Essential technical steps for refreshing the Secure Boot trust database while keeping TPM-bound guest state intact.
| Target | Oracle VirtualBox Windows 10/11 guests using UEFI Secure Boot and TPM 2.0. |
| Goal | Refresh Microsoft Secure Boot trust material in the VM UEFI NVRAM store, then verify the 2023 certificates from inside Windows. |
| Do not confuse | Secure Boot keys live in the VM UEFI variable store / .nvram file. TPM state is separate; do not clear or change the vTPM unless that is a planned recovery action. |
| Quick process recap: keep the vTPM stable, back up the VM including .nvram, reset or re-enroll the Secure Boot keys, boot Windows, then verify with PowerShell. |
Prerequisites
- Upgrade the host to a current VirtualBox 7.2.x build that includes Secure Boot certificate-update fixes; confirm with VBoxManage –version.
- Power off the guest cleanly. Do not perform this maintenance from a saved-state VM.
- Create a snapshot or offline backup of the full VM folder, including the .nvram file.
- Record custom Secure Boot keys, Linux shim/MOK enrollments, or non-default bootloaders before resetting defaults.
- Keep TPM type unchanged, normally TPM 2.0 for Windows 11 guests.
| VBoxManage –version VBoxManage showvminfo “<vm-name>” –machinereadable |
Preferred GUI procedure
- Open VM settings. In VirtualBox Manager, select the powered-off VM and open Settings.
- Confirm firmware and TPM. Go to System > Motherboard. Confirm EFI/UEFI is enabled and TPM Version is the expected value, usually 2.0 for Windows 11.
- Enable Secure Boot. Select the Secure Boot checkbox if it is not already selected. If Reset… is disabled, enabling Secure Boot can make it available.
- Reset Secure Boot keys. Click Reset… to load VirtualBox default Secure Boot certificates into the VM UEFI variable store.
- Boot and settle Windows. Start the VM, let pending Windows updates complete, then reboot once more before verification.
| This restores the default Secure Boot trust database. It should not require wiping or replacing the virtual TPM. |
CLI procedure for automation or recovery
Use VBoxManage when you need repeatability or when the GUI cannot reach the required state. Test on a clone first; modifynvram is an expert-level command and a wrong NVRAM edit can make the VM unbootable.
Inspect current NVRAM
| VBoxManage modifynvram “<vm-name>” listvars VBoxManage modifynvram “<vm-name>” queryvar –name db –filename db.bin |
Re-enroll defaults and enable Secure Boot
| VBoxManage modifynvram “<vm-name>” enrollmssignatures VBoxManage modifynvram “<vm-name>” enrollorclpk VBoxManage modifynvram “<vm-name>” secureboot –enable |
Only if the variable store is unrecoverable
| VBoxManage modifynvram “<vm-name>” inituefivarstore VBoxManage modifynvram “<vm-name>” enrollmssignatures VBoxManage modifynvram “<vm-name>” enrollorclpk VBoxManage modifynvram “<vm-name>” secureboot –enable |
| Caution: inituefivarstore discards the existing UEFI variable store. Use it only after preserving the .nvram file and expect to recreate custom boot entries or custom trust material. |
For new VMs or missing TPM configuration only
| VBoxManage modifyvm “<vm-name>” –firmware efi –tpm-type 2.0 |
Verify inside Windows
Run these from an elevated PowerShell prompt after Windows has booted and completed pending updates.
| Confirm-SecureBootUEFI Get-SecureBootUEFI -Name db -Decoded | Select-String -Pattern ‘Windows UEFI CA 2023′,’Microsoft UEFI CA 2023’ Get-Tpm |
Fallback when -Decoded is unavailable:
| [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’ |
| Expected result: Secure Boot is enabled and the Windows UEFI CA 2023 certificate is present in db. If it is missing, apply Windows updates, reboot twice, and confirm the host VirtualBox build includes the Secure Boot certificate-update fixes. |
Troubleshooting essentials
| Symptom | Action |
| Reset… disabled | Enable Secure Boot first and confirm the VM is using UEFI, not legacy BIOS. |
| VM only boots with Secure Boot off | Boot once to recover access, patch Windows and VirtualBox, then reset keys and re-enable Secure Boot. |
| 2023 certificate still missing | Apply Windows monthly updates, reboot twice, and verify with Get-SecureBootUEFI -Decoded where available. |
| Linux or custom boot chain fails | Re-enroll custom MOK/platform keys or use a custom-key flow instead of the default reset. |
| .nvram was deleted/reset | Treat as emergency repair only. Once booted, reset Secure Boot keys and re-enable Secure Boot immediately. |
Closeout
- Record the VM name, VirtualBox version, verification output, and whether any custom keys or MOK entries were re-enrolled.
Keep the backup until the guest has survived at least one normal shutdown/start cycle with Secure Boot enabled.
