
Windows 11 Get-TpmSupportedFeature fails triggering failures in system log

Open ncstate-daniel opened this issue 1 month ago • 26 comments

Describe the bug

Windows 11 is able to install just fine with swtpm backing it, and Get-Tpm, tpm.msc, etc. all show a happy, healthy TPM chip, but when the SCCM agent tries to install (and retries over and over), we get a TPM error in the System log that repeats over and over as SCCM continues to try to access the virtual chip. Furthermore, Get-TpmSupportedFeature returns absolutely nothing, which I suspect is at the root of the problem, and each run of it generates an error.

Required: To Reproduce (without these steps your issue may be deleted)

Steps to reproduce the behavior/issue showing all commands on command line, needed XML or JSON (if necessary), etc.:

Note: This is going to be difficult unless you have an SCCM environment to test with. However, if my suspicion is correct, we can simply test it by executing Get-TpmSupportedFeature.

  1. Install a fresh Windows 11 machine under, in this case, oVirt on Rocky Linux 9 (including the expected OS drivers for virtio and whatnot)
  2. Connect to your new Windows 11 machine and run Get-TpmSupportedFeature in PowerShell (it should return absolutely nothing, and may even pause)
  3. Open Event Viewer and go to the System log (you should see a system error for TPM; details attached below)
  4. Repeat the PowerShell command multiple times and watch it generate new System log entries

Expected behavior

It should return:

PS C:\Users\daniel.admin> get-tpmsupportedfeature
key attestation

Desktop (please complete the following information):

  • OS: Windows 11
  • Version 23H2

Versions of relevant components

  • swtpm: 0.7.3, 0.8.0, 0.8.2 (tried all three)
  • libtpms: 0.9.1
  • openssl: 3.0.7
  • gnutls: 3.8.3
  • ovirt: 4.5.6
  • Host OS: Rocky Linux 9

Log files

swtpmlog.txt

Please note I see zero errors from the host OS perspective... just from within Windows itself.

Event Viewer log entry reads: "The initialization of the Trusted Platform Module (TPM) failed. The TPM may be in failure mode. To allow diagnosis, contact the TPM manufacturer with the attached information." With the following details: swtpmwinevent.txt

Additional context

As far as I can tell, SCCM tries to access the TPM's features, finds nothing, and croaks out during initialization. It then retries immediately, failing over and over and over. A temporary workaround I have is to install the OS with the TPM assigned, then once it's installed 'rip out' the TPM in oVirt's configs. After that everything works fine. (Windows doesn't actually NEED the TPM unless you are doing something like BitLocker.)

ncstate-daniel, May 29 '24 16:05
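The reproduction steps above (run Get-TpmSupportedFeature repeatedly, then look for new TPM errors in the System log) can be scripted so the result is a single object rather than a manual Event Viewer check. The following is an added diagnostic example written for this page; it is not code from the issue reporter or from the swtpm project. It assumes the built-in TrustedPlatformModule cmdlets (Get-Tpm, Get-TpmSupportedFeature) are available and that the session is elevated. Because the issue does not name an event ID or provider, the script filters System-log entries by the message text quoted in the issue ("Trusted Platform Module") instead of hard-coding an ID.

```powershell
# Added example: reproduce the issue's check as one function.
# Not from the issue or the swtpm project. Assumes Windows 10/11 with the
# TrustedPlatformModule cmdlets and an elevated PowerShell session.
function Test-TpmFeatureEnumeration {
    [CmdletBinding()]
    param(
        # How many times to call Get-TpmSupportedFeature (issue step 4).
        [int]$Repeat = 3
    )

    # Baseline state: the issue reports this looks healthy even while
    # feature enumeration is failing, so record it for comparison.
    $tpm = Get-Tpm
    Write-Verbose ("TpmPresent={0} TpmReady={1}" -f $tpm.TpmPresent, $tpm.TpmReady)

    # Timestamp taken before the calls so only events caused by them are counted.
    $start = Get-Date
    $features = @()
    for ($i = 1; $i -le $Repeat; $i++) {
        # Each call is isolated so one error (or hang that later fails)
        # does not abort the remaining repetitions.
        try {
            $features += @(Get-TpmSupportedFeature -ErrorAction Stop)
        } catch {
            Write-Warning ("Get-TpmSupportedFeature call {0} failed: {1}" -f $i, $_.Exception.Message)
        }
    }

    # System-log entries written since $start whose message mentions the TPM.
    # Filtering on message text (from the issue) rather than an assumed event ID.
    $tpmEvents = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $start } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Trusted Platform Module' }
    )
    $tpmErrors = @($tpmEvents | Where-Object { $_.LevelDisplayName -in @('Error', 'Critical') })

    # Healthy means: at least one feature reported AND no new TPM errors logged.
    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        Calls             = $Repeat
        SupportedFeatures = @($features | Sort-Object -Unique)
        NewTpmEvents      = $tpmEvents.Count
        NewTpmErrorEvents = $tpmErrors.Count
        Healthy           = ($features.Count -gt 0 -and $tpmErrors.Count -eq 0)
    }
}

# Usage (run elevated): on a working TPM this shows SupportedFeatures containing
# "key attestation" and zero new error events; on the swtpm-backed VM described
# in the issue, SupportedFeatures is expected to be empty and NewTpmErrorEvents
# to grow by roughly one per call.
Test-TpmFeatureEnumeration -Repeat 3 -Verbose | Format-List
```

The function keeps the Event Viewer step and the PowerShell step tied to the same time window, so a non-zero NewTpmErrorEvents with an empty SupportedFeatures list is the signature the reporter describes; comparing the same output on a physical TPM against the swtpm-backed guest is the quickest way to confirm the behaviour is specific to the virtual chip.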