Windows 11 Guest on Linux Host - Broken TPM support after update (Azure enrolment)

[kyuz0]

Hi,

I'm looking for help troubleshooting an issue that's making it impossible to run Windows 11 VMs on Linux guests, due to the TPM breaking at the first Windows Update after the VM is enrolled into Azure AD.

Vbox version: 7.0.8.

I do not have enough information yet, but I have the high level summary and I'm looking for guidance of what additional information I can gather and what additional tests I can run to figure out what's breaking.

Summary:
- I install Windows 11 on a Linux Host, TPM v2 and Secure Boot enabled
- I install the guest additions and all the Windows updates
- All works fine
- I enrol the device in company Azure AD / Intune
- Reset the device so that I can join company Intune/AD
- All works fine, policies are applied, device joined to AD, Bitlocker enabled
- This works and survives multiple reboots of the VM and host

Issue:
- At the first Windows update, something nasty happens to this configuration and when I reboot the computer I'm asked to insert the Bitlocker recovery key
- After doing so, I can login but the device can't recognise the TPM any more ("Your computer Trusted Platform Module (TPM) has malfunctioned") - totally nuked. Which means it fails forever logins into company resources, Office365 and Bitlocker

What I tried:
- Removing and re-installing the guest additions - no effect
- From the Windows device manager, removing and reinstalling the TPM driver, no cookie, the thing still complains that there's an issue with the TPM and will refuse to work.

I'm out of options here, I can confirm that something destroys the Virtual TPM, it even disappears from the UEFI boot menu configuration options of the VM in spite of being still enabled in the VirtualBox VM configuration.

[fth0]

I believe there's not enough experience with the VirtualBox 7.0 TPM support in the VirtualBox forums yet (see TCG2 Configuration not appear on Win 11 guest (VirtualBox 7.0.9r157775) for another user with a similar issue). I'd suggest to create a ticket in the Bugtracker.

[kyuz0]

I have an update on this. VirtualBox stores the BIOS/UEFI settings in a .nvram file in the machine folder. When the TPM gets corrupted, it is possible to restore it to a working order by replacing the current .nvram file with a snapshot (you'll find that in the Snapshot folder if you took a working snapshot of the system when the TPM worked). This approach allows you to restore the VM to a working state without having to restore the disk back to a previous snapshot.

It still remains to be determined what exactly is getting broken in the BIOS/UEFI of the machine and what is causing it to be broken. I suspect the Windows driver might make some API calls to the TPM that are not handled correctly in the VBox implementation, causing the TPM to become broken.

[scottgus1]

That's good information, kyuz0! It should go in your Bugtracker ticket.

[kyuz0]

Thanks, already there!

[TrisL]

I think I just ran into this exact same problem, exactly the same as you describe OP.

Did you ever get around this, a workaround or fix or anything?

[Chooseme]

I think I just ran into this exact same problem, exactly the same as you describe OP.

Did you ever get around this, a workaround or fix or anything?

https://www.virtualbox.org/ticket/21741