <ProtectPrivateKeyType>] [-Password <SecureString>] 
+ [[-CertStoreLocation] <String>] [-FilePath] <String>
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -56,6 +57,15 @@ This example imports the PFX file mypfx.pfx into the My store for the machine ac
 The **Password** parameter is not required since this PFX file is protected using the domain account of this machine.
 This requires a Windows Server® 2012 domain controller.
 
+### EXAMPLE 4
+```
+PS C:\>Get-ChildItem -Path c:\mypfx\my.pfx | Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -ProtectPrivateKey vsm 
+```
+
+This example imports the PFX file `my.pfx` with a private key into the My store for the current user.
+The **Password** parameter is not required since this PFX file is not password protected.
+The private key will be protected by virtualized-based security (VBS) and cannot be exported.
+
 ## PARAMETERS
 
 ### -CertStoreLocation
@@ -105,6 +115,24 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ProtectPrivateKey
+Specifies whether to protect the imported private key by virtualized-based security.
+If this parameter is specified with the value `vsm`, then the private key cannot be exported.
+Virtual Secure Mode (VSM) capabilities were introduced in Windows 10 and Windows Server 2016.
+
+```yaml
+Type: Microsoft.CertificateServices.Commands.ProtectPrivateKeyType
+Parameter Sets: (All)
+Aliases: 
+Accepted values: none, vsm
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -FilePath
 Specifies the path for the PFX file.
 
@@ -177,3 +205,5 @@ The imported **X509Certificate2** object contained in the PFX file that is assoc
 [Export-PfxCertificate](./Export-PfxCertificate.md)
 
 [System Store Locations](/windows/desktop/seccrypto/system-store-locations)
+
+[Virtualization-based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)
diff --git a/docset/winserver2022-ps/pki/Import-PfxCertificate.md b/docset/winserver2022-ps/pki/Import-PfxCertificate.md
@@ -17,9 +17,9 @@ destination store.
 ## SYNTAX
 
 ```
-Import-PfxCertificate [-Exportable] [-Password <SecureString>]
- [[-CertStoreLocation] <String>] [-FilePath] <String> [-WhatIf] [-Confirm]
- [<CommonParameters>]
+Import-PfxCertificate [-Exportable] [-ProtectPrivateKey <ProtectPrivateKeyType>] [-Password <SecureString>]
+ [[-CertStoreLocation] <String>] [-FilePath] <String>
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -72,6 +72,17 @@ This example imports the PFX file `mypfx.pfx` into the My store for the machine
 **Password** parameter is not required since this PFX file is protected using the domain account of
 this machine. This requires a Windows Server 2012 or later domain controller.
 
+### EXAMPLE 4
+
+```powershell
+Get-ChildItem -Path C:\mypfx.pfx |
+    Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -ProtectPrivateKey vsm
+```
+
+This example imports the PFX file `mypfx.pfx` with a private key into the My store for the current user.
+The **Password** parameter is not required since this PFX file is not password protected.
+The private key will be protected by virtualized-based security (VBS) and cannot be exported.
+
 ## PARAMETERS
 
 ### -CertStoreLocation
@@ -124,6 +135,25 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ProtectPrivateKey
+
+Specifies whether to protect the imported private key by virtualized-based security.
+If this parameter is specified with the value `vsm`, then the private key cannot be exported.
+Virtual Secure Mode (VSM) capabilities were introduced in Windows 10 and Windows Server 2016.
+
+```yaml
+Type: Microsoft.CertificateServices.Commands.ProtectPrivateKeyType
+Parameter Sets: (All)
+Aliases: 
+Accepted values: none, vsm
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -FilePath
 
 Specifies the path for the PFX file.
@@ -206,3 +236,5 @@ keys.
 [Export-PfxCertificate](./Export-PfxCertificate.md)
 
 [System Store Locations](/windows/desktop/seccrypto/system-store-locations)
+
+[Virtualization-based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)
diff --git a/docset/winserver2025-ps/pki/Import-PfxCertificate.md b/docset/winserver2025-ps/pki/Import-PfxCertificate.md
@@ -17,9 +17,9 @@ destination store.
 ## SYNTAX
 
 ```
-Import-PfxCertificate [-Exportable] [-Password <SecureString>]
- [[-CertStoreLocation] <String>] [-FilePath] <String> [-WhatIf] [-Confirm]
- [<CommonParameters>]
+Import-PfxCertificate [-Exportable] [-ProtectPrivateKey <ProtectPrivateKeyType>] [-Password <SecureString>]
+ [[-CertStoreLocation] <String>] [-FilePath] <String>
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -72,6 +72,17 @@ This example imports the PFX file `mypfx.pfx` into the My store for the machine
 **Password** parameter is not required since this PFX file is protected using the domain account of
 this machine. This requires a Windows Server 2012 or later domain controller.
 
+### EXAMPLE 4
+
+```powershell
+Get-ChildItem -Path C:\mypfx.pfx |
+    Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -ProtectPrivateKey vsm
+```
+
+This example imports the PFX file `mypfx.pfx` with a private key into the My store for the current user.
+The **Password** parameter is not required since this PFX file is not password protected.
+The private key will be protected by virtualized-based security (VBS) and cannot be exported.
+
 ## PARAMETERS
 
 ### -CertStoreLocation
@@ -124,6 +135,25 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ProtectPrivateKey
+
+Specifies whether to protect the imported private key by virtualized-based security.
+If this parameter is specified with the value `vsm`, then the private key cannot be exported.
+Virtual Secure Mode (VSM) capabilities were introduced in Windows 10 and Windows Server 2016.
+
+```yaml
+Type: Microsoft.CertificateServices.Commands.ProtectPrivateKeyType
+Parameter Sets: (All)
+Aliases: 
+Accepted values: none, vsm
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -FilePath
 
 Specifies the path for the PFX file.
@@ -206,3 +236,5 @@ keys.
 [Export-PfxCertificate](./Export-PfxCertificate.md)
 
 [System Store Locations](/windows/desktop/seccrypto/system-store-locations)
+
+[Virtualization-based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)