Windows 2025 UEFI/TPM Clone

lancewicz

Dec 1, 2025
Hi Support,

Windows 2025, q35, UEFI, TPM - pure installation. Machine fully shut down, then cloned. After booting the clone: error.
How do I deal with this?
Is it possible to clone a machine and have golden images/templates of machines with TPM/UEFI?

br,

Piotr
 

  • Was the VM encrypted using TPM?
  • Bitlocker?
  • Was sysprep also performed before shutdown? (Please take a VM snapshot beforehand).
 
Bitlocker = no
What do you mean by VM encrypted using TPM?
Before making the template, sysprep was done with generalize and shutdown, and then the template was made.
 

If you encounter a TPM copy failure on a virtual machine where you implemented the mitigation for CVE-2023-24932 and cannot determine how to revert it, it is advisable to recreate the image.

This likely pertains to an image where that mitigation was applied. However, this question should be directed to Microsoft, not the Proxmox forum.

STATUS_SECUREBOOT_POLICY_NOT_SIGNED
 
I recently created a golden image of Server 2025 with TPM and Secureboot. It worked as it should after Sysprep. Could you please show us your VM configuration?
Code:
qm config <vmid>

If you encounter a TPM copy failure on a virtual machine where you implemented the mitigation for CVE-2023-24932 and cannot determine how to revert it, it is advisable to recreate the image.
Do you mean just recreating the TPM or the TPM and EFI image? Since nothing is encrypted by default, you can do this safely.
 
Config of the template

root@proxmox2:~# qm config 111
agent: 1
balloon: 4096
bios: ovmf
boot: order=sata0;net0
cores: 16
cpu: host
efidisk0: macierz:base-111-disk-0,efitype=4m,ms-cert=2023,pre-enrolled-keys=1,size=4M
machine: pc-q35-10.1
memory: 16384
meta: creation-qemu=10.1.2,ctime=1766747831
name: Win2025Temp
net0: virtio=BC:24:11:D4:C3:D9,bridge=vmbr0,firewall=1
numa: 0
ostype: win11
sata0: macierz:base-111-disk-1,cache=unsafe,size=150G
smbios1: uuid=276f55eb-5608-4275-80e4-105dfc87fca4
sockets: 2
template: 1
tpmstate0: macierz:base-111-disk-2,size=4M,version=v2.0
vmgenid: 01fc456c-8ee7-4427-8180-69873023c51a
 