[Bug]: Emulated TPM does not include Endorsement Key (EK) certificate for Windows 11 VM #497

@orangegoat1

Description

Version

7.2.4

Host OS Type

Windows

Host OS name + version

Windows 11 Pro Build 26200

Host Architecture

x86

Guest OS Type

Windows

Guest Architecture

x86

Guest OS name + version

Windows 11 Pro Build 26200

Component

EFI

What happened?

The Windows 11 Pro virtual machines have both TPM 2.0 and Secure Boot active, and I have this error on all 4 virtual Windows 11 Pro machines.

Windows System Event Log reports that the TPM-WMI failed Pre-attestation Event ID: 1040 "Pre-attestation health checks confirm a critical component has failed, and the device is not expected to pass attestation."
The log event just prior to the above event shows that the EkCertIsAvailable value is "False". Event ID:
Pre-attestation health check detailed information: {"Version":1,"HealthStatus":"Cannot be attested","Required":[{"Field":"TpmPresent","Value":true,"DesiredValue":true},{"Field":"TpmMeetsMinimumVersion","Value":true,"DesiredValue":true},{"Field":"TpmIsResponsive","Value":true,"DesiredValue":true},{"Field":"EkCertIsAvailable","Value":false,"DesiredValue":true},{"Field":"TcgLogFound","Value":true,"DesiredValue":true}],"Expected":[{"Field":"PcrsMatchTcgLog","Value":true,"DesiredValue":true}],"Informational":[{"Field":"SecureBootEnabled","ValueFromComputer":true,"ValueFromTcgLog":true,"DesiredValue":true,"TcgValueIsVerifiable":true},{"Field":"VirtualSecureMemory","ValueFromComputer":false,"ValueFromTcgLog":false,"DesiredValue":true,"TcgValueIsVerifiable":true},{"Field":"SecureCorePCCompliant","ValueFromComputer":false,"ValueFromTcgLog":false,"DesiredValue":true,"TcgValueIsVerifiable":true}{"Field":"BootTcgLogFoundInFileSystem","Value":true,"DesiredValue":true},{"Field":"CurrentTcgLogFoundInFileSystem","Value":true,"DesiredValue":true}]}

Running the PowerShell command "Get-TpmEndorsementKeyInfo" produces the following results:

IsPresent : True
PublicKey : System.Security.Cryptography.AsnEncodedData
PublicKeyHash :
ManufacturerCertificates : {}
AdditionalCertificates : {}

That shows that the TPM Endorsement Key is missing.

The host TPM and Secure Boot are both active and working fine, and running the PowerShell command "Get-TpmEndorsementKeyInfo" provides the following information:

IsPresent : True
PublicKey : System.Security.Cryptography.AsnEncodedData
PublicKeyHash :
ManufacturerCertificates : {[Subject]
TPMVersion=id:02BC0013, TPMModel=MTP, TPMManufacturer=id:494E5443

                       [Issuer]
                         CN=ODCA 2 CSME MTP PCH SVN 01 PTT   CA

                       [Serial Number]
                          9999999999999999999999999999999999

                       [Not Before]
                         6/5/2024 8:00:00 PM

                       [Not After]
                         12/31/2049 6:59:59 PM

                       [Thumbprint]
                         999999999999999999999999999999999999
                       }

AdditionalCertificates : {}

Which shows the TPM Endorsement Key is present.
PS: I changed the Serial Number and the Thumbprint to all 9s to hide my physical keys.

How can we reproduce this?

test.nvram.txt
test.vbox.txt

Did you upload all of your necessary log files, screenshots, etc.?

  • Yes, I've uploaded all pertinent files to this issue.
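A defender-side readiness check that combines the two signals in this report, the TPM-WMI pre-attestation health JSON and the Get-TpmEndorsementKeyInfo output; this is an added example, not code from the issue or from VirtualBox. It assumes the event provider is named Microsoft-Windows-TPM-WMI and uses a trimmed copy of the health payload quoted above as constructed sample input.

```powershell
# Added example (not from the issue). Lists every Required/Expected health field
# whose Value differs from DesiredValue, so a failed attestation can be traced to
# the specific missing component (here EkCertIsAvailable), and confirms from the
# TPM itself whether an EK certificate chain exists. Needs the built-in
# TrustedPlatformModule module (Windows 10/11).

function Get-AttestationHealthFailures {
    param([Parameter(Mandatory)][string]$HealthJson)
    $health = $HealthJson | ConvertFrom-Json
    foreach ($section in 'Required', 'Expected') {
        foreach ($field in $health.$section) {
            if ($field.Value -ne $field.DesiredValue) {
                [pscustomobject]@{
                    Section      = $section
                    Field        = $field.Field
                    Value        = $field.Value
                    DesiredValue = $field.DesiredValue
                }
            }
        }
    }
}

function Test-EkCertificatePresent {
    $ek = Get-TpmEndorsementKeyInfo
    # An EK *key* can exist (IsPresent = True) while no EK *certificate* is
    # provisioned; attestation services need the certificate, not just the key.
    $certCount = @($ek.ManufacturerCertificates).Count + @($ek.AdditionalCertificates).Count
    [pscustomobject]@{
        EkPresent   = $ek.IsPresent
        EkCertCount = $certCount
        CanAttest   = ($ek.IsPresent -and $certCount -gt 0)
    }
}

# Constructed sample: the payload from this issue, trimmed to the fields that matter.
$sample = '{"Version":1,"HealthStatus":"Cannot be attested","Required":[{"Field":"TpmPresent","Value":true,"DesiredValue":true},{"Field":"EkCertIsAvailable","Value":false,"DesiredValue":true}],"Expected":[{"Field":"PcrsMatchTcgLog","Value":true,"DesiredValue":true}]}'
Get-AttestationHealthFailures -HealthJson $sample | Format-Table -AutoSize

# Live check on the current machine: most recent health payload in the System log
# (provider name assumed) plus the TPM's own view of its EK certificates.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '"HealthStatus"' } |
    Select-Object -First 1 |
    ForEach-Object { Get-AttestationHealthFailures -HealthJson ([regex]::Match($_.Message, '\{.*\}').Value) } |
    Format-Table -AutoSize
Test-EkCertificatePresent
```

Run it inside the guest VM and on the host side by side: a host with a provisioned EK certificate returns CanAttest = True, while the emulated TPM described in this issue returns EkCertCount = 0.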

Labels: bug