Windows 11 VM keeps resetting PIN despite TPM enabled (TrueNAS SCALE 25.10 “Goldeye”)

Hey everyone,

I’m running TrueNAS SCALE 25.10-RC (“Goldeye”) on my primary server and have a Windows 11 VM with an RTX 4070 SUPER passed through for gaming and remote streaming via Sunshine.

TPM 2.0 has been enabled in the VM since its creation (verified in the UI), but Windows continues to prompt me to reset my Hello PIN after every reboot or hardware change. It looks like the TPM state isn’t persisting between boots.

What I’ve verified so far:
• ls -lh /mnt//vm//tpm* → returns nothing — no TPM state file or directory exists anywhere under my pools.
• The Windows disk lives on /dev/zvol/taltos/vm/windows11-ax325q.
• When I try to create a TPM manually via CLI, this fails:
midclt call vm.device.create '{"vm":3,"dtype":"TPM","attributes":{"version":"2.0"}}'
→ [EINVAL] vm_device_create.attributes.dtype: Field required
• Running:
midclt call core.get_schema vm.device.create
→ Method does not exist.

It appears that the internal API schema changed in 25.10, and as a result, the older docs and forum examples that reference dtype or core.get_schema are no longer applicable.

Question:

What’s the correct command or procedure to create a persistent TPM 2.0 device on modern TrueNAS SCALE builds (Goldeye / 25.10+), so Windows stops regenerating the TPM on each boot and retains its Hello PIN?

Any updated JSON syntax or midclt examples that work with the latest API would be greatly appreciated.

It used to work with

cli -c "service vm update id=X machine_type=q35 arch_type=x86_64 trusted_platform_module=true"

before there was a GUI option.

I ran both searches to confirm where (or if) the TPM state was being saved:

find /mnt -type f -name "*tpm*" 2>/dev/null | grep vm
find /mnt -type d -name "tpm" 2>/dev/null | grep vm

Neither command returned any results, so it looks like there’s no TPM state file or directory being created anywhere under my pools — even though the “Enable TPM” box is checked in the VM configuration.

I also verified that vm.device.create doesn’t support TPM as a device type on this build. Every attempt returns:
[EINVAL] vm_device_create.attributes: Input tag 'TPM' found using 'dtype' does not match any of the expected tags: 'CDROM', 'DISPLAY', 'NIC', 'PCI', 'RAW', 'DISK', 'USB'

That means the backend doesn’t yet expose TPM as a valid dtype, so it can’t be added or managed via midclt. The GUI option enables TPM for the running VM, but it seems the state isn’t persisting across boots — which would explain the Windows Hello PIN resets.

It’s starting to look like this might be a regression or incomplete feature in the 25.10 “Goldeye” RC builds.

If anyone else on this version has a working persistent TPM, I’d love to compare directory paths or confirm whether the .tpm file appears under their VM dataset.
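Checking the host side another way, as an added example that is not from this thread or from TrueNAS: on a libvirt/QEMU host the emulated TPM is a separate swtpm process, and its command line names the directory where the TPM state is written. The script below parses that argument and checks whether swtpm's TPM 2.0 state file is actually on disk. It assumes (not confirmed by the thread) that TrueNAS SCALE runs VMs through libvirt, that libvirt starts swtpm with "--tpmstate dir=<path>,mode=0600", that the default location is /var/lib/libvirt/swtpm/<domain-uuid>/tpm2/, and that swtpm names the file tpm2-00.permall; the sample process line is constructed.

```sh
#!/bin/sh
# Added example (not from the thread or from TrueNAS): given the command line of a
# running swtpm process, recover the TPM state directory libvirt handed it and
# check that the TPM 2.0 state file is actually on disk. If that directory is on a
# tmpfs or is recreated on every VM start, the guest sees a brand-new TPM on each
# boot, which is exactly what invalidates a TPM-protected Windows Hello PIN.
#
# Assumptions (not confirmed by the thread): TrueNAS SCALE runs its VMs under
# libvirt, which starts one swtpm process per TPM-enabled VM with an argument of
# the form "--tpmstate dir=<path>,mode=0600" and, by default, keeps the state in
# /var/lib/libvirt/swtpm/<domain-uuid>/tpm2/. swtpm names its TPM 2.0 state file
# tpm2-00.permall.

# Print the state directory from one swtpm command line (prints nothing if absent).
tpmstate_dir_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*--tpmstate dir=\([^, ]*\).*/\1/p'
}

# Exit 0 if the directory holds a persisted TPM 2.0 state file, 1 otherwise.
tpmstate_persisted() {
    [ -f "$1/tpm2-00.permall" ]
}

# Print "<dir> persisted" or "<dir> MISSING" for one command line; exit 1 if no
# --tpmstate argument is present at all (i.e. the process is not state-backed).
report_cmdline() {
    dir=$(tpmstate_dir_from_cmdline "$1")
    [ -n "$dir" ] || { echo "no --tpmstate argument: swtpm running without persistent state"; return 1; }
    if tpmstate_persisted "$dir"; then
        echo "$dir persisted"
    else
        echo "$dir MISSING (state will be regenerated on next start)"
    fi
}

# Constructed sample line, shaped like `pgrep -a swtpm` output on a libvirt host.
# The PID, UUID, socket path and log path are made up.
SAMPLE_CMDLINE='4242 /usr/bin/swtpm socket --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/3-windows11-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/windows11-swtpm.log --terminate --tpm2'

# On a live host, run this instead of the sample:
#   pgrep -a swtpm | while IFS= read -r line; do report_cmdline "$line"; done
# If pgrep prints nothing while the VM is up, no swtpm was started for it, so
# QEMU has no TPM device at all regardless of the checkbox in the UI.
if [ "${1:-}" = "--sample" ]; then
    report_cmdline "$SAMPLE_CMDLINE"
fi
```

Run it with `--sample` to see the parsed path from the constructed line; on the real host, pipe `pgrep -a swtpm` into `report_cmdline` as shown in the comment, and compare the reported directory against what `find /mnt` returned: if swtpm's state lives under /var/lib/libvirt rather than under a pool dataset, a search limited to /mnt will never find it even when the state is persisting correctly.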

I suggest using Report a Bug at the top right of this forum.

Bug reported.