How to run Windows 11 in GNOME Boxes (with UEFI and TPM2 emulation)

Windows 11 significantly raised its hardware requirements compared to Windows 10. Among the changes, it requires more RAM and storage space. It also requires a Trusted Platform Module (TPM) version 2.0 and a UEFI boot environment.

GNOME Boxes doesn’t yet support TPM and UEFI environments. However, the underlying virtualization technology supports both. You just need to tweak a few configuration options along the way. Read the instructions carefully!

Install GNOME Boxes and its prerequisites

Start by installing GNOME Boxes from your Linux distribution’s package repository. You cannot use the Flatpak/Flathub version as it doesn’t currently support emulating a TPM. The package is called gnome-boxes everywhere. You need version 40 or newer!

Install the TianoCore Open Virtual Machine Firmware (OVMF) from your package repository. This will let your VM boot as a modern secure boot-enabled UEFI system instead of a legacy BIOS system. The package is called edk2-ovmf in Fedora Linux 34 and ovmf in Ubuntu 22.

Install the software TPM emulator (swtpm) from your package repository. The package is called swtpm-tools in both Fedora Linux 34 and Ubuntu 22 (it’s found in the Universe repository). As your normal user (not root), run the swtpm setup command in a terminal:

swtpm_setup --create-config-files skip-if-exist

Installing Windows 11 in GNOME Boxes

Start GNOME Boxes and click on the New button (top left) to create a new VM. The dialog can look a bit overwhelming, but it’s only asking you for one thing: an installation disk image file (“ISO”).

Select the Windows 11 ISO file you’ve downloaded from Microsoft. Do not trust ISO files from sources other than the official website of the software vendor. GNOME Boxes will list it at the top of the dialog (likely misidentified as Windows 10) if it’s stored in your Downloads folder. You can also use the select disk image option at the bottom of the dialog.

Do not accept the Express Installation option. Express installs are only available for some operating systems (OS) and don’t yet work with Windows 11. This option is shown because current versions of Boxes misidentify Windows 11 as Windows 10. Instead, click on the Next button in the top right corner.

On the next screen, assign the Windows guest system at least 8 GB of RAM and 124 GB of disk space. The virtual hard disk image won’t consume all that space right away, but grows dynamically as it gets used.

Click the Create button and wait. The Windows installer should boot up inside the VM and prompt you to select your preferred language and locale. Do not proceed with the installation! The VM is running in legacy BIOS mode and without a TPM. We need to correct that before proceeding.

At this point, you’ll need to make a few manual changes to the VM configuration before we jump back into the Windows Installer. Make sure to follow the instructions carefully.

Right-click on the VM and select Properties. Go to the Advanced tab and click on the Edit Config button (it may be called Edit XML in older versions). Scroll down to the line that says <devices>. Scan the lines until it says </devices> for any mentions of a TPM. Skip this step if you find any. To enable the TPM emulator, insert a blank line after <devices> and paste the following snippet:

<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
</tpm>

Scroll down to the line that says <os>. Verify that the type element matches the below (the numbers in the machine attribute may differ). If it doesn’t match then you probably haven’t enabled virtualization in your BIOS. Fix that first, delete the VM, and try again.

<type arch="x86_64" machine="pc-q35-6.1">hvm</type>

Locate the newly installed OVMF secure boot firmware image file on your system. The file is called OVMF_CODE.secboot.fd, but the installation path is different between Linux distributions. It’s located in /usr/share/edk2/ovmf/ in Fedora Linux 34 and in /usr/share/OVMF/ in Ubuntu 22.

Scan the lines until it says </os> for any mentions of a loader. Skip this step if you find any. Insert a blank line after the type element, and paste the following (supply the correct full path from the previous step):

<loader readonly="yes" type="pflash">/PATH-HERE/OVMF_CODE.secboot.fd</loader>

Click the Apply button to save the changes.

Quit and restart GNOME Boxes again.

Double-click on the VM in Boxes to start it and resume the installation. Complete the Windows 11 installation by following the prompts.
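The manual edits above can also be expressed as an idempotent check-and-patch over the VM's configuration XML, which makes it easy to confirm that the TPM and secure boot loader are in place before resuming the installer. This is an added example, not part of the original article or of GNOME Boxes; the function name ensure_uefi_tpm and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed VM definition as it might look before the
# manual edits (legacy BIOS, no TPM). Not copied from a real VM.
SAMPLE_XML = """<domain type="kvm">
  <name>win11</name>
  <os>
    <type arch="x86_64" machine="pc-q35-6.1">hvm</type>
    <boot dev="cdrom"/>
  </os>
  <devices>
    <disk type="file" device="disk"/>
  </devices>
</domain>"""


def ensure_uefi_tpm(xml_text, loader_path):
    """Return (patched_xml, changes); elements already present are kept."""
    root = ET.fromstring(xml_text)
    os_el, devices = root.find("os"), root.find("devices")
    if os_el is None or devices is None:
        raise ValueError("missing <os> or <devices> section")
    type_el = os_el.find("type")
    # The article's check: x86_64, a pc-q35-* machine (numbers may differ), hvm.
    if (type_el is None or type_el.get("arch") != "x86_64"
            or not type_el.get("machine", "").startswith("pc-q35-")
            or (type_el.text or "").strip() != "hvm"):
        raise ValueError("<type> does not match the expected q35/hvm machine")
    changes = []
    if devices.find("tpm") is None:  # "Skip this step if you find any"
        tpm = ET.Element("tpm", {"model": "tpm-crb"})
        ET.SubElement(tpm, "backend", {"type": "emulator", "version": "2.0"})
        devices.insert(0, tpm)  # directly after <devices>
        changes.append("tpm")
    if os_el.find("loader") is None:
        loader = ET.Element("loader", {"readonly": "yes", "type": "pflash"})
        loader.text = loader_path
        os_el.insert(list(os_el).index(type_el) + 1, loader)  # after <type>
        changes.append("loader")
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    # Directory as given for Fedora Linux 34 above; adjust for your distribution.
    patched, changed = ensure_uefi_tpm(
        SAMPLE_XML, "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd")
    print(changed)
    print(patched)
```

Running it a second time on its own output reports no changes, which mirrors the "skip this step if you find any" rule in the instructions.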

Post-installation

Once you’ve installed Windows 11, you can just use it as-is in GNOME Boxes. However, you’ll be stuck with low performance, 800×600 px screen resolution, and no clipboard integration. Let’s get those sorted out in order.

You can increase the performance of most I/O operations by installing the VirtIO guest agent and driver set. Inside the VM, download and install VirtIO guest addons (look for virtio-win-gt-x64.msi). Restart the VM afterward.

You have two options for higher screen resolutions and clipboard integration. You can either continue to use GNOME Boxes or switch to GNOME Connections. Connections is a version of Boxes that focuses on accessing remote desktops instead of VMs. The two apps look and feel very similar.

You can use Connections to connect to the VM using the Remote Desktop Protocol (RDP). This is the most performant and reliable option. However, it requires a license for Windows 11 Professional or Enterprise. Windows 11 Home doesn’t include the required RDP server component.

You can enable the RDP server from the Windows Settings app: System: Remote Desktop: Remote Desktop. After enabling a network service, take a moment to double-check your network firewalls and make sure that you have a strong and unique password. You may have exposed the service on the public internet. Note that networking into the VM also requires more configuration and is out of scope for this article.

Your other option is to keep using GNOME Boxes with a graphics driver optimized for use within VMs, and optionally the SPICE guest agent. To enable greater screen resolutions, you need to download and install the newest version of the QXL-WDDM-DoD driver (look for the newest date, then QxlWddmDod_x64.msi). The download link may lead to a page that looks like gobbledygook. If this happens: Go back, right-click, and select Save As. The QXL-WDDM-DoD driver works in Windows 11 but doesn’t officially support the OS.

Optionally, you can enable auto-resizing/adaptive screen resizing and clipboard integration by downloading and installing the SPICE guest agent (look for the newest date, then spice-vdagent-x64.msi). Restart the VM afterward.

Known issues

The SPICE display server can sometimes stop working under heavy processor loads. You need to restart the VM to get it back up and running. This isn’t an issue when using RDP.

Online snapshots don’t work with UEFI-based systems. You need to power off the VM before you can create a snapshot.