Changing Secure Boot

Temporary forum to discuss issues and problems during a VirtualBox Beta or Release Candidate phase.
bqbauer
Posts: 159
Joined: 14. Dec 2008, 22:04

Changing Secure Boot

Post by bqbauer »

I have a Windows 10 UEFI VM. However, it won't let me enable secure boot to upgrade to Windows 11. I don't know much about secure boot, but is there a way to change this setting? I can't find it in VBoxManage either.

Thanks!
birdie
Posts: 428
Joined: 2. May 2010, 14:19
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Windows, Linux, other Unixes
Location: Artem S. Tashkinov

Re: Changing Secure Boot

Post by birdie »

Please try this:

1. Change the OS type to Windows 11.
2. Exit VirtualBox and add this to <Hardware></Hardware>:
<TrustedPlatformModule type="v2_0" location=""/>
(could be done using VBoxManage but I'm not sure about options).
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Changing Secure Boot

Post by scottgus1 »

Please note that doing Birdie's suggestion is manually editing the VM's .vbox file, which can be done but requires all VirtualBox processes to be shut down, or the edit won't stick; note the warning against manual editing at the beginning of the .vbox file.

Reboot the host so no VirtualBox processes are running.
Make a copy of the VM's .vbox file for backup purposes.
Then open the VM's .vbox file in a text editor.
Add Birdie's suggested tweak.
aeichner
Oracle Corporation
Posts: 193
Joined: 31. Aug 2007, 19:12

Re: Changing Secure Boot

Post by aeichner »

No no no, TPM is completely separate from SecureBoot. For secure boot to get enabled one has to enroll a so-called platform key for the UEFI firmware which can be done with VBoxManage (check VBoxManage modifynvram, specifically the enrollorclpk or enrollpk sub commands there). You could also do this from within the UEFI boot manager (press ESC during boot).
For enabling the TPM you can just use VBoxManage as well, see

Code:

VBoxManage modifyvm <VM name> [--tpm-type=none | 1.2 | 2.0 | host | swtpm]

Usually you want the 2.0 TPM type.
birdie
Posts: 428
Joined: 2. May 2010, 14:19
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Windows, Linux, other Unixes
Location: Artem S. Tashkinov

Re: Changing Secure Boot

Post by birdie »

aeichner wrote: No no no, TPM is completely separate from SecureBoot. For secure boot to get enabled one has to enroll a so-called platform key for the UEFI firmware which can be done with VBoxManage (check VBoxManage modifynvram, specifically the enrollorclpk or enrollpk sub commands there). You could also do this from within the UEFI boot manager (press ESC during boot).
For enabling the TPM you can just use VBoxManage as well, see

Code:

VBoxManage modifyvm <VM name> [--tpm-type=none | 1.2 | 2.0 | host | swtpm]

Usually you want the 2.0 TPM type.

Would be great if you added those options/features to the UI. They don't look nearly difficult to implement.

If you don't, people will be pestering you in these forums all the time. We are not talking about some obscure changes, like changing CPU IDs or anything like that.
klaus
Oracle Corporation
Posts: 1133
Joined: 10. May 2007, 14:57

Re: Changing Secure Boot

Post by klaus »

Remember that Windows 11 just insists that Secure Boot has to be supported. Not that it has to be enabled. For upgrading you can ignore the key enrolling etc. stuff.

The only VM config change which should be necessary is enabling the TPM (which also won't be used unless you're setting up Bitkeeper etc etc.). Which is done with

Code:

VBoxManage modifyvm "vmname" --tpm-type 2.0
And yes, so many things should be done, and each day has just 24 hours...
bqbauer
Posts: 159
Joined: 14. Dec 2008, 22:04

Re: Changing Secure Boot

Post by bqbauer »

aeichner wrote: No no no, TPM is completely separate from SecureBoot. For secure boot to get enabled one has to enroll a so-called platform key for the UEFI firmware which can be done with VBoxManage (check VBoxManage modifynvram, specifically the enrollorclpk or enrollpk sub commands there). You could also do this from within the UEFI boot manager (press ESC during boot).
For enabling the TPM you can just use VBoxManage as well, see

Code:

VBoxManage modifyvm <VM name> [--tpm-type=none | 1.2 | 2.0 | host | swtpm]

Usually you want the 2.0 TPM type.

Thank you, this is the question that was asked! However, I already tried from the boot manager and it simply doesn't give me the option to change the setting on an older VM. If I create a new Windows 11 VM, secure boot is enabled and I can disable it, but on this older VM it is disabled and I cannot change it.

VBoxManage modifynvram enrollorclpk worked to enable secure boot and now allows me to change the settings. Thanks! However, when I enable it the VM won't boot. Is there a way to adjust a VM to boot after changing secure boot?
klaus
Oracle Corporation
Posts: 1133
Joined: 10. May 2007, 14:57

Re: Changing Secure Boot

Post by klaus »

The PK is important for secure boot, but by itself it doesn't buy you anything. What matters more (and should get Windows to boot) is

Code:

VBoxManage modifynvram "vmname" enrollmssignatures
because those are required to verify Microsoft's code signatures.
bqbauer
Posts: 159
Joined: 14. Dec 2008, 22:04

Re: Changing Secure Boot

Post by bqbauer »

klaus wrote:The PK is important for secure boot, but by itself it doesn't buy you anything. What matters more (and should get Windows to boot) is

Code:

VBoxManage modifynvram "vmname" enrollmssignatures
because those are required to verify Microsoft's code signatures.
That did it! Thanks. Don't use Windows much anyway, but I want to help test.
bqbauer
Posts: 159
Joined: 14. Dec 2008, 22:04

Re: Changing Secure Boot

Post by bqbauer »

For those that may share the problem, here is the short answer (for me):

Windows 10 must already be UEFI.
Disk partition style needs to be GPT not MBR. UEFI likely already has it that way. Windows can convert MBR->GPT if necessary (google it)
Make sure you set the OS to Windows 11 in the VM settings!
VBoxManage modifynvram <VM name> enrollorclpk
VBoxManage modifynvram <VM name> enrollmssignatures

All I needed in the end was the last two commands.
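
The two commands from the short answer above, wrapped in a precondition check. This is an added example, not code posted by anyone in the thread. It assumes `VBoxManage showvminfo --machinereadable` reports `firmware="..."` and `VMState="..."` lines; requiring the VM to be powered off is a conservative choice made here, and the VM name is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumptions: showvminfo --machinereadable
# prints firmware="..." and VMState="..." lines; requiring a powered-off VM is
# a conservative choice made here, not something the thread states.

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Print the value of KEY from key="value" lines read on stdin.
vm_info_value() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" | head -n 1
}

# Read machine-readable VM info on stdin; print the enrollment commands in
# order, or refuse (exit 2: not EFI firmware, exit 3: VM not powered off).
secure_boot_plan() {
    local vm="$1" info firmware state
    info="$(cat)"
    firmware="$(printf '%s\n' "$info" | vm_info_value firmware)"
    state="$(printf '%s\n' "$info" | vm_info_value VMState)"
    case "$firmware" in
        EFI*) ;;
        *) echo "refusing: firmware is '${firmware:-unknown}', not EFI" >&2
           return 2 ;;
    esac
    if [ "$state" != "poweroff" ]; then
        echo "refusing: VM state is '${state:-unknown}', not poweroff" >&2
        return 3
    fi
    printf '%s modifynvram "%s" enrollorclpk\n' "$VBOXMANAGE" "$vm"
    printf '%s modifynvram "%s" enrollmssignatures\n' "$VBOXMANAGE" "$vm"
}

# Check the live VM, then run both enrollments; stop at the first failure.
enroll_secure_boot() {
    local vm="$1"
    "$VBOXMANAGE" showvminfo "$vm" --machinereadable |
        secure_boot_plan "$vm" >/dev/null || return
    "$VBOXMANAGE" modifynvram "$vm" enrollorclpk &&
        "$VBOXMANAGE" modifynvram "$vm" enrollmssignatures
}

# Constructed sample (not real output): dry run against an EFI, powered-off VM.
printf 'firmware="EFI"\nVMState="poweroff"\n' | secure_boot_plan "Win10 test"
```

Calling `enroll_secure_boot "<VM name>"` performs the check against the real VM and then runs both enrollments; `secure_boot_plan` alone only prints what would be run.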