
 Fusion on m1 mac, windows 11 arm pro, work account join issues

stainless steelrat posted Jul 18, 2025 03:54 PM

So I have been hanging out in the Fusion forum for a while. (@technogeezer suggested I post here.) I've supported large ESXi installs over the years....

I have a brand new freshly built Windows 11 ARM Pro, that is currently on Fusion 13.6.4 (it was on 13.6.3) on my MacBook Pro running Sonoma 14.7.6.

I built this VM to help me connect to a work 365 instance. I have Company Portal (Intune) installed already, and it authenticates OK. When I go to set up the actual work account in Windows 11 ARM Pro (latest July patches)... it just errors out. I can't figure out if it's a setting issue, or if it's just not completely recognizing the TPM in Fusion.

I have the VM guest encrypting with the TPM, Windows sees the TPM.... and I can use a "PIN" for Windows Hello to sign in. The work account attempts to connect, and forces me to 2FA on my phone through the MS Authenticator app.... but then proceeds to give me this error:


This is the error message from the eventvwr: 


The SID referenced in the error refers to my user account. It's a personal MS account.

The instructions I've found when googling keep talking about trying to re-enable Windows Hello for Business, which I've done multiple ways. The TPM shows that it's OK, and version 2+.

So has anybody gotten a work account to work through Fusion + Win11 ARM?

EDIT: I got it to work by doing an Entra ID style join..... but that is not ideal. I would prefer to have it set up without it being a "full corporate" device. The minute I disjoined, the old behaviour returned. So either it's related to my user account that's trying to do the join.... or something else really weird.

Thanks.

Community Manager Jason McClellan

@  -  the Water Cooler is not the appropriate place for this post.  I will check with @Julia Klaus to see if we can get someone from product to engage.  Thx Jason McClellan, Platform Admin

Broadcom Employee Julia Klaus

Thank You  for the detailed report, it's really helpful.

We're currently working to get someone from Engineering involved who can take a closer look. Appreciate your patience in the meantime.

— Julia

stainless steelrat

@Julia Klaus, @Jason McClellan... Thank you both for jumping on this.... I know it's a weird one. @Technogeezer was the one who pointed me here, suggesting I would get better support, which I have. I appreciate it.

External Moderator Technogeezer

yeah, I goofed on that one...

I totally misunderstood what @stainless steelrat was trying to do and thought it was a Broadcom related account issue... 

Thanks for pointing him in the right direction @Julia Klaus and @Jason McClellan

stainless steelrat

@Jason McClellan, @Julia Klaus 

The VM guest that I had working last week with an Entra join stopped working, likely because of session timeout enforcement settings in our tenant. As a result I built myself another testing VM to see if a change in build process would give me any difference.

Unfortunately, it has not. However, I have been able to determine a few more things in the process, using ChatGPT to help me go through the error messages and other "warnings" that I was finding....

The basic gist of the likely root cause is around the fact that the v-tpm does not pass the requirements for the attestation part of the Entra/Intune join. There is a v-tpm certificate as part of the process which is being rejected:

So, I am presently working on trying to see if I can work around or "exclude" the enrollment restrictions, to see if I can get it to join properly.

That said, what I would like to request would be if you could research adding the v-tpm certification process as part of your development pipeline. I have found as part of my research lots of people who would like to leverage "vm" to help with testing of Autopilot and other Intune features.

Thank you for your quick answer before, it is appreciated. I'm putting my findings into this thread, so others who may be searching will find this info....
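
Added example, not part of the thread or any poster's own code: a PowerShell script to run inside the Windows 11 guest that collects the evidence the last post reasons about (TPM state, the endorsement key certificates the vTPM presents, join state, and recent device-registration errors). The helper name `Get-DsregField`, the choice of `dsregcmd` fields, and the assumption that the rejected join is logged in the "User Device Registration" event log are this example's, not the poster's.

```powershell
# Run from an elevated PowerShell prompt inside the guest.

function Get-DsregField {
    # Hypothetical helper: dsregcmd /status prints "  Name : Value" lines;
    # keep only the requested fields (fields absent from the output are skipped).
    param([string[]]$Lines, [string[]]$Names)
    $result = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*)$' -and $Names -contains $Matches[1]) {
            $result[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$result
}

# 1. TPM as Windows sees it (present/ready says nothing about attestation).
Get-Tpm |
    Select-Object TpmPresent, TpmReady, TpmEnabled, ManufacturerIdTxt, ManufacturerVersion |
    Format-List

# 2. Endorsement key certificates: attestation depends on what is presented
#    here and on whether the verifier trusts the issuer.
$ek    = Get-TpmEndorsementKeyInfo
$certs = @(@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) |
           Where-Object { $_ })
[pscustomobject]@{ EkPresent = $ek.IsPresent; EkCertCount = $certs.Count } | Format-List
$certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List

# 3. Join state and whether the device key is TPM-protected.
$fields = 'AzureAdJoined', 'WorkplaceJoined', 'DomainJoined',
          'TpmProtected', 'DeviceAuthStatus', 'NgcSet'
Get-DsregField -Lines (dsregcmd /status) -Names $fields | Format-List

# 4. Recent errors and warnings from device registration (assumed log location).
$filter = @{
    LogName = 'Microsoft-Windows-User Device Registration/Admin'
    Level   = 2, 3          # 2 = Error, 3 = Warning
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Running it once before the join attempt and once after the failure makes it easier to see which value changed and to attach the output to a support case.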