[SOLVED] Can't enable secure boot on windows VM, option greyed out

[whatishappening]

I'm trying to enable secure boot on a windows VM in preparation of the dreaded upgrade to Win11. However for some reason the option is greyed out in the VM bios (see screenshot). Not sure why or what needs to be changed. Config below if that helps.

agent: 1
args: -cpu 'host,+kvm_pv_unhalt,+kvm_pv_eoi,hv_vendor_id=NV43FIX,kvm=off'
balloon: 1024
bios: ovmf
boot: order=scsi0;ide2
cores: 16
cpu: host,hidden=1
cpuunits: 200
description: scsi1%3A VM-Storage%3Avm-102-disk-1,backup=0,iothread=1,size=1000G
efidisk0: VM-Storage:vm-108-disk-0,size=1M
hostpci0: 0000:05:00,pcie=1,x-vga=1
ide2: none,media=cdrom
machine: pc-q35-9.0
memory: 32768
name: BlueIris
net0: virtio=B2:A1:A6:E6:E7:A7,bridge=vmbr0,firewall=1,queues=16,tag=10
numa: 0
onboot: 1
ostype: win10
protection: 1
scsi0: VM-Storage:vm-108-disk-1,cache=writeback,discard=on,iothread=1,size=200G
scsi1: VM-Storage:vm-108-disk-4,backup=0,cache=writeback,discard=on,iothread=1,size=1000G
scsi2: VM-Storage:vm-108-disk-2,cache=writeback,discard=on,iothread=1,size=100G
scsihw: virtio-scsi-single
smbios1: uuid=43c0867d-1f21-43ee-a0eb-55db3f1a355d
sockets: 1
startup: order=1
tablet: 1
tags: windows
tpmstate0: VM-Storage:vm-108-disk-3,size=4M,version=v2.0
vmgenid: dfcf9182-a8a6-4396-8411-4f590ef3aae3

 

[fba]

Did you tick the checkbox to pre-enroll keys when creating the machine?
If not, then the keys for secure boot are missing and therefor it cant be enabled. It is possible to provide the keys later on with using Secure Boot Mode/Custom.

 

[whatishappening]

Did you tick the checkbox to pre-enroll keys when creating the machine?
If not, then the keys for secure boot are missing and therefor it cant be enabled. It is possible to provide the keys later on with using Secure Boot Mode/Custom.

Probably not, this VM is very old at this point and I didn't anticipate the need for secure boot and a TPM at the time of creation. Do you have an information or a guide on manual enrolling of keys? Any downside to doing it in this way?

 

[bbgeek17]

Do you have an information or a guide on manual enrolling of keys?

there are a few guides on the Internet, i.e. https://bobcares.com/blog/add-tpm-proxmox/
Of course, there is official documentation: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_tpm

Any downside to doing it in this way?

I would make a clone of your Windows VM as a precaution.

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[whatishappening]

there are a few guides on the Internet, i.e. https://bobcares.com/blog/add-tpm-proxmox/
Of course, there is official documentation: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_tpm


I would make a clone of your Windows VM as a precaution.

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

These look like guides for adding a TPM, I have a TPM attached to the VM already that part seemed to work, but secure boot isn't enabled.

 

[whatishappening]

OK the solution is way easier than I thought. Just power down, delete EFI disk, recreate it with pre-enrolled keys checked, then boot the VM.

If you want to start using Secure Boot in an existing VM (that still usesa 2m efidisk), you need to recreate the efidisk. To do so, delete the old one(qm set <vmid> -delete efidisk0) and add a new one as described above. Thiswill reset any custom configurations you have made in the OVMF menu!

Finally found this in the manual under "10.2.11. BIOS and UEF" section.