Essential technical steps for refreshing the Secure Boot trust database while keeping TPM-bound guest state intact.

TargetOracle VirtualBox Windows 10/11 guests using UEFI Secure Boot and TPM 2.0.
GoalRefresh Microsoft Secure Boot trust material in the VM UEFI NVRAM store, then verify the 2023 certificates from inside Windows.
Do not confuseSecure Boot keys live in the VM UEFI variable store / .nvram file. TPM state is separate; do not clear or change the vTPM unless that is a planned recovery action.
Quick process recap: keep the vTPM stable, back up the VM including .nvram, reset or re-enroll the Secure Boot keys, boot Windows, then verify with PowerShell.

Prerequisites

  • Upgrade the host to a current VirtualBox 7.2.x build that includes Secure Boot certificate-update fixes; confirm with VBoxManage –version.
  • Power off the guest cleanly. Do not perform this maintenance from a saved-state VM.
  • Create a snapshot or offline backup of the full VM folder, including the .nvram file.
  • Record custom Secure Boot keys, Linux shim/MOK enrollments, or non-default bootloaders before resetting defaults.
  • Keep TPM type unchanged, normally TPM 2.0 for Windows 11 guests.
VBoxManage –version
VBoxManage showvminfo “<vm-name>” –machinereadable

Preferred GUI procedure

  1. Open VM settings. In VirtualBox Manager, select the powered-off VM and open Settings.
  2. Confirm firmware and TPM. Go to System > Motherboard. Confirm EFI/UEFI is enabled and TPM Version is the expected value, usually 2.0 for Windows 11.
  3. Enable Secure Boot. Select the Secure Boot checkbox if it is not already selected. If Reset… is disabled, enabling Secure Boot can make it available.
  4. Reset Secure Boot keys. Click Reset… to load VirtualBox default Secure Boot certificates into the VM UEFI variable store.
  5. Boot and settle Windows. Start the VM, let pending Windows updates complete, then reboot once more before verification.
This restores the default Secure Boot trust database. It should not require wiping or replacing the virtual TPM.

CLI procedure for automation or recovery

Use VBoxManage when you need repeatability or when the GUI cannot reach the required state. Test on a clone first; modifynvram is an expert-level command and a wrong NVRAM edit can make the VM unbootable.

Inspect current NVRAM

VBoxManage modifynvram “<vm-name>” listvars
VBoxManage modifynvram “<vm-name>” queryvar –name db –filename db.bin

Re-enroll defaults and enable Secure Boot

VBoxManage modifynvram “<vm-name>” enrollmssignatures
VBoxManage modifynvram “<vm-name>” enrollorclpk
VBoxManage modifynvram “<vm-name>” secureboot –enable

Only if the variable store is unrecoverable

VBoxManage modifynvram “<vm-name>” inituefivarstore
VBoxManage modifynvram “<vm-name>” enrollmssignatures
VBoxManage modifynvram “<vm-name>” enrollorclpk
VBoxManage modifynvram “<vm-name>” secureboot –enable
Caution: inituefivarstore discards the existing UEFI variable store. Use it only after preserving the .nvram file and expect to recreate custom boot entries or custom trust material.

For new VMs or missing TPM configuration only

VBoxManage modifyvm “<vm-name>” –firmware efi –tpm-type 2.0

Verify inside Windows

Run these from an elevated PowerShell prompt after Windows has booted and completed pending updates.

Confirm-SecureBootUEFI
Get-SecureBootUEFI -Name db -Decoded | Select-String -Pattern ‘Windows UEFI CA 2023′,’Microsoft UEFI CA 2023’
Get-Tpm

Fallback when -Decoded is unavailable:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’
Expected result: Secure Boot is enabled and the Windows UEFI CA 2023 certificate is present in db. If it is missing, apply Windows updates, reboot twice, and confirm the host VirtualBox build includes the Secure Boot certificate-update fixes.

Troubleshooting essentials

SymptomAction
Reset… disabledEnable Secure Boot first and confirm the VM is using UEFI, not legacy BIOS.
VM only boots with Secure Boot offBoot once to recover access, patch Windows and VirtualBox, then reset keys and re-enable Secure Boot.
2023 certificate still missingApply Windows monthly updates, reboot twice, and verify with Get-SecureBootUEFI -Decoded where available.
Linux or custom boot chain failsRe-enroll custom MOK/platform keys or use a custom-key flow instead of the default reset.
.nvram was deleted/resetTreat as emergency repair only. Once booted, reset Secure Boot keys and re-enable Secure Boot immediately.

Closeout

  • Record the VM name, VirtualBox version, verification output, and whether any custom keys or MOK entries were re-enrolled.

Keep the backup until the guest has survived at least one normal shutdown/start cycle with Secure Boot enabled.