Note: Any and all comments/improvements are welcomed.
What is Secure Boot?
Secure Boot is a UEFI firmware feature that helps ensure a device boots only software signed with a key the firmware trusts (on most PCs, Microsoft's). It is separate from the Trusted Platform Module (TPM), a dedicated security chip, but Windows relies on both: the TPM is required by default for features such as BitLocker disk encryption, and Windows 11 checks for Secure Boot and a TPM 2.0 before it will install.
Secure Boot and Windows 11
Whilst this feature has been around since Microsoft Windows 8, it has gained a lot of coverage in the press because Microsoft initially stated that Windows 11 would only install on machines that supported Secure Boot and had it enabled. At the time of writing it is unknown whether Microsoft will eventually require Secure Boot for Windows 11.
It could be said that using Secure Boot with a virtual machine is pointless; however, certain corporate environments require features like BitLocker to be enabled before a machine is considered "compliant" and allowed to join the corporate network.
Proxmox and Secure Boot / vTPM
Proxmox VE 7.0-13 now natively supports a virtual Trusted Platform Module (vTPM) as a "TPM State" device, which gives the guest the TPM 2.0 that Windows 11 checks for. Secure Boot itself is provided by the OVMF (UEFI) firmware rather than by the vTPM, so the VM must use the OVMF BIOS with an EFI disk; the legacy SeaBIOS firmware cannot provide Secure Boot.
This walkthrough details the configuration needed for a Windows 11 virtual machine to report all green ticks in the Windows 11 PC Health Check.
Verifying Proxmox Version
Make sure you are running at least PVE 7.0-13; running pveversion on the host prints the installed pve-manager version.
Virtual Machine Settings
When you create the virtual machine, on the System page select "Add TPM" and set the Version to "v2.0". On the same page set BIOS to OVMF (UEFI) and add an EFI disk with "Pre-Enroll keys" ticked: without the pre-enrolled Microsoft keys the firmware has nothing to verify signatures against and Secure Boot stays off.
After the creation wizard has completed, you will see a TPM State entry in the VM's Hardware settings.
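As an added example (not code from the original walkthrough or from Proxmox), the shell script below puts the two checks above in one place: it parses the first line of pveversion output against the 7.0-13 minimum, and it checks a VM's qm config text for the OVMF firmware, the EFI disk with pre-enrolled keys and the v2.0 TPM state that Windows 11 looks for. The option names (bios, efidisk0/pre-enrolled-keys, tpmstate0/version, cpu) are assumed to be the ones PVE 7.x prints in qm config; the version strings and configs at the bottom are constructed samples so the script runs without a Proxmox host.

```shell
#!/bin/sh
# Added example (not from the original walkthrough or from Proxmox): audit a
# VM's settings for what a Windows 11 guest needs to pass the Secure Boot
# and TPM 2.0 checks. Assumes the option names printed by `qm config` on
# PVE 7.x (bios, efidisk0 with pre-enrolled-keys, tpmstate0 with version)
# and the minimum pve-manager version 7.0-13 named in the walkthrough.
# The sample inputs at the bottom are constructed, not captured from a host.

# pve_version_ok "<first line of pveversion>" -> exit 0 if pve-manager >= 7.0-13.
# Handles both the 7.x "7.0-13" and the 8.x "8.0.4" forms of the version string.
pve_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's#^pve-manager/\([0-9][0-9.-]*\)/.*#\1#p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver" | awk -F'[.-]' '{
        ok = ($1 > 7) || ($1 == 7 && ($2 > 0 || ($2 == 0 && $3 >= 13)))
        exit (ok ? 0 : 1)
    }'
}

# cfg_has "<config text>" "<regex>" -> exit 0 if some config line matches.
cfg_has() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# check_vm_config "<qm config output>" -> exit 0 if every required setting is
# present; otherwise list what is missing and exit 1.
check_vm_config() {
    cfg=$1
    rc=0
    # Secure Boot is a UEFI feature: the legacy SeaBIOS firmware cannot provide it.
    cfg_has "$cfg" '^bios: ovmf' ||
        { echo 'missing: bios=ovmf (Secure Boot requires OVMF/UEFI firmware)'; rc=1; }
    # The EFI vars disk must carry the pre-enrolled Microsoft keys; otherwise the
    # firmware has nothing to verify signatures against and Secure Boot stays off.
    cfg_has "$cfg" '^efidisk0: .*pre-enrolled-keys=1' ||
        { echo 'missing: efidisk0 with pre-enrolled-keys=1'; rc=1; }
    # Windows 11 requires TPM 2.0 specifically; a v1.2 state device fails the check.
    cfg_has "$cfg" '^tpmstate0: .*version=v2\.0' ||
        { echo 'missing: tpmstate0 with version=v2.0'; rc=1; }
    # Advisory only: the generic kvm64 CPU model is commonly reported as an
    # unsupported processor by PC Health Check; cpu=host passes the host model through.
    cfg_has "$cfg" '^cpu: host' ||
        echo 'note: cpu is not "host"; PC Health Check may report an unsupported processor'
    return $rc
}

# Constructed sample output of `qm config <vmid>` for a correctly set up VM.
GOOD_CFG='bios: ovmf
cpu: host
efidisk0: local-lvm:vm-100-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M
machine: q35
ostype: win10
tpmstate0: local-lvm:vm-100-disk-1,size=4M,version=v2.0'

# Constructed sample for a VM left on SeaBIOS with no TPM state device.
BAD_CFG='bios: seabios
cpu: kvm64
ostype: win10'

# On a real host feed in the live values instead, e.g.
#   pve_version_ok "$(pveversion)"   and   check_vm_config "$(qm config 100)"
# Here the constructed samples are used so the script runs anywhere.
if pve_version_ok 'pve-manager/7.0-13/0123abcd (running kernel: 5.11.22-5-pve)'; then
    echo 'pve-manager version OK'
fi
echo '--- good config ---'; check_vm_config "$GOOD_CFG" && echo 'ready for Windows 11'
echo '--- SeaBIOS config ---'; check_vm_config "$BAD_CFG" || echo 'not ready'
```

The cpu line is deliberately advisory rather than a failure: it does not affect Secure Boot or the TPM, only the separate processor check in PC Health Check. The version parser accepts both the dash-separated 7.x form and the dotted 8.x form so the script keeps working after a host upgrade.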
Verifying vTPM in Windows
After Windows has booted, open the MMC (mmc.exe) and add the TPM Management snap-in, or run tpm.msc directly. The console shows that Windows recognizes a valid TPM. From an elevated PowerShell prompt, Get-Tpm confirms the TPM state and Confirm-SecureBootUEFI returns True when Secure Boot is active.
Installing Windows 11
The Windows 11 PC Health Check may still report an unsupported processor, so an in-place upgrade from Windows 10 to Windows 11 is not possible. This is typically caused by the VM's default generic CPU type (kvm64), which is not on Microsoft's supported-processor list; setting the VM's CPU type to host exposes the host's real processor model instead.
Installing directly from a Windows 11 ISO uploaded to the Proxmox host works correctly, and Windows 11 then functions normally.