Changing Secure Boot
I have a Windows 10 UEFI VM. However, it won't let me enable secure boot to upgrade to Windows 11. I don't know much about secure boot, but is there a way to change this setting? I can't find it in VBoxManage either.
Thanks!
-
- Posts: 428
- Joined: 2. May 2010, 14:19
- Primary OS: Fedora other
- VBox Version: PUEL
- Guest OSses: Windows, Linux, other Unixes
- Location: Artem S. Tashkinov
- Contact:
Re: Changing Secure Boot
Please try this:
1. Change the OS type to Windows 11.
2. Exit VirtualBox and add this to <Hardware></Hardware>:
<TrustedPlatformModule type="v2_0" location=""/>
(could be done using VBoxManage but I'm not sure about options).
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: Changing Secure Boot
Please note that doing Birdie's suggestion is manually editing the VM's .vbox file, which can be done but requires all VirtualBox processes to be shut down, or the edit won't stick; note the warning against manual editing at the beginning of the .vbox file.
Reboot the host so no VirtualBox processes are running.
Make a copy of the VM's .vbox file for backup purposes.
Then open the VM's .vbox file in a text editor.
Add Birdie's suggested tweak.
Re: Changing Secure Boot
No no no, TPM is completely separate from SecureBoot. For secure boot to get enabled one has to enroll a so-called platform key for the UEFI firmware which can be done with VBoxManage (check VBoxManage modifynvram, specifically the enrollorclpk or enrollpk subcommands there). You could also do this from within the UEFI boot manager (press ESC during boot).
For enabling the TPM you can just use VBoxManage as well, see
Code:
VBoxManage modifyvm <VM name> [--tpm-type= none | 1.2 | 2.0 | host | swtpm ]
Usually you want the 2.0 TPM type.
-
- Posts: 428
- Joined: 2. May 2010, 14:19
- Primary OS: Fedora other
- VBox Version: PUEL
- Guest OSses: Windows, Linux, other Unixes
- Location: Artem S. Tashkinov
- Contact:
Re: Changing Secure Boot
aeichner wrote:
> No no no, TPM is completely separate from SecureBoot. For secure boot to get enabled one has to enroll a so-called platform key for the UEFI firmware which can be done with VBoxManage (check VBoxManage modifynvram, specifically the enrollorclpk or enrollpk subcommands there). You could also do this from within the UEFI boot manager (press ESC during boot).
> For enabling the TPM you can just use VBoxManage as well, see
> Code:
> VBoxManage modifyvm <VM name> [--tpm-type= none | 1.2 | 2.0 | host | swtpm ]
> Usually you want the 2.0 TPM type.

Would be great if you added those options/features to the UI. They don't look nearly difficult to implement.
If you don't, people will be pestering you in these forums all the time. We are not talking about some obscure changes, like changing CPU IDs or anything like that.
Re: Changing Secure Boot
Remember that Windows 11 just insists that Secure Boot has to be supported. Not that it has to be enabled. For upgrading you can ignore the key enrolling etc. stuff.
The only VM config change which should be necessary is enabling the TPM (which also won't be used unless you're setting up Bitkeeper etc etc.). Which is done with
Code:
VBoxManage modifyvm "vmname" --tpm-type 2.0
And yes, so many things should be done, and each day has just 24 hours...
Re: Changing Secure Boot
aeichner wrote:
> No no no, TPM is completely separate from SecureBoot. For secure boot to get enabled one has to enroll a so-called platform key for the UEFI firmware which can be done with VBoxManage (check VBoxManage modifynvram, specifically the enrollorclpk or enrollpk subcommands there). You could also do this from within the UEFI boot manager (press ESC during boot).
> For enabling the TPM you can just use VBoxManage as well, see
> Code:
> VBoxManage modifyvm <VM name> [--tpm-type= none | 1.2 | 2.0 | host | swtpm ]
> Usually you want the 2.0 TPM type.

Thank you, this is the question that was asked! However, I already tried from the boot manager and it simply doesn't give me the option to change the setting on an older VM. If I create a new Windows 11 VM, secure boot is enabled and I can disable it, but on this older VM it is disabled and I cannot change it.
VBoxManage modifynvram enrollorclpk worked to enable secure boot and now allows me to change the settings. Thanks! However, when I enable it the VM won't boot. Is there a way to adjust a VM to boot after changing secure boot?
Re: Changing Secure Boot
The PK is important for secure boot, but by itself it doesn't buy you anything. What matters more (and should get Windows to boot) is
Code:
VBoxManage modifynvram "vmname" enrollmssignatures
because those are required to verify Microsoft's code signatures.
Re: Changing Secure Boot
klaus wrote:
> The PK is important for secure boot, but by itself it doesn't buy you anything. What matters more (and should get Windows to boot) is
> Code:
> VBoxManage modifynvram "vmname" enrollmssignatures
> because those are required to verify Microsoft's code signatures.

That did it! Thanks. Don't use Windows much anyway, but I want to help test.
Re: Changing Secure Boot
For those that may share the problem, here is the short answer (for me):
Windows 10 must already be UEFI.
Disk partition style needs to be GPT not MBR. UEFI likely already has it that way. Windows can convert MBR->GPT if necessary (google it)
Make sure you set the OS to Windows 11 in the VM settings!
VBoxManage modifynvram <VM name> enrollorclpk
VBoxManage modifynvram <VM name> enrollmssignatures
All I needed in the end was the last two commands.
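
Added example (not part of any post above, and not VirtualBox's own code): a read-only pre-flight check that parses a VM's .vbox XML and reports which of the settings discussed in this thread (OS type, UEFI firmware, TPM 2.0) are still missing, so nothing has to be edited by hand. The sample document is constructed, and the Firmware element and OSType attribute names are assumptions about the file layout; only TrustedPlatformModule is quoted in the thread. Keys enrolled with modifynvram live in the VM's NVRAM store, not in the .vbox file, so this check does not cover them.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real VM definition. TrustedPlatformModule is the
# element quoted in the thread; Firmware and OSType are assumed names.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/">
  <Machine name="win10-test" OSType="Windows10_64">
    <Hardware>
      <Firmware type="EFI"/>
    </Hardware>
  </Machine>
</VirtualBox>
"""


def _find(root, name):
    """Return the first element called `name`, ignoring any XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None


def preflight(vbox_xml):
    """List the VM settings from the thread that still need changing."""
    root = ET.fromstring(vbox_xml)
    machine = _find(root, "Machine")
    if machine is None:
        return ["no Machine element: not a VM definition"]
    findings = []
    if not machine.get("OSType", "").startswith("Windows11"):
        findings.append("OS type is not Windows 11: change it in the VM settings")
    firmware = _find(machine, "Firmware")
    if firmware is None or firmware.get("type") != "EFI":
        findings.append("firmware is not EFI: the guest must already boot via UEFI")
    tpm = _find(machine, "TrustedPlatformModule")
    if tpm is None or tpm.get("type") != "v2_0":
        findings.append('no TPM 2.0: VBoxManage modifyvm "vmname" --tpm-type 2.0')
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_VBOX) or ["nothing left to change in the .vbox"]:
        print(line)
```

Run it against a copy of the .vbox file rather than the live one; it only reads the XML and never writes it back.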