Sam Varshavchik writes:
Ed Greshko writes:
> On 20/09/2021 00:08, Sam Varshavchik wrote:
>> Is anyone else getting this error in the "Security processor
>> troubleshooting" (21H1, with all updates installed)?
>
> It has been nearly 2 months since I worked on this. But, yes, that is what I
> was seeing. No matter what I did
> I could not get passed that issue. I gave up and moved on to installing
> Win11.
I think I figured it out. That message has nothing to do with the TPM chip
per se, real or emulated. In "Security Processor" there was a similar, vague
message, but with a "more information" link. That goes to a web page, which
is full of Microsoftese. Rather than describing what it wants in clear
technical terms, it meanders on topics like "basic security requirements",
"enhanced security requirements", and similar handwaving. I reread that five
times, then I figured out that it wants UEFI+Secure Boot, to make this
warning message go away.
All the Win11 press was about the TPM 2.0 requirement, there was no mention
of a UEFI+Secure Boot requirement for upgrading, but I wouldn't want to draw
any conclusions.
I tried to give one more college try with another, licensed, VM. I found
very useful reading material here:
https://ogris.de/howtos/windows-uefi-
virtio.html
So, I took my other, licensed, Windows 10 VM and tried the same thing I did
with the other one, except that this time I also converted the raw disk
image to qcow2. Afterwards, like before, I created a new VM from scratch,
pointed it to the new disk image and manually added TPM 2.0 hardware. The
new VM booted fine.
This looked promising. I shut it down, created a qcow2 snapshot, booted the
VM, ran mbr2gpt, as described there, to convert the MBR to GPT. mbr2gpt
first claimed that it succeeded, but also complained something about
ReAgent.xml, and told me that I need to enable EFI in my firmware, when I
reboot. So I shut down the VM, creating another VM, this time selecting the
secboot EFI firmware.
Windows did boot, but came up in 640x480 mode with basic drivers,
unactivated, and refused to activate, wanting me to pay for a license.
The explanation it gave me: new hardware. This was a retail license, though,
which should be transferable.
I cut the experiment short, shut down the EFI VM, restored the qcow2
snapshot, and went back to the BIOS VM. It came up fine.
I see two possible reasons: 1) It's been documented how Windows unactivates
after what it considers to be too many hardware changes, or maybe 2) it is
necessary to update to EFI first, then add a TPM module. The new EFI VM has
its own separate TPM module, so Windows doesn't find the same TPM chip it
already saw, so it does not activate.
It's unclear if Win11 requires just a TPM chip, or TPM+secure boot. I don't
recall anyone mentioning a secure boot requirement, just TPM, which does
seem to work, by creating a new VM.
In a couple of months, if neither one of my VMs offer a Win11 upgrade I'll
try to switching to an EFI VM, and copy swtpm's data to the new VM's swtpm,
before the first boot, and see what happens…