Secure Boot Support for Windows 11

  • Testers

    I realize this was only just announced today, but windows 11 is coming as early as this year and it now (allegedly) requires secure boot and tpm to be enabled to be installed (see also

    There’s been past discussion about getting secure boot supported for fog, but it looks like the time soon comes where we have to do it (which seems to be a theme with a lot of things in tech recently and in the coming year)

    So I just wanted to open up a new thread to get the discussion going to see what needs to be done.

  • @jj-fullmer said in Secure Boot Support for Windows 11:
    “As long as your CPU supports TPM 1.2 you can do a clean install of windows 11, you just can’t in-place upgrade (without a registry change).”

    Is it possible to share the registry change? Unless something even better has changed, I am thinking of in-place windows 10 21H2 to 11 in a dual-boot ubuntu environment. I figure this would stop me from having to reinstall Ubuntu (or grub repair).

  • Testers

    @jj-fullmer I haven’t done a full thorough fog windows 11 test. But it seems that some of the cpu and bios security “requirements” aren’t hard requirements. As long as your cpu supports TPM 1.2 you can do a clean install of windows 11, you just can’t in place upgrade (without a registry change).

    I am also posting this on a computer with windows 11 on it, with an i7-6700. I didn’t use fog, and secure boot got enabled by the windows 11 installer (it might have already been enabled, I didn’t double check sadly). However I just disabled secure boot and could still boot.

    So the concerns about a secure boot requirement may be unfounded. This is my home computer and I don’t have a fog server at home, but I’ll come back here once I get a chance to test creating and deploying a windows 11 image to see if there are any issues with secure boot. If anyone wants to test this out @testers before I get some time, you can download a windows 11 iso here

  • I’ve just tried an Insider build from the Dev channel, Secure Boot was not required - though is supported by this hardware (Intel NUC). MS are saying that the requirement is actually a TPM - they’re saying ‘Secure Boot Capable’ because that’s more consumer-friendly than talking about TPMs.

    The image type in FOG can be set to Windows 10, and I was able to capture and deploy

  • I installed the leaked dev version 21996/21996.1 on bare metal and in a VM. Secure Boot didn’t have to be enabled . UEFI and TPM (which requires CSM to be disabled) had to be. Secure Boot - the option only had to be present.

    After more testing. I found I could install it in a VM as Legacy. I guess MS laxed on the VM requirements?

    I also found on metal, I could disable TPM and enable CSM which should make secure boot completely unavailable. Then I deploy a sysprep-ed Win 11OOBE UEFI image on it without any problems.

    I will try pure legacy on metal next…

    This was with that leaked dev build so who knows if it was modified or what not and how close it is to the actual dev build release or the final release.

  • Testers

    According to the official page from microsoft it just says “secure boot capable” I guess we’ll just have to wait till it’s released to insiders to get some real world information.