Win11 guest - hard lock, secureboot now corrupt and cannot enable

Post by TrisL »

Hi team,

Running VB 7.0.14 r161095 on Linux Mint, everything has been working fine.

It is a hard requirement that the Win11 guest needs UEFI+Secure Boot for TPM functionality so I can do work.

Attempted to USB passthrough a mic, this hard-locked the VM. Rebooting the VM took me to the BitLocker recovery page.

Inputted the recovery key, machine goes to boot, but then reboots back to the BitLocker recovery page.

Found on here that the nvram file can get corrupted, rename to .bak, which creates a new nvram file, but every time I reboot the VM the option for 'secure boot' gets unticked. Boots into Windows fine, but I can't do anything work-wise as my org. requires TPM.

Clicked 'reset keys', machine won't even boot with 'access denied to harddisk'. Rebooting a few times enables the machine to boot to Windows, but secure boot is turned off each time the machine boots.

Restoring the bootable nvram results in the same thing - bootable machine, secure boot disabled.

So currently I am stuck with a machine that boots fine, without secure boot or TPM, which means I can't do any work on it as it doesn't meet my org's compliance requirement.

Anything I can try or thoughts? I can run through a new install etc. which is incredibly frustrating but will work I guess, but I am more concerned about what happened in the first place and how to ensure it won't happen again...

Re: Win11 guest - hard lock, secureboot now corrupt and cannot enable

Post by fth0 »

Your description matches the known issue with the nvram file getting corrupted, which you've found already. I don't know of any workaround or solution for that.

You could create a ticket in the Bugtracker. It wouldn't be the first ticket, but perhaps it increases the awareness.