@@ -390,6 +390,29 @@ VM Guest State (VMGS) is specific to Trusted Launch VMs. It's a blob managed by
390
390
391
391
In a Secure Boot chain, each step in the boot process checks a cryptographic signature of the subsequent steps. For example, the BIOS checks a signature on the loader, and the loader checks signatures on all the kernel objects that it loads, and so on. If any of the objects are compromised, the signature doesn't match and the VM doesn't boot. For more information, see [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot).
392
392
393
+
### What should I do when my Trusted Launch VM has deployment failures ?
394
+
This section provides additional details on Trusted Launch deployment failures for you to take proper action to prevent them.
395
+
396
+
```
397
+
Virtual machine <vm name> failed to create from the selected snapshot because the virtual Trusted Platform Module (vTPM) state is locked. To proceed with the VM creation, please select a different snapshot without a locked vTPM state. For more assistance, please refer to “Troubleshooting locked vTPM state” in FAQ page at https://aka.ms/TrustedLaunch-FAQ.
398
+
```
399
+
This deployment error happens when the snapshot or restore point provided is inaccessible or unusable for the following reasons:
400
+
1. Corrupt virtual machine guest state (VMGS)
401
+
2. vTPM in a locked state
402
+
3. One or more critical vTPM indices are in an invalid state.
403
+
404
+
The above can happen if a user or workload running on the virtual machine sets the lock on vTPM or modifies critical vTPM indices that leaves the vTPM in an invalid state.
405
+
406
+
Retrying with the same snapshot/restore point will result in the same failure.
407
+
408
+
To resolve this:
409
+
410
+
1. On the source Trusted Launch VM where the snapshot or restore point was generated, the vTPM errors must be rectified.
411
+
a. If the vTPM state was modified by a workload on the virtual machine, you need to use the same to check the error states and bring the vTPM to a non-error state.
412
+
b. If TPM tools were used to modify the vTPM state, then you should use the same tools to check the error states and bring the vTPM to a non-error state.
413
+
414
+
Once the snapshot or restore point is free from these errors, you can use this to create a new Trusted Launch VM.
415
+
393
416
### Why is the Trusted Launch VM not booting correctly?
394
417
395
418
If unsigned components are detected from the UEFI (guest firmware), bootloader, OS, or boot drivers, a Trusted Launch VM won't boot. The [Secure Boot](/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#secure-boot-setting-in-hyper-v-manager) setting in the Trusted Launch VM fails to boot if unsigned or untrusted boot components are encountered during the boot process and reports as a Secure Boot failure.
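Review bot: The resolution steps in this hunk contradict the sentence just above them. "Retrying with the same snapshot/restore point will result in the same failure" is correct, because a snapshot or restore point is a point-in-time copy and repairing the vTPM on the source VM does not change it; but the closing sentence "Once the snapshot or restore point is free from these errors, you can use this to create a new Trusted Launch VM" reads as if the existing snapshot heals itself. The numbered list also stops at step 1. Add a step 2 that says to take a new snapshot or restore point from the repaired source VM, and then create the new VM from that new snapshot, e.g. "2. Create a new snapshot or restore point from the repaired VM and use it to create the new Trusted Launch VM." Two smaller points in the same hunk: the quoted error text tells users to look for "Troubleshooting locked vTPM state" in the FAQ, but the heading added here is "What should I do when my Trusted Launch VM has deployment failures ?", so a reader following the error message will not find the section by that name; either rename the heading to match or add a matching sub-heading, and drop the space before the question mark. In step 1a, "you need to use the same to check the error states" is ambiguous; spell out "the same workload", as 1b does for "the same tools". Finally, the fence around the error message has no language tag; the rest of this article tags output blocks, so use ```output for consistency.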