VirtualBox

Opened 11 months ago

Last modified 3 months ago

#21741 new defect

TPM breaks after Windows update - Windows 11 Guest on Linux Host (VirtualBox 7.0.8)

Reported by: kyuz0 Owned by:
Component: other Version: VirtualBox-7.0.8
Keywords: tpm Cc:
Guest type: Windows Host type: Linux

Description

I'm reporting an issue I've been trying to troubleshoot that's making it impossible to run Windows 11 VMs on Linux guests, due to the TPM breaking at the first Windows Update after the VM is enrolled into Azure AD with Intune.

I do not have enough information yet, but I have the high-level summary and I'm looking for guidance on what additional information I need to gather and add to the ticket, and what additional tests I can run to figure out what's breaking.

Summary:

  • I install Windows 11 on a Linux Host, TPM v2 and Secure Boot enabled
  • I install the guest additions and all the Windows updates
  • All works fine
  • I enrol the device in company Azure AD / Intune
  • Reset the device so that I can join company Intune/AD
  • All works fine, policies are applied, device joined to AD, Bitlocker enabled
  • This works and survives multiple reboots of the VM and host

Issue appearance:

  • At the first Windows update, something nasty happens to this configuration and when I reboot the computer I'm asked to insert the Bitlocker recovery key
  • After doing so, I can log in but the device can't recognise the TPM any more ("Your computer Trusted Platform Module (TPM) has malfunctioned") - totally nuked. Which means logins into company resources, Office 365 and BitLocker fail forever

What I tried:

  • Removing and re-installing the guest additions - no effect
  • From the Windows Device Manager, removing and reinstalling the TPM driver: no cookie, the thing still complains that there's an issue with the TPM and will refuse to work.

I'm out of options here, I can confirm that something "destroys" the Virtual TPM, it even disappears from the UEFI boot menu configuration options of the VM in spite of being still enabled in the VirtualBox VM configuration.

Attachments (6)

Screenshot from 2023-06-26 10-08-00.png (11.2 KB ) - added by kyuz0 11 months ago.
VBox BIOS Cannot find TPM
TPMEnabled.png (63.4 KB ) - added by kyuz0 11 months ago.
TPM and Secure Boot Enabled in VM Configuration
SecureBootEnabledBIOS.png (6.8 KB ) - added by kyuz0 11 months ago.
Secure Boot Enabled in BIOS
Captura de pantalla 2023-06-26 a las 20.27.12.jpg (58.0 KB ) - added by ElMaSkA 11 months ago.
TCG2 Configuration in Device Manager
Captura de pantalla 2023-06-26 a las 20.27.51.jpg (62.2 KB ) - added by ElMaSkA 11 months ago.
TCG2 Configuration
Captura de pantalla 2023-06-19 a las 19.44.41.jpg (37.8 KB ) - added by ElMaSkA 11 months ago.
Error in TPM device on Win 11's Device Manager


Change History (17)

comment:1 by ElMaSkA, 11 months ago

Hello kyuz0 and experts.

I have 2 VMs with Win 11 (one VM on a macOS host and another on a Win 10 host) and both stopped responding by the TPM.

Details are in the following thread: https://forums.virtualbox.org/viewtopic.php?p=537789#p537789

Best regards.

by kyuz0, 11 months ago

Attachment: Screenshot from 2023-06-26 10-08-00.png added

VBox BIOS Cannot find TPM

by kyuz0, 11 months ago

Attachment: TPMEnabled.png added

TPM and Secure Boot Enabled in VM Configuration

by kyuz0, 11 months ago

Attachment: SecureBootEnabledBIOS.png added

Secure Boot Enabled in BIOS

comment:2 by kyuz0, 11 months ago

Hi,

This issue just happened and it's not related to Windows updates as I had thought. VBox somehow nuked its own TPM on its own. I have attached screenshots showing that it is enabled in the VM configuration, but when I go to the VBox BIOS, there's no TPM device shown anymore even though Secure Boot is enabled.

Please, can anybody provide some troubleshooting steps?

by ElMaSkA, 11 months ago

Attachment: Captura de pantalla 2023-06-26 a las 20.27.12.jpg added

TCG2 Configuration in Device Manager

by ElMaSkA, 11 months ago

Attachment: Captura de pantalla 2023-06-26 a las 20.27.51.jpg added

TCG2 Configuration

by ElMaSkA, 11 months ago

Attachment: Captura de pantalla 2023-06-19 a las 19.44.41.jpg added

Error in TPM device on Win 11's Device Manager

comment:3 by ElMaSkA, 11 months ago

Hi,

These screenshots I have taken from building a fresh installation of Win 11 from scratch. As you can see, these are the settings that should appear in the UEFI and that allow enabling/disabling the TPM at the UEFI level; in the Win 11 VMs where I have the problem, these settings appeared before and at some point they disappeared.

In addition to this, I add a screenshot at the OS level where the following error message appears in the Device Manager (the same message appears in my 2 VMs with Win 11, one on a Win 10 host and the other on a macOS Ventura host).

kyuz0 please, can you check if you get the same error code in the TPM module that you see in the Win 11 Device Manager?

Br.

comment:4 by kyuz0, 11 months ago

Hi, when the TPM disappears, I indeed get the same error in Windows 11 Device Manager.

comment:5 by kyuz0, 10 months ago

I have an update on this. VirtualBox stores the BIOS/UEFI settings in a .nvram file in the machine folder. When the TPM gets corrupted, it is possible to restore it to a working order by replacing the current .nvram file with a snapshot (you'll find that in the Snapshot folder if you took a working snapshot of the system when the TPM worked). This approach allows you to restore the VM to a working state without having to restore the disk back to a previous snapshot.

It still remains to be determined what exactly is getting broken in the BIOS/UEFI of the machine and what is causing it to be broken. I suspect the Windows driver might make some API calls to the TPM that are not handled correctly in the VBox implementation, causing the TPM to become broken.

If anybody from the VBox dev team is interested and willing to take ownership of the ticket, I can provide the broken nvram and the working one for further analysis.

comment:6 by ElMaSkA, 10 months ago

In my case, unfortunately, I did not take any snapshots so I will have to wait until they can solve this problem. I will also be able to provide the .nvram file if any developer asks me for it.

comment:7 by ElMaSkA, 9 months ago

I have been able to solve the problem whereby the TCG2 section did not appear in the UEFI Device Manager section, which I had in my Win 11 VM on a MacOS Ventura host (currently in version 13.5) and with VirtualBox version 7.0.10 (158379). I will tell you the steps:

I decided to remove BitLocker in Win 11 (both the C: drive and the E: drive, which has been there since this VM was first created back when it ran Win 7), but it still had the same problems.

So I decided to replace the .nvram file: I copied the .nvram file from another fresh Win 11 VM I created (I gave the original one the extension .nvram.bk) and put it in the corresponding directory of the problematic Win 11 VM, having first set the same configuration parameters on both VMs. When I booted it and entered the UEFI, I could already see the TCG2 option, and at the Win 11 OS level the system recognized the TPM again. For now I have not reactivated BitLocker, but I need it, so I will reactivate it and report on its evolution.

On the other hand, having another Win 11 VM on Win 10 host with Bitlocker enabled and after an update, I reproduced the same problem that kyuz0 mentioned "At the first Windows update, something nasty happens to this configuration and when I reboot the computer I'm asked to insert the Bitlocker recovery key", and this at every reboot.
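
The file swap described in comment 5 (put back the .nvram saved with a working snapshot) and in comment 7 (copy the .nvram of a fresh VM with identical settings) as a shell script. This is an added example, not part of the ticket and not VirtualBox's own tooling; it assumes the VirtualBox 7.0 default layout (live store at <machine folder>/<VM name>.nvram, snapshot copies under <machine folder>/Snapshots/), refuses to run while VBoxManage reports the VM as anything other than powered off, and keeps the corrupted store next to the VM so it can be attached to the ticket as requested.

```shell
#!/bin/sh
# nvram-restore.sh: swap a VirtualBox VM's UEFI variable store (.nvram) for a
# known-good copy, keeping the corrupted one for analysis.
# Added example written for this ticket; it is not VirtualBox's own tooling.
# Assumed layout (VirtualBox 7.0 defaults, not stated in the ticket):
#   live store      : <machine folder>/<VM name>.nvram
#   snapshot copies : <machine folder>/Snapshots/*.nvram
set -eu

# Print the most recently modified .nvram under a Snapshots directory; the
# snapshot taken while the TPM still worked is normally the newest one.
newest_snapshot_nvram() {
  snap_dir=$1
  ls -t "$snap_dir"/*.nvram 2>/dev/null | head -n 1
}

# True when the VM is powered off, i.e. nothing can write the store while we
# replace it. Checked with VBoxManage when it is installed; without it the
# caller is trusted to have shut the VM down.
vm_is_powered_off() {
  vm_name=$1
  command -v VBoxManage >/dev/null 2>&1 || return 0
  state=$(VBoxManage showvminfo "$vm_name" --machinereadable 2>/dev/null \
          | sed -n 's/^VMState="\(.*\)"$/\1/p') || true
  [ "$state" = "poweroff" ]
}

# restore_nvram MACHINE_DIR VM_NAME GOOD_NVRAM
# Copies the live store aside as <VM name>.nvram.broken-<timestamp> (the file
# the reporter offers to attach to the ticket), installs GOOD_NVRAM in its
# place, verifies the copy byte for byte and prints the path of the backup.
restore_nvram() {
  machine_dir=$1; vm_name=$2; good=$3
  live="$machine_dir/$vm_name.nvram"
  [ -f "$good" ] || { echo "no such file: $good" >&2; return 1; }
  [ -f "$live" ] || { echo "no live store at $live" >&2; return 1; }
  broken="$live.broken-$(date +%Y%m%d-%H%M%S)"
  cp -p "$live" "$broken"
  cp -p "$good" "$live"
  cmp -s "$good" "$live" || { echo "verification failed for $live" >&2; return 1; }
  echo "$broken"
}

# Usage: nvram-restore.sh MACHINE_DIR VM_NAME [GOOD_NVRAM]
# Without GOOD_NVRAM the newest store under MACHINE_DIR/Snapshots is used; a
# .nvram copied from a fresh VM with identical settings is passed explicitly.
if [ $# -ge 2 ]; then
  dir=$1; name=$2
  good=${3:-$(newest_snapshot_nvram "$dir/Snapshots")}
  [ -n "$good" ] || { echo "no .nvram found under $dir/Snapshots" >&2; exit 1; }
  vm_is_powered_off "$name" || { echo "power off $name before replacing its store" >&2; exit 1; }
  backup=$(restore_nvram "$dir" "$name" "$good")
  echo "restored $dir/$name.nvram from $good (previous store kept at $backup)"
fi
```

Run it with the VM shut down (not saved or paused), e.g. `sh nvram-restore.sh ~/VirtualBox\ VMs/Win11 Win11`; the snapshot's disk state is left untouched, only the variable store is swapped, which is why the VM comes back with its current disk contents but a working TPM menu. Note that BitLocker keys sealed to the old TPM state will still need the recovery key once after the swap.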

comment:8 by Klaus Espenlaub, 6 months ago

Lots of screenshots but no trace of a VBox.log file... on ticket creation it is pointed out that providing it is important. It contains a lot of useful detail about your system, the VM and so on.

comment:9 by chooseme, 6 months ago

VBox.log provided in forum. Can also provide corrupted nvram.

comment:10 by chooseme, 6 months ago

Further investigation from the forum is pointing to the permall file inside the nvram archive.

comment:11 by chooseme, 3 months ago

I now believe that the tpm file loads fine; the file seemed fine even to the creator of libtpms. The problem has to be with the EFI portion of the nvram file. There is even a problem changing settings, like enabling and disabling "Secure boot". Probably the tpm loads fine but is not being used by the EFI, that's why there is no menu option. I see a lot more people with that problem sadly, and with Win11 using TPM as default, it will get worse with time.


© 2023 Oracle