Windows 11 discussion - fully supported by VirtualBox 7.0

Discussions about using Windows guests in VirtualBox.
birdie
Posts: 428
Joined: 2. May 2010, 14:19
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Windows, Linux, other Unixes
Location: Artem S. Tashkinov

Re: Windows 11 compatibility is being worked on

Post by birdie »

aeichner wrote: UEFI Secure Boot support is available in the test builds as well and if you have selected the Windows 11 guest OS type when creating the VM (selecting it afterwards will not apply the necessary defaults) it should have Secure Boot enabled automatically.
How did you enable Secure Boot in VirtualBox? Could you give a quick overview please?

Will malware running e.g. on my system be able to patch VirtualBox binaries at runtime or on the disk in order to render Secure Boot in my guest OSes useless? I.e. the VM will be able to run any code despite pretending that Secure Boot is enabled?
w0w
Posts: 1
Joined: 29. Oct 2021, 12:32

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by w0w »

Some feedback... :D
Hardware is AMD 3970x on TRX40 board with 256GB memory installed.
VirtualBox is 6.1.97 r147788
VM settings are default with "Windows 11 x64" profile selected, tried also some options like disabling sound and USB
Host is Windows 11 Pro 22000.282
Guest is Windows 11 22000.258
VM is crashing periodically on start or reboot with MCE. (Attached 2 different Vbox.log, not sure if it is saved there)
When VirtualBox Guest Additions (same version as VirtualBox itself) are installed, Windows goes into Automatic Repair mode and never repairs anything.
Also, every time I try to take a snapshot I get an error

SSM: Failed to save the VM state to 'D:\Vms\win11\Snapshots\2021-10-29T10-06-46-964453900Z.sav' (file deleted): VERR_SSM_FIELD_COMPLEX
Attachments
VBoxloop.zip
Looped MCE on boot. After attempting the Reset This PC option from Windows boot manager
(116.57 KiB) Downloaded 19 times
VBox2.zip
MCE on reboot
(84.82 KiB) Downloaded 20 times
VBox.zip
should be with MCE on boot
(83.47 KiB) Downloaded 19 times
aeichner
Oracle Corporation
Posts: 193
Joined: 31. Aug 2007, 19:12

Re: Windows 11 compatibility is being worked on

Post by aeichner »

birdie wrote:
aeichner wrote: UEFI Secure Boot support is available in the test builds as well and if you have selected the Windows 11 guest OS type when creating the VM (selecting it afterwards will not apply the necessary defaults) it should have Secure Boot enabled automatically.
How did you enable Secure Boot in VirtualBox? Could you give a quick overview please?

Will malware running e.g. on my system be able to patch VirtualBox binaries at runtime or on the disk in order to render Secure Boot in my guest OSes useless? I.e. the VM will be able to run any code despite pretending that Secure Boot is enabled?
Basically, Secure Boot was enabled by enabling the necessary bits when compiling the EDKII UEFI firmware and adding code to enroll the necessary certificates and UEFI variables (like PK, db, dbx, etc.) in the UEFI's NVRAM file when the VM is created. The protection is the same from the guest's point of view as with a real system, i.e. unsigned or tampered-with EFI binaries, bootloaders, etc. will be refused execution by the core firmware if the signature can't be verified.
If there is some malware running on the host and it has the ability to write to your VM configs, it can just disable Secure Boot inside the guest by tampering with the NVRAM (or calling VBoxManage/the Main API) or modify the signature databases in order to patch anything it likes inside the disk image. If the malware on the host has the ability to overwrite VirtualBox binaries (or even patch them during runtime), it is game over anyway; nothing can protect your guest then, because the code to verify signatures can be patched to always succeed...
Always keep in mind that Secure Boot only provides some level of protection (same limitations as with physical systems) from malware running inside the guest, never when your host is compromised.
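Added example (not part of aeichner's post and not VirtualBox code): a host-side integrity baseline for the files the reply above names as tamper targets, the VM config and the UEFI NVRAM file. The `*.vbox` and `*.nvram` patterns and the sample file names are assumptions; the baseline is meant to be taken while the VM is powered off and stored where host malware cannot rewrite it, and it does not help once VirtualBox binaries themselves are patched.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: the VM folder holds the machine config as *.vbox and the UEFI
# variable store as *.nvram; adjust the patterns to your own layout.
WATCHED_PATTERNS = ("*.vbox", "*.nvram")


def sha256_file(path: Path) -> str:
    """Stream the file so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(vm_dir: Path) -> dict:
    """Hash every watched file in the VM folder (run while the VM is off)."""
    return {
        p.name: sha256_file(p)
        for pattern in WATCHED_PATTERNS
        for p in sorted(vm_dir.glob(pattern))
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and the current state."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo() -> dict:
    """Constructed sample: a fake VM folder whose NVRAM changes after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_dir = Path(tmp)
        (vm_dir / "win11.vbox").write_text("<VirtualBox/>")    # placeholder config
        (vm_dir / "win11.nvram").write_bytes(b"\x00" * 64)     # placeholder variable store
        baseline = json.loads(json.dumps(snapshot(vm_dir)))    # as if reloaded from storage
        (vm_dir / "win11.nvram").write_bytes(b"\x00" * 63 + b"\x01")  # change while VM is off
        return compare(baseline, snapshot(vm_dir))


if __name__ == "__main__":
    print(demo())
```

The guest legitimately writes UEFI variables while it runs, so only a change between power-off and the next start is worth investigating.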
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by Oracleiscool »

@aeichner;

I think we are coming to a dropping off point with Windows. I think it is all version-related. Maybe different versions of VirtualBox based on Windows Version(s)?

They are all going to cloud-level interaction (or seem to be) and the controls we have to turn on or off settings in the field are starting to exclude features that look for these settings to be "on" (or they will silently change the state as in Hyper-V for Windows Home Security) or they will not work (like password-less MS main accounts, Windows Hello PIN, etc.)

I know we can log and fix problems here in the forum(s) as they move the goal post to "zero trust" platforms, but at some point, they will lock down the OS from any outside platform, or the system developers (like you and yours) will just get tired of having to move targets around to meet the newer system settings.

Or a piece of hardware (like a proprietary chipset (not TPM) device already being discussed) that will lock the device to protect the typical (not aware) consumer (Home and S Users).

I know first hand from work experience how disappointing it is to work for months (back in 1979) inputting data as an IT tech, just to have the IT pro come to the floor and tell us we missed a line of input code (80 Character Format) and we need to rewind the tapes and start over. Such a downer for the crew, as we only had a handful of people that could be trusted (maybe 30%) of our workforce that could actually run a keyboard properly (and that is not a typing skill, it is all motor!).

Could it be that this is best handled with a "real" Windows Version (Pro or Higher) in the future? I just hate seeing this whole thing develop as it is, and out of a great amount of concern and respect for you and the Oracle Team as they grapple with these dynamic changes.

As a close, this is a good thing for Windows as an OS, and I welcome a more secure OS environment as long as they can give us a proper ring of trust. I know VMware has that in large part, just hoping we will get included. :?
abbleeker
Posts: 13
Joined: 4. Oct 2021, 19:19

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by abbleeker »

The current development snapshots of 6.1.97 (test builds for VB 7.0) support both Secure Boot and TPM 2.0. At the moment, all you have to do (and can do actually) is select guest version Windows 11 (64-bit) when creating a new VM. Changing the version of an older VM from Windows 10 to Windows 11 doesn't work; when the VM has been created as Windows 10 you'll need to create a new Windows 11 VM. Such a configuration satisfies the requirement checks performed by the retail version of Windows 11, and completes a clean installation, which shows that Secure Boot is supported, and the TPM is recognised as a 2.0 device. However, after checking that Windows 11 was installed and working as intended, I decided to install the Guest Additions, but after prompting to reboot the VM, it was unable to boot, and failed every time to repair the boot disk. I had to enter the BIOS and switch Secure Boot off to regain access to the VM. That may well be fixed by a later version of the GA.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by Oracleiscool »

@abbleeker;

Yes I remember that you had some experiences in this area from previous posts.

I am just trying to get a feel for the climate of the Oracle System Team. I noticed in previous postings about the newer VB 7.0 and 6.1.XX beta test versions all that you said, but also took note that they never mentioned the guest additions :? Maybe they are still working on them?

For sure MS is still working on Windows 11. They still have an open ticket with Oracle for VirtualBox. And MS has still not yet stood up an official Tier 3 support for Windows 11. :shock:

I just wonder when it will happen that the three (TPM, Secure Boot, CPU Type) will all have to be on and valid (either as a host or guest) for Windows 11 to be satisfied that it can let all the new features or security devices run on the OS? Or just stop updating the OS with that Nasty Red Circle X they like so much.

Remember, we were saying just last month that surely Windows 11 would not make this TPM thing such a big deal! Or secure boot either. Well, we see what happened there.... and they (MS) are still tight-lipped about the future.

The saddest part of this is the people who are trying to get Windows 11 working by itself, and not understanding the MS Accounts, or how a bad reinstall (A Wipe and Reinstall) can destroy your password UAC and Windows Hello, and wipe all your passwords. Let's don't even talk about BitLocker. Or OneDrive :(
birdie
Posts: 428
Joined: 2. May 2010, 14:19
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Windows, Linux, other Unixes
Location: Artem S. Tashkinov

Re: Windows 11 compatibility is being worked on

Post by birdie »

aeichner wrote:
birdie wrote:
aeichner wrote: UEFI Secure Boot support is available in the test builds as well and if you have selected the Windows 11 guest OS type when creating the VM (selecting it afterwards will not apply the necessary defaults) it should have Secure Boot enabled automatically.
How did you enable Secure Boot in VirtualBox? Could you give a quick overview please?

Will malware running e.g. on my system be able to patch VirtualBox binaries at runtime or on the disk in order to render Secure Boot in my guest OSes useless? I.e. the VM will be able to run any code despite pretending that Secure Boot is enabled?
Basically, Secure Boot was enabled by enabling the necessary bits when compiling the EDKII UEFI firmware and adding code to enroll the necessary certificates and UEFI variables (like PK, db, dbx, etc.) in the UEFI's NVRAM file when the VM is created. The protection is the same from the guest's point of view as with a real system, i.e. unsigned or tampered-with EFI binaries, bootloaders, etc. will be refused execution by the core firmware if the signature can't be verified.
If there is some malware running on the host and it has the ability to write to your VM configs, it can just disable Secure Boot inside the guest by tampering with the NVRAM (or calling VBoxManage/the Main API) or modify the signature databases in order to patch anything it likes inside the disk image. If the malware on the host has the ability to overwrite VirtualBox binaries (or even patch them during runtime), it is game over anyway; nothing can protect your guest then, because the code to verify signatures can be patched to always succeed...
Always keep in mind that Secure Boot only provides some level of protection (same limitations as with physical systems) from malware running inside the guest, never when your host is compromised.
Thank you very much!
AndyCot
Posts: 296
Joined: 29. Feb 2020, 03:04

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by AndyCot »

Today I used VB VirtualBox-6.1.97-148372-Win.exe on Windows 10 with Hyper-V disabled to install and run Windows 11 (x64 RTM/GOLD iso Version 21H2 22000.194 from MS) using the attached batch file that:
1) Configures VB machine settings
2) Uses VB unattended install method to install Windows 11

I had to work around / manually do the following:
1) When VB booted into the EFI command prompt I typed "exit" and then in the EFI BIOS selected the ISO to run
2) After Windows installed it did not reboot and showed a complete blue screen. I had to shut down the machine
3) On the restart Windows finished installing using the Windows GUI, BUT the mouse did not work.
4) I did an ACPI shutdown and restarted and now I have a working Windows 11 RTM/Gold to play with.

Hopefully this is helpful for someone. The batch file includes commented out lines for the TPM, when the 6.1.97 series supports it or someone documents how to get it working and I find it.
Attachments
VirtualBox_Unattended_Win11_Install.bat.txt
VB batch file
(3.57 KiB) Downloaded 121 times
Alberto789
Posts: 9
Joined: 17. Dec 2021, 18:09

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by Alberto789 »

Hi, I use the Linux version of the development version (actually snapshot 148976), and for some releases now it has been impossible to install the Guest Additions in my W11 VM. Error code VBOX_E_NOT_SUPPORTED 0x80BB0009, component GuestSessionWrap, interface IGuestSession {3e14c189-4a75-437e-b0bb-7e7c90d0df2a}
Don't know if it is related, but the internal build revision of the Guest Additions didn't match (version 148968) .. same version as the separate download, which doesn't match in version either.
How do I install the Guest Additions correctly?
Alberto789
Posts: 9
Joined: 17. Dec 2021, 18:09

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by Alberto789 »

I took fresh build 149426 on a Linux host; the VirtualBox Guest Additions still fail to install on my W11 guest with an error.
Is there something to debug this?
abbleeker
Posts: 13
Joined: 4. Oct 2021, 19:19

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by abbleeker »

I'm running a Linux host, and I actually can install VGA on the Windows 11 client, but it refuses to reboot, and it only offers to fix an error. This always fails, and the only option is to shut it down. To make it boot Windows 11 successfully, I have to disable Secure Boot in the BIOS. After that it boots without issues every time.
AndyCot
Posts: 296
Joined: 29. Feb 2020, 03:04

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by AndyCot »

Please supply logs so they can be looked at by mods.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 11 discussion - fully supported by VirtualBox 7.0

Post by scottgus1 »

For further me-too-ers, please start a new topic with your particular question and data needed to help us find the answer: Minimum Info Needed for Assistance
Locked