
How to run Windows 11 in GNOME Boxes (with UEFI and TPM2 emulation)

My old tutorial for installing Windows 10 in GNOME Boxes doesn’t work with Windows 11. Here’s how to install Windows 11 as a virtual machine (VM) inside GNOME Boxes. (Some configuration file changes required.)

Windows 11 significantly raised its hardware requirements compared to Windows 10. Among the changes, it requires more RAM and storage space. It also requires a Trusted Platform Module (TPM) version 2.0 and a UEFI boot environment.

GNOME Boxes doesn’t yet support TPM and UEFI environments. However, the underlying virtualization technology supports them. You just need to tweak a few configuration options along the way. Read the instructions carefully!

Prerequisites

You’ll need to meet the following hardware requirements:

  • Your processor must support hardware virtualization, either AMD Virtualization (AMD-V) or Intel Virtualization Technology (VT-x). All but the cheapest processors should support virtualization. Check your BIOS to make sure it’s enabled! (It may be off by default.)
  • The Windows guest system requires at least 8 GB of RAM. Your host system will also require at least 2 GB for itself and the emulation. Your system should have at least 12 GB of RAM.
  • The Windows guest system requires at least 124 GB of storage space. The Windows install doesn’t need all this storage right away, but you’ll run into issues with Windows Update later.

You also need to prepare the following:

  • A Windows 11 installation media file (“ISO”). It can be downloaded for free from Microsoft (about 6 GB). Make sure you download the right edition and installation language.
  • A valid Windows Product Key for OEM/Retail installations (available on Amazon). The Professional edition is preferred (refer to the Post-installation section below). You can skip this during the installation, but you will need to provide a product key within 30 days of the installation.

You should also be familiar with installing software packages from your Linux distribution’s package repository from the terminal. This is the dnf tool on Fedora Linux, and the apt tool on Debian, Ubuntu, and their derivatives.

Install GNOME Boxes and its prerequisites

  1. Start by installing GNOME Boxes from your Linux distribution’s package repository. You cannot use the Flatpak/Flathub version as it doesn’t currently support emulating a TPM. The package is called gnome-boxes everywhere. You need version 40 or newer!
  2. Install the TianoCore Open Virtual Machine Firmware (OVMF) from your package repository. This will let your VM boot as a modern secure boot-enabled UEFI system instead of a legacy BIOS system. The package is called edk2-ovmf in Fedora 34 and ovmf in Ubuntu 22.
  3. Install swtpm, a software TPM emulator (SWTPM), from your package repository. The package is called swtpm-tools in both Fedora 34 and Ubuntu 22 (it’s found in the Universe repository).
  4. As your normal user (not root), run the SWTPM setup command in a terminal:
swtpm_setup --create-config-files skip-if-exist

You may need to log out and back in again if you’ve launched another VM in the current session. Unsure if this applies to you or just want to stay out of trouble? Just reboot your computer; it’s quick and easy anyway.

Installing Windows 11 in GNOME Boxes

  1. Start GNOME Boxes and click on the New button (top left) to create a new VM. The dialog can look a bit overwhelming, but it’s only asking you for one thing: an installation disk image file (“ISO”).
  2. Select the Windows 11 ISO file you’ve downloaded from Microsoft. Do not trust ISO files from sources other than the official website of the software vendor. GNOME Boxes will list it at the top of the dialog (likely misidentified as Windows 10) if it’s stored in your Downloads folder. You can also use the select disk image option at the bottom of the dialog.
  3. Do not accept the Express Installation option. Express installs are only available for some operating systems (OS) and don’t yet work with Windows 11. This option is shown because current versions of Boxes misidentify Windows 11 as Windows 10. Instead, click on the Next button in the top right corner.
  4. On the next screen, assign the Windows guest system at least 8 GB of RAM and 124 GB of disk space. The virtual hard disk image won’t consume all that space right away, but grows dynamically as it gets used.
  5. Click the Create button and wait. The Windows installer should boot up inside the VM and prompt you to select your preferred language and locale. Do not proceed with the installation! The VM is running in legacy BIOS mode and without a TPM. We need to correct that before proceeding.

The following steps must be followed precisely to fully shut down the VM. Unfortunately, there are a few design flaws in GNOME Boxes when you’re trying to do this in the middle of an OS installation. See GNOME Boxes issue #773. GNOME Boxes may incorrectly show the VM as shut down while it’s still running if you don’t follow these steps.

  1. Abort the installation by clicking the Close button (top right) of the installer window inside the VM. You’ll be returned to the Boxes main view.
  2. Wait 20 seconds. The VM’s preview image will spin continuously.
  3. Right-click on the VM and select Force Shutdown. The preview image will continue to spin.
  4. Quit and restart GNOME Boxes. The preview image should now have stopped spinning and turned into the power symbol (⏻).

Hopefully, you haven’t completely lost faith in GNOME Boxes after following that sequence of steps to fully shut down the VM. GNOME Boxes expects to auto-restart the VM two times as part of the normal installation. We don’t want that, so we end up in buggy and uncharted waters.

At this point, you’ll need to make a few manual changes to the VM configuration before we jump back into the Windows Installer. Make sure to follow the instructions carefully.

  1. Right-click on the VM and select Properties. Go to the Advanced tab and click on the Edit Config button (it may be called Edit XML in older versions).
  2. Scroll down to the line that says <devices>. Scan the lines until it says </devices> for any mentions of a TPM. Skip this step if you find any. To enable the TPM emulator, insert a blank line after <devices> and paste the following snippet:
<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
</tpm>
  3. Scroll down to the line that says <os>. Verify that the type element matches the below (the numbers in the machine attribute may differ). If it doesn’t match then you probably haven’t enabled virtualization in your BIOS. Fix that first, delete the VM, and try again.
<type arch="x86_64" machine="pc-q35-6.1">hvm</type>
  4. Locate the newly installed OVMF secure boot firmware image file on your system. The file is called OVMF_CODE.secboot.fd, but the installation path is different between Linux distributions. It’s located in /usr/share/edk2/ovmf/ in Fedora 34 and in /usr/share/OVMF/ in Ubuntu 22.
  5. Scan the lines until it says </os> for any mentions of a loader. Skip this step if you find any. Insert a blank line after the type element, and paste the following (supply the correct full path from the previous step):
<loader readonly="yes" type="pflash">/PATH-HERE/OVMF_CODE.secboot.fd</loader>
  6. Click the Apply button to save the changes. It may appear like your changes get reverted and you may receive a warning about failing to create a snapshot. You can ignore these problems.
  7. Quit and restart GNOME Boxes again.
  8. Right-click on the VM one last time and select Properties. Go to Devices and Shares: CD/DVD.
  9. Click the Select button and reselect the Windows 11 ISO file. The image was removed automatically when the system was shut down during the aborted installation.
  10. Close the properties dialog.
  11. Double-click on the VM in Boxes to start it and resume the installation. Complete the Windows 11 installation by following the prompts. Here’s a neat trick to install Windows without any bloatware.
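
The configuration edits above can be checked mechanically before you restart the installer. The following Python script is an added example, not part of the original tutorial or of GNOME Boxes: it inspects a copy of the VM’s XML for the pc-q35 machine type, the pflash secure boot loader, and the emulated TPM 2.0, and adds the two snippets when they are absent. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal domain definition before the manual edits.
SAMPLE_XML = """<domain type="kvm">
  <os>
    <type arch="x86_64" machine="pc-q35-6.1">hvm</type>
  </os>
  <devices>
    <disk type="file" device="disk"/>
  </devices>
</domain>"""

# Fedora 34 path from the tutorial; Ubuntu 22 uses /usr/share/OVMF/ instead.
OVMF_PATH = "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd"


def check_domain(xml_text):
    """Return the list of settings still missing for a Windows 11 guest."""
    root = ET.fromstring(xml_text)
    problems = []
    os_type = root.find("./os/type")
    if os_type is None or not os_type.get("machine", "").startswith("pc-q35-"):
        problems.append("machine type is not pc-q35")
    loader = root.find("./os/loader")
    if loader is None or loader.get("type") != "pflash":
        problems.append("no pflash UEFI loader")
    elif not (loader.text or "").endswith("OVMF_CODE.secboot.fd"):
        problems.append("loader is not the secure boot image")
    backend = root.find("./devices/tpm/backend")
    if backend is None or backend.get("version") != "2.0":
        problems.append("no TPM 2.0 device")
    return problems


def apply_fixes(xml_text, ovmf_path=OVMF_PATH):
    """Add the tutorial's <tpm> and <loader> elements when they are absent."""
    root = ET.fromstring(xml_text)
    devices, os_el = root.find("devices"), root.find("os")
    if devices.find("tpm") is None:  # skip if a TPM is already configured
        tpm = ET.Element("tpm", {"model": "tpm-crb"})
        ET.SubElement(tpm, "backend", {"type": "emulator", "version": "2.0"})
        devices.insert(0, tpm)  # directly after <devices>
    if os_el.find("loader") is None:  # skip if a loader is already set
        loader = ET.Element("loader", {"readonly": "yes", "type": "pflash"})
        loader.text = ovmf_path
        os_el.insert(list(os_el).index(os_el.find("type")) + 1, loader)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_domain(SAMPLE_XML))               # before the edits
    print(check_domain(apply_fixes(SAMPLE_XML)))  # after the edits
```

An empty list from check_domain means all three settings from the steps above are present in the XML you checked.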

Post-installation

Once you’ve installed Windows 11, you can just use it as-is in GNOME Boxes. However, you’ll be stuck with low performance, 800×600 px screen resolution, and no clipboard integration. Let’s get those sorted out in order.

You can increase the performance of most I/O operations by installing the VirtIO guest agent and driver set. Inside the VM, download and install VirtIO guest addons (look for virtio-win-gt-x64.msi). Restart the VM afterward.

You have two options for higher screen resolutions and clipboard integration. You can either continue to use GNOME Boxes or switch to GNOME Connections. Connections is a version of Boxes that focuses on accessing remote desktops instead of VMs. The two apps look and feel very similar.

You can use Connections to connect to the VM using the Remote Desktop Protocol (RDP). This is the most performant and reliable option. However, it requires a license for Windows 11 Professional or Enterprise. Windows 11 Home doesn’t include the required RDP server component.

You can enable the RDP server from the Windows Settings app: System: Remote Desktop: Remote Desktop. After enabling a network service, take a moment to double-check your network firewalls and make sure that you have a strong and unique password. You may have exposed the service on the public internet. Note that networking into the VM also requires more configuration and is out of scope for this article.

Your other option is to keep using GNOME Boxes with a graphics driver optimized for use within VMs, and optionally the SPICE guest agent. To enable greater screen resolutions, you need to download and install the newest version of the QXL-WDDM-DoD driver (look for the newest date, then QxlWddmDod_x64.msi). The download link may lead to a page that looks like gobbledygook. If this happens: Go back, right-click, and select Save As. The QXL-WDDM-DoD driver works in Windows 11 but doesn’t officially support the OS.

Optionally, you can enable auto-resizing/adaptive screen resizing and clipboard integration by downloading and installing the SPICE guest agent (look for the newest date, then spice-vdagent-x64.msi). Restart the VM afterward.

Known issues

The SPICE display server can sometimes stop working under heavy processor loads. You need to restart the VM to get it back up and running. This isn’t an issue when using RDP.

Online snapshots don’t work with UEFI-based systems. You need to power off the VM before you can create a snapshot.