Currently I can't join my company MDM on a Windows 11 guest on my Mac Studio (Apple Silicon). The support and activation of Secure Boot is required. Is there a way to activate Secure Boot? If not, is it on your roadmap? Parallels has it.
@itris666 wrote: Currently I can't join my company MDM on a Windows 11 guest on my Mac Studio (Apple Silicon). The support and activation of Secure Boot is required. Is there a way to activate Secure Boot? If not, is it on your roadmap? Parallels has it.
Fusion 13 has support for UEFI Secure Boot. You did check the documentation, didn't you?
Make sure you have enabled it in the VM. You'll find a prompt to enable it when you first create a Windows 11 ARM VM, and it can be modified in the Advanced settings for an existing VM if you didn't select it at initial VM creation time:
You can also use the following technique, then you are not TPM and Secure Boot dependent.
Use Windows 11 without TPM and have the advantage of cloning and linking.
Sadly it doesn't when run on Apple Silicon. (Sorry for the French, but the Secure Boot options are missing.)
@mark-reijerkerk wrote: You can also use the following technique, then you are not TPM and Secure Boot dependent.
Use Windows 11 without TPM and have the advantage of cloning and linking.
While I appreciate that there's sometimes a need to do this, most folks shouldn't have to resort to this. Fusion 13 has full support for a virtualized TPM device and Secure Boot. Both Windows 11 x64 and ARM install fine without having to hack the registry to disable TPM and Secure Boot. Yes, you don't get linked clones, but most ordinary users won't need to do this.
I'm all for running Windows 11 as Microsoft intended when the virtual hardware supports it.
The screen shot I posted was from a Windows 11 ARM VM running on Fusion 13 Pro on an Apple Silicon Mac.
Are you running Fusion 13 Player or Pro?
It appears you may have the VM running. If you shut it down, do the options re-appear?
On the General screen, what is the guest operating system set to?
Could you post a copy of both the VM's .vmx file and the file vmware.log?
I hear your opinion, but in a lab environment it is a neat way to test software in different configurations but always with the same base (the unsecured VM).
@mark-reijerkerk wrote:
I hear your opinion, but in a lab environment it is a neat way to test software in different configurations but always with the same base (the unsecured VM).
That's all well and good, but the OP is complaining about not being able to get added to his corporate domain... so I'm pretty sure their IT dept would bring the hammer down if circumventing the requirements!
Well, for safety I would not either, but is VM Workstation really meant to offer a secure environment? VMware, imo, did build in the TPM and Secure Boot to solve the issue that VM-Workstation could not run Windows without the solution provided. It is emulating a TPM, it is not the real hardware deal. That makes it already less secure.
Never mind, I think I may have found what's going on.
Fusion 13 Player does not display the firmware type or the option to enable/disable UEFI Secure Boot in the Advanced panel of the VM's Settings. It will prompt for UEFI Secure Boot only when you are creating a new Windows 11 ARM VM.
Fusion 13 Pro does display the firmware type and the option to enable or disable UEFI Secure Boot in the GUI.
This leads to the situation where if you didn't create the VM with Secure Boot enabled, the GUI doesn't have a way to change that.
However, a manual edit to the VM's .vmx file will allow you to enable Secure Boot for an existing VM in Fusion 13 Player if you didn't select it at initial creation time:
uefi.secureBoot.enabled = "TRUE"
Now when you start the VM, Secure Boot should be enabled.
Ah ok, I indeed have a player version.
My .vmx is currently encrypted. I will try to recreate a vm, making sure I check the secure boot option.
No need to create a new one.
You won't be able to edit the .vmx file if Fusion is shut down - it'll be encrypted. The procedure I posted will allow you to edit the file for an existing VM while the Fusion GUI is running and has unlocked the VM, but the VM is not running.
Could you please try the steps under "Check Secure Boot status" on this page in your VM to see if Secure Boot is indeed working:
https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-secure-boot-windows
@itris666 I do have to thank you for asking this question. It's prompting me to include a section in the next version of the unofficial Companion guide warning of this situation. The Companion guide already recommends enabling Secure Boot during Windows 11 ARM VM configuration. Your question highlights a need to document the procedure for a Fusion Player user that didn't completely follow the recommendations. Especially since it's relatively straightforward to recover from.
@Technogeezer You may also add that users can use a USB-to-Ethernet adapter connected to the VM to pass the Windows 22H2 installation, which requires an internet connection before the net driver can actually be installed.
Both of these tests were run under Fusion 13 Player on an M1 Mac mini running macOS 13.3.1:
For a Windows 11 ARM VM that I did not originally enable Secure Boot during initial VM creation, I ran msinfo32 as directed in your linked article:
After applying the procedure to add the Secure Boot parameter to the .vmx file, msinfo32 returns:
Even with VMware Fusion and the VM parameters window open, the vmx is still encrypted. I've deleted the TPM module and am unencrypting the VM.
>> You may also add that users can use a USB-to-Ethernet adapter connected to the VM to pass the Windows 22H2 installation, which requires an internet connection before the net driver can actually be installed.
Actually you don't need to do that.
The Unofficial VMware Fusion for Apple Silicon Companion Guide has a procedure that installs the VMware virtual NIC driver immediately after Windows boots from the virtual hard disk for the first time and before setup looks for it.
I could verify that indeed I got Secure Boot activated in a new VM. I wonder why I didn't check that **bleep** checkbox the first time.
I did forget a step to close any parameters window of the VM before selecting it for editing. I'll fix that above.
If you've followed the procedure above, you will see some parameters in an "unencrypted" vmx file that look like they're encrypted. But the entire VMX file is not encrypted - you'll see most of the "regular" parameters. Add the parameter as instructed and leave the other entries alone.
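
The manual .vmx edit described in this thread (add `uefi.secureBoot.enabled = "TRUE"` and leave the other entries alone), written as an added example that is not part of any post here and is not VMware's code. The function names, the sample file contents and the case-insensitive key matching are assumptions made for illustration.

```python
import re

KEY = "uefi.secureBoot.enabled"  # parameter named in the thread
# Assumed .vmx line shape: key = "value"
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def _is_key(line):
    m = LINE_RE.match(line)
    # Assumption: key names are compared case-insensitively.
    return m is not None and m.group(1).lower() == KEY.lower()

def secure_boot_enabled(vmx_text):
    """True only if KEY is present and every occurrence is TRUE."""
    values = [LINE_RE.match(l).group(2).strip().upper()
              for l in vmx_text.splitlines() if _is_key(l)]
    return bool(values) and all(v == "TRUE" for v in values)

def enable_secure_boot(vmx_text):
    """Set KEY to TRUE once; all other lines are passed through unchanged."""
    out, written = [], False
    for line in vmx_text.splitlines():
        if _is_key(line):
            if not written:
                out.append(f'{KEY} = "TRUE"')
                written = True
            continue  # drop duplicate or stale entries
        out.append(line)
    if not written:
        out.append(f'{KEY} = "TRUE"')
    return "\n".join(out) + "\n"

# Constructed sample, not a real VM's configuration.
SAMPLE_VMX = (
    '.encoding = "UTF-8"\n'
    'displayName = "Win11-ARM-constructed"\n'
    'firmware = "efi"\n'
    'encryption.keySafe = "<opaque value, left untouched>"\n'
    'uefi.secureboot.enabled = "FALSE"\n'
)

if __name__ == "__main__":
    print(enable_secure_boot(SAMPLE_VMX), end="")
```

Apply it to a copy of the file while the VM is powered off, then confirm the result inside the guest with msinfo32 as done earlier in the thread.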
