Enable Secure Boot in a Windows 11 VM on Unraid (OVMF TPM, Q35)
A clear, repeatable checklist for turning on Secure Boot for a Windows 11 VM on Unraid v7.2.3 using Q35 + OVMF TPM by enrolling Microsoft UEFI certificates into OVMF.
If you’re running Unraid v7.2.3 and your Windows 11 VM says Secure Boot is off (and you need it on for things like Intune / company access), here’s the missing piece:
Unraid’s OVMF TPM BIOS is Secure Boot capable, but Secure Boot is not enabled by default. To enable it, you need to enroll Microsoft’s signing certificates (plus your own Platform Key) into the VM’s UEFI firmware.
This post is the “do this, then this” version I wish I’d found instead of wading through confusing forum threads.
VM settings (important)
In Unraid’s VM settings:
- Machine type: Q35
- BIOS: OVMF TPM
If you’re not using these, stop and fix that first.
What we’re going to enroll
You’ll enroll 3 “buckets” of keys:
- PK (Platform Key) — you generate this
- KEK (Key Exchange Key) — Microsoft
- DB (Signature Database) — Microsoft (2 certs)
Once enrolled, these live in the VM’s OVMF_VARS and persist across reboots.
Prerequisites
- A Windows 11 VM that already boots with OVMF TPM
- SSH access to Unraid
- VNC access to the VM console (so you can enter OVMF setup)
Step 1 — Generate your Platform Key (PK)
SSH into your Unraid server and run:
```bash
# Generate the key pair (certificate valid for ~980 years)
openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 358000 -out PKtestDER.crt -subj "/CN=My PK"
# Convert to DER format (what OVMF wants)
openssl x509 -in PKtestDER.crt -outform der -out PKtestDER.der
```
Keep PKpriv.key safe. If you ever want to re-sign or rotate Secure Boot keys later, you’ll want it.
Step 2 — Download Microsoft’s UEFI certificates
From the same directory:
```bash
curl -L -o MicCorKEKCA2011_2011-06-24.crt "https://go.microsoft.com/fwlink/?LinkId=321185"
curl -L -o MicWinProPCA2011_2011-10-19.crt "https://go.microsoft.com/fwlink/?LinkId=321192"
curl -L -o MicCorUEFCA2011_2011-06-27.crt "https://go.microsoft.com/fwlink/?LinkId=321194"
```
Note: wget sometimes gets 403 Forbidden from Microsoft’s CDN; curl -L is reliable.
Step 3 — Put the certs on a small FAT32 disk image
OVMF’s UI can enroll certificates from a filesystem. The simplest way is to attach a tiny virtual disk to the VM.
```bash
mkdir -p /mnt/user/isos/secureboot
cd /mnt/user/isos/secureboot
# Copy/move the files into this folder if needed.
# You should have:
# - PKtestDER.der
# - MicCorKEKCA2011_2011-06-24.crt
# - MicWinProPCA2011_2011-10-19.crt
# - MicCorUEFCA2011_2011-06-27.crt

# Create and format a small FAT32 virtual disk
qemu-img create -f raw certs.img 2G
mkfs.vfat -s 16 -F 32 certs.img

# Mount it (loop device is set up automatically for a regular file) and copy the certs
mkdir -p /tmp/certmount
mount certs.img /tmp/certmount
cp PKtestDER.der MicCorKEKCA2011_2011-06-24.crt MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt /tmp/certmount/
umount /tmp/certmount
```
You should now have certs.img at:
/mnt/user/isos/secureboot/certs.img
Step 4 — Attach the cert disk to your VM
Edit your VM XML and add this inside the <devices> block:
```xml
<disk type='file' device='disk'>
  <driver name='qemu' type='raw' cache='writeback'/>
  <source file='/mnt/user/isos/secureboot/certs.img'/>
  <target dev='hdc' bus='sata'/>
  <address type='drive' controller='0' bus='0' target='0' unit='2'/>
</disk>
```
Step 5 — Enroll the certificates in OVMF
- Start the VM and immediately spam ESC in the VNC console to enter UEFI setup.
- If you can’t catch it: temporarily detach the Windows vDisk so it drops to the UEFI shell, type `exit`, and then hit ESC on the reboot.
- Go to: Device Manager → Secure Boot Configuration
- Change Secure Boot Mode from Standard Mode to Custom Mode
- Enter Custom Secure Boot Options
- Enroll the keys in this order (each time: select the file → Commit Changes):
| Menu Path | File to Select |
|---|---|
| PK Options → Enroll PK → Enroll PK Using File | PKtestDER.der |
| KEK Options → Enroll KEK → Enroll KEK Using File | MicCorKEKCA2011_2011-06-24.crt |
| DB Options → Enroll Signature → Enroll Signature Using File | MicWinProPCA2011_2011-10-19.crt |
| DB Options → Enroll Signature → Enroll Signature Using File | MicCorUEFCA2011_2011-06-27.crt |
- Press F10 to save and shut down the VM.
Step 6 — Clean up and verify
- Remove the cert disk from the VM (undo the XML change, or remove the extra vDisk in the Unraid UI)
- Boot Windows normally
- Run `msinfo32` → confirm Secure Boot State: On
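msinfo32 only tells you Secure Boot is on, not which certificates ended up in the firmware. As an added example (not from the original post), the script below parses the EFI_SIGNATURE_LIST chain that the PK/KEK/db variables use, so you can confirm the db holds exactly the two Microsoft certs from the table and the KEK holds one. From inside the VM, dump a variable with PowerShell, e.g. `[IO.File]::WriteAllBytes('db.bin', (Get-SecureBootUEFI -Name db).Bytes)`, copy it out and run `python3 siglist.py db.bin`; the sample blob at the bottom is constructed from placeholder bytes (not real certificates) so the script also runs stand-alone.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI spec (the two types found in Secure Boot variables)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
HEADER_LEN = 28  # EFI_GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32)


def parse_signature_lists(blob: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures; return one dict per EFI_SIGNATURE_DATA entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        # Every entry in a list has the same size: 16-byte owner GUID + payload (DER cert or hash)
        if sig_size <= 16 or (list_size - HEADER_LEN - hdr_size) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos < end:
            data = blob[pos + 16:pos + sig_size]
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=blob[pos:pos + 16])),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # compare with the .crt/.der you enrolled
            })
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (no signature header); used here only to construct sample data."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(payloads[0])) + body


_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed SignatureOwner GUID
SAMPLE_BLOB = (  # constructed: two "cert" lists (different sizes, so separate lists) + one SHA256 list
    build_signature_list(EFI_CERT_X509_GUID, _OWNER, [b"fake-cert-A"])
    + build_signature_list(EFI_CERT_X509_GUID, _OWNER, [b"fake-cert-BB"])
    + build_signature_list(EFI_CERT_SHA256_GUID, _OWNER, [b"\x01" * 32, b"\x02" * 32])
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for e in parse_signature_lists(blob):
        print(f'{e["type"]:7} owner={e["owner"]} bytes={e["size"]:5} sha256={e["sha256"]}')
```

Compare each printed sha256 against `sha256sum` of the DER files you put on certs.img (the .crt downloads from Microsoft are already DER); a db entry that matches neither file is one you did not enroll.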
Notes / gotchas
- The keys are stored in the VM’s OVMF_VARS file. If Unraid resets/recreates it, you’ll need to re-enroll.
- Treat PKpriv.key like a real private key: back it up securely.
Reference
- Unraid forum thread: https://forums.unraid.net/topic/128595-secure-boot-off-in-ovmf-tpm-bios-windows-11/
- Credit to ghost82 for the original walkthrough that this post condenses.