chore: Added video to article Windows 11 on KVM

This commit also breaks most paragraphs to 80 chars length.
Cristian Ditaputratama 2024-09-14 00:27:44 +07:00
parent f83b171781
commit 096b0d2943
Signed by: ditatompel
GPG key ID: 31D3D06D77950979
2 changed files with 164 additions and 48 deletions


@ -23,71 +23,134 @@ authors:
- ditatompel
---
**Microsoft** memperketat keamanan dari **Windows 11** dengan menambahkan [**TPM**](https://support.microsoft.com/en-us/topic/what-is-tpm-705f241d-025d-4470-80c5-4feeb24fa1ee) dan [**Secure-Boot**](https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad) sebagai kebutuhan minimal yang harus dipenuhi agar kita dapat menginstall Windows 11 baik itu _bare-metal_ ataupun melalui virtualisasi.
**Microsoft** memperketat keamanan dari **Windows 11** dengan menambahkan
[**TPM**][win_tpm] dan [**Secure-Boot**][win_secure_boot] sebagai kebutuhan
minimal yang harus dipenuhi agar kita dapat menginstall Windows 11 baik itu
_bare-metal_ ataupun melalui virtualisasi.
Artikel ini membahas bagaimana mengaktifkan **TPM** dan **Secure-Boot** untuk Windows 11 di **QEMU** _virtual machine_ (VM).
Artikel ini membahas bagaimana mengaktifkan **TPM** dan **Secure-Boot** untuk
Windows 11 di **QEMU** _virtual machine_ (VM).
## Prerequisites / Prasyarat
Sebelum memulai dan melangkah lebih jauh, Anda perlu memenuhi persyaratan berikut untuk dapat mengikuti langkah-langkah dari artikel ini:
Sebelum memulai dan melangkah lebih jauh, Anda perlu memenuhi persyaratan
berikut untuk dapat mengikuti langkah-langkah dari artikel ini:
- Memiliki ISO Windows 10. Anda dapat mengunduh [ISO Windows 11 _official_](https://www.microsoft.com/en-gb/software-download/windows11) dari situs resmi milik Microsoft.
- Memiliki dan mengunduh [_virtio driver_ untuk Windows 11](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso) yang nantinya digunakan untuk menginstall driver pada _guest machine_ (seperti **Ethernet controller**).
- _Host_ yang sudah dikonfigurasi dan dapat menjalankan KVM dengan baik sebelumnya, termasuk program GUI `virt-manager` (**Virtual Machine Manager**).
- Memiliki ISO Windows 10. Anda dapat mengunduh
[ISO Windows 11 _official_][win11_dl] dari situs resmi milik Microsoft.
- Memiliki dan mengunduh [_virtio driver_ untuk Windows 11][virtio_win_iso]
yang nantinya digunakan untuk menginstall driver pada _guest machine_
(seperti **Ethernet controller**).
- _Host_ yang sudah dikonfigurasi dan dapat
[menjalankan KVM]({{< ref "/tutorials/how-to-install-virt-manager-on-arch-linux" >}})
dengan baik sebelumnya, termasuk program GUI `virt-manager`
(**Virtual Machine Manager**).
Di artikel ini, _KVM host_ saya menggunakan Arch Linux (BTW :joy:), namun langkah-langkah yang diperlukan agar dapat menjalankan Windows 11 menggunakan KVM sebenarnya tidak jauh beda dengan _distro_ Linux lainnya.
Di artikel ini, _KVM host_ saya menggunakan Arch Linux (BTW :joy:), namun
langkah-langkah yang diperlukan agar dapat menjalankan Windows 11 menggunakan
KVM sebenarnya tidak jauh beda dengan _distro_ Linux lainnya.
{{< youtube ik31RsNqMcw >}}
## Install TPM pada Host KVM
Kita perlu menginstall software [swtpm](https://github.com/stefanberger/swtpm) di KVM host supaya KVM host dapat melakukan simulasi TPM.
Kita perlu menginstall software [swtpm][swtpm_gh] di KVM host supaya KVM host
dapat melakukan simulasi TPM.
Karena `swtpm` sudah tersedia di **Arch Linux Community package**, proses installasi cukup dengan menjalankan perintah `pacman -S swtpm`. Jika Anda mengunakan distro lain, carilah informasi cara menginstall `swtpm` di halaman dokumentasi dari distro favorit Anda.
Karena `swtpm` sudah tersedia di **Arch Linux Community package**, proses
installasi cukup dengan menjalankan perintah `pacman -S swtpm`. Jika Anda
mengunakan distro lain, carilah informasi cara menginstall `swtpm` di halaman
dokumentasi dari distro favorit Anda.
Sebagai contoh, jika KVM host Anda menggunakan **Ubuntu**, Anda perlu menambahkan PPA milik [Stefan Berger's PPA repository](https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm) sebelum melakukan installasi mengunakan `apt install swtpm-tools`.
Sebagai contoh, jika KVM host Anda menggunakan **Ubuntu**, Anda perlu
menambahkan PPA milik [Stefan Berger's PPA repository][swtpm_ppa] sebelum
melakukan installasi mengunakan `apt install swtpm-tools`.
Untuk mengecek apakah _swtpm_ sudah berhasil diinstall dan melihat versi yang digunakan, cukup jalankan perintah `swtpm --version`:
Untuk mengecek apakah _swtpm_ sudah berhasil diinstall dan melihat versi yang
digunakan, cukup jalankan perintah `swtpm --version`:
```
```plain
TPM emulator version 0.7.3, Copyright (c) 2014-2021 IBM Corp
```
## Buat Windows 11 di KVM menggunakan _virt-manager_
Buatlah VM baru untuk Windows 11 dari aplikasi / program GUI `virt-manager`, pada bagian **CDROM**, gunakan **Windows 11 ISO** yang sudah didownload dari situs resminya, tentukan alokasi CPU, RAM dan kapasitas penyimpanan sesuai kebutuhan dan kemampuan KVM host Anda. Dan pada bagian akhir _wizard configuration_, centang, tick **_"Costumize configuration before install"_**.
Buatlah VM baru untuk Windows 11 dari aplikasi / program GUI `virt-manager`,
pada bagian **CDROM**, gunakan **Windows 11 ISO** yang sudah didownload dari
situs resminya, tentukan alokasi CPU, RAM dan kapasitas penyimpanan sesuai
kebutuhan dan kemampuan KVM host Anda. Dan pada bagian akhir
_wizard configuration_, centang **_"Costumize configuration before install"_**.
## Konfigurasi virtualiasi hardware Windows 11
Supaya Windows 11 dapat berjalan dengan mulus di KVM, kita perlu membuat beberapa perubahan konfigurasi hardware dari _virt-manager_.
Supaya Windows 11 dapat berjalan dengan mulus di KVM, kita perlu membuat
beberapa perubahan konfigurasi hardware dari _virt-manager_.
- Klik pada bagian **Overview**, ubah opsi **Firmware** ke `UEFI x86_64: /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd` (atau setidaknya pilih _firmware_ yang mengandung kata **UEFI OVMF_CODE** atau **secboot**).
- Klik pada menu **Add Hardware** dan tambahkan `TPM`. Pastikan opsi `Type` adalah `Emulated`, kemudian ubah opsi `Model` dari `CRB` menjadi `TIS`, dan opsi `Version` menjadi `2.0`.
- Klik pada bagian **Overview**, ubah opsi **Firmware** ke
`UEFI x86_64: /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd` (atau
pilih _firmware_ yang mengandung kata **UEFI OVMF_CODE** atau **secboot**).
- Klik pada menu **Add Hardware** dan tambahkan `TPM`. Pastikan opsi `Type`
adalah `Emulated`, kemudian ubah opsi `Model` dari `CRB` menjadi `TIS`,
dan opsi `Version` menjadi `2.0`.
![Menu konfigurasi virt-manager](kvm-win11-01-tpm.jpg#center "Menu konfigurasi virt-manager")
- Klik pada bagian **Network interface** dan ubah **Device model** dari `e1000e` menjadi `virtio`.
- Klik pada bagian **Network interface** dan ubah **Device model** dari
`e1000e` menjadi `virtio`.
## Install Windows 11
Jalankan VM dan ikuti proses installasi Windows 11 hingga proses _initial Windows setup_. Pada tahap _initial Windows setup_, Anda akan mendapati bahwa VM Windows Anda tidak dapat terhubung ke internet.
Jalankan VM dan ikuti proses installasi Windows 11 hingga proses
_initial Windows setup_. Pada tahap _initial Windows setup_, Anda akan
mendapati bahwa VM Windows Anda tidak dapat terhubung ke internet.
Hal ini diebabkan karena Windows 11 belum dapat mendeteksi *Network Interface*nya. Sementara, abaikan dulu masalah tersebut karena kita bisa memperbaikinya nanti.
Hal ini diebabkan karena Windows 11 belum dapat mendeteksi
*Network Interface*nya. Sementara, abaikan dulu masalah tersebut karena kita
bisa memperbaikinya nanti.
![Windows 11 install no internet connection](kvm-win11-02-no-network-iface.png#center "Windows 11 install no internet connection")
Klik **_"I don't have internet"_** kemudian **_"Continue with limited setup"_** dan selesaikan _initial setup_ hingga kita berhasil login masuk ke Desktop.
Klik **_"I don't have internet"_** kemudian **_"Continue with limited setup"_**
dan selesaikan _initial setup_ hingga kita berhasil login masuk ke Desktop.
> **Catatan**: Di versi Windows terbaru (yang terakhir saya coba di iso `Win11_23H2_English_x64v2.iso`), tombol **_"I don't have internet"_** tidak tampil.
> **Catatan**: Di versi Windows terbaru (yang terakhir saya coba di iso
> `Win11_23H2_English_x64v2.iso`), tombol **_"I don't have internet"_** tidak tampil.
>
> ![BypassNRO.cmd](kvm-win11-oobe-bypassnro.jpg#center "BypassNRO.cmd")
>
> Untuk menampilkannya, tekan tombol <kbd>SHIFT</kbd> + <kbd>F10</kbd>. untuk menampilkan _command prompt_ dan Ketikan `OOBE\BypassNRO.cmd` lalu tekan <kbd>ENTER</kbd>. Setelah itu komputer akan restart dan tombol **_"I don't have internet"_** akan muncul.
> Untuk menampilkannya, tekan tombol <kbd>SHIFT</kbd> + <kbd>F10</kbd>. Untuk
> menampilkan _command prompt_ dan Ketikan `OOBE\BypassNRO.cmd` lalu tekan
> <kbd>ENTER</kbd>. Setelah itu komputer akan restart dan tombol
> **_"I don't have internet"_** akan muncul.
## Install _virtio driver_ pada VM Windows 11
Setelah proses installasi selesai, matikan dulu VM Windows 11 supaya kita bisa memperbaiki permasalahan pada **_Ethernet Driver_**nya. Kemudian kembali ke konfigurasi VM di `virt-manager`, pilih **SATA CDROM 1**, dan ubah `Source path` dari yang semula adalah **ISO Windows 11** menjadi lokasi tempat **Windows 11 virtio drivers** dengan mengeklik tombol **Browse** dan pilih [Windows 11 virtio drivers](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso) yang sudah Anda download dan simpan di KVM host Anda.
Setelah proses installasi selesai, matikan dulu VM Windows 11 supaya kita bisa
memperbaiki permasalahan pada **_Ethernet Driver_**nya. Kemudian kembali ke
konfigurasi VM di `virt-manager`, pilih **SATA CDROM 1**, dan ubah
`Source path` dari yang semula adalah **ISO Windows 11** menjadi lokasi
tempat **Windows 11 virtio drivers** dengan mengeklik tombol **Browse** dan
pilih [Windows 11 virtio drivers][virtio_win_iso] yang sudah Anda download dan
simpan di KVM host Anda.
Sekarang, nyalakan kembali VM Windows 11. Setelah berhasil login ke Desktop,
klik pada **icon Search dari task bar**, dan masukkan kata kunci
**"Device Manager"**. Anda akan menemukan program dengan nama
**"Device Manager"**, jalankan program tersebut.
Sekarang, nyalakan kembali VM Windows 11. Setelah berhasil login ke Desktop, klik pada **icon Search dari task bar**, dan masukkan kata kunci **"Device Manager"**. Anda akan menemukan program dengan nama **"Device Manager"**, jalankan program tersebut.
![Menu pilihan virtio drivers ISO](kvm-win11-03-virtio-driver.jpg#center "Menu pilihan virtio drivers ISO")
Di program **"Device Manager"**, klik kanan pada **Ethernet adapter** dan pilih **update driver**. Pilih menu **"Browse my computer for drivers"** kemudian pilih **Windows 11 virtio drivers ISO** dari **CDROM**, centang **"Include subfolders"**, klik tombol **"Next"** dan setelah itu seharunya _driver ethernet adapter_ sudah berhasil diinstall. Cek koneksi internet di VM Windows 11 Anda, seharusnya Anda sudah terhubung ke internet dari VM Windows Anda.
Di program **"Device Manager"**, klik kanan pada **Ethernet adapter** dan pilih
**update driver**. Pilih menu **"Browse my computer for drivers"** kemudian
pilih **Windows 11 virtio drivers ISO** dari **CDROM**, centang
**"Include subfolders"**, klik tombol **"Next"** dan setelah itu seharunya
_driver ethernet adapter_ sudah berhasil diinstall. Cek koneksi internet di VM
Windows 11 Anda, seharusnya Anda sudah terhubung ke internet dari VM Windows
Anda.
[win_tpm]: https://support.microsoft.com/en-us/topic/what-is-tpm-705f241d-025d-4470-80c5-4feeb24fa1ee "Apa itu TPM?"
[win_secure_boot]: https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad "Windows 11 dan Secure Boot"
[win11_dl]: https://www.microsoft.com/en-gb/software-download/windows11 "Download Windows 11"
[virtio_win_iso]: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso "Windows 11 virtio driver"
[swtpm_gh]: https://github.com/stefanberger/swtpm "swtpm GitHub repository"
[swtpm_ppa]: https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm "swtpm PPA repository"
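Review bot: the first prerequisite still reads "Memiliki ISO Windows 10" in the reflowed line, while its link and the rest of the article are about Windows 11; change it to "Memiliki ISO Windows 11" in this pass. In the Catatan block, capitalising "Untuk" after `<kbd>F10</kbd>.` splits one instruction into two fragments; dropping the stray period so it reads "tekan SHIFT + F10 untuk menampilkan command prompt" keeps it as a single step. The firmware bullet also loses "setidaknya", which is a wording change rather than the reflow the commit message describes.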


@ -23,23 +23,42 @@ authors:
- ditatompel
---
Microsoft tightened the security of **Windows 11** by adding [TPM](https://support.microsoft.com/en-us/topic/what-is-tpm-705f241d-025d-4470-80c5-4feeb24fa1ee) and [Secure-Boot](https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad) as the minimum requirement to install it. This article show how to **enable TPM on KVM host** and **enable Secure-Boot for Windows 11 VM**.
Microsoft tightened the security of **Windows 11** by adding [TPM][win_tpm]
and [Secure-Boot][win_secure_boot] as the minimum requirement to install it.
This article show how to **enable TPM on KVM host** and
**enable Secure-Boot for Windows 11 VM**.
Before starting and going any further, you need to fulfill the following requirements to follow this article:
Before starting and going any further, you need to fulfill the following
requirements to follow this article:
- Have the official Windows 11 ISO. You can [download the official Windows 11 ISO from Microsoft website](https://www.microsoft.com/en-gb/software-download/windows11).
- [Download Windows 11 virtio drivers](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso) to install required driver on guest machine such as Ethernet controller.
- Configured and running KVM environment including `virt-manager` (**Virtual Machine Manager** GUI) on your host machine.
- Have the official Windows 11 ISO. You can
[download the official Windows 11 ISO from Microsoft website][win11_dl].
- [Download Windows 11 virtio drivers][virtio_win_iso] to install required
driver on guest machine such as Ethernet controller.
- Configured and
[running KVM environment]({{< ref "/tutorials/how-to-install-virt-manager-on-arch-linux" >}})
including `virt-manager` (**Virtual Machine Manager** GUI) on your host
machine.
My KVM host running on Arch (BTW); however, the steps mentioned here are identical for other Linux distributions as well.
My KVM host running on Arch (BTW); however, the steps mentioned here are
identical for other Linux distributions as well.
{{< youtube ik31RsNqMcw >}}
## Install TPM on Linux KVM Host
To emulate TPM, we need to install a software called [swtpm](https://github.com/stefanberger/swtpm), a Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.
To emulate TPM, we need to install a software called [swtpm][swtpm_gh],
a Libtpms-based TPM emulator with socket, character device, and Linux CUSE
interface.
Since `swtpm` already available from _Arch Community package repository_, we can simply install it using `pacman -S swtpm`. If you are using another _distro_, look for information on how to install `swtpm` on your favorite `distro's` documentation page.
Since `swtpm` already available from _Arch Community package repository_, we
can simply install it using `pacman -S swtpm`. If you are using another
_distro_, look for information on how to install `swtpm` on your favorite
distro's documentation page.
For example, if you running KVM Host on **Ubuntu**, you need to add [Stefan Berger's PPA repository](https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm) to your machine before doing `apt install swtpm-tools`.
For example, if you running KVM Host on **Ubuntu**, you need to add
[Stefan Berger's PPA repository][swtpm_ppa] to your machine before doing
`apt install swtpm-tools`.
To check your installed `swtpm` version, simply run `swtpm --version` command:
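Review bot: the reflowed paragraph beginning "Since `swtpm` already available from _Arch Community package repository_" still points readers at the community repository, which Arch merged into extra in 2023, before this commit's date; "the official Arch repositories" would stay accurate. While these lines are being touched, "This article show" and "if you running" can be corrected to "shows" and "if you are running".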
@ -49,39 +68,73 @@ TPM emulator version 0.7.3, Copyright (c) 2014-2021 IBM Corp
## Create Windows 11 VM
Create a new VM for Windows 11 from `virt-manager`, attach **Windows 11 ISO image** to your Windows 11 VM, configure your desired CPU, RAM and storage capacity for your Windows 11 VM, and at the end of the wizard, tick **"Costumize configuration before install"** checkbox.
Create a new VM for Windows 11 from `virt-manager`, attach
**Windows 11 ISO image** to your Windows 11 VM, configure your desired CPU,
RAM and storage capacity for your Windows 11 VM, and at the end of the wizard,
tick **"Costumize configuration before install"** checkbox.
## Configure Windows 11 VM Hardware
In order for Windows 11 work smoothly on KVM, we need to make some changes on its virtual hardware.
In order for Windows 11 work smoothly on KVM, we need to make some changes on
its virtual hardware.
- Click the Overview section, change firmware to something similar to `UEFI x86_64: /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd`.
- Click **Add Hardware** and add `TPM`. Keep the `Type` option as `Emulated`, change `Model` option from `CRB` to `TIS`, and `Version` option to `2.0`.
- Click the Overview section, change firmware to something similar to
`UEFI x86_64: /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd`.
- Click **Add Hardware** and add `TPM`. Keep the `Type` option as `Emulated`,
change `Model` option from `CRB` to `TIS`, and `Version` option to `2.0`.
![KVM Windows 11 TPM](kvm-win11-01-tpm.jpg#center)
- Click **Network interface** section and change Device model from `e1000e` to `virtio`.
- Click **Network interface** section and change Device model from
`e1000e` to `virtio`.
## Install Windows 11
Boot up the VM and follow Windows 11 _installation wizard_ and _initial setup wizard_. During the initial setup wizard, you'll notice you can't connect to the network because Windows didn't detect any network interface. For now, we can skip the problem for now, and fix the network issue latter.
Boot up the VM and follow Windows 11 _installation wizard_ and
_initial setup wizard_. During the initial setup wizard, you'll notice you
can't connect to the network because Windows didn't detect any network
interface. For now, we can skip the problem for now, and fix the network
issue latter.
Click **"I don't have internet"** and **"Continue with limited setup"**.
![KVM Windows 11 No Network](kvm-win11-02-no-network-iface.png#center)
> Note: In the latest version of Windows (the last one I tried in the `Win11_23H2_English_x64v2.iso`), the **"I don't have internet"** button does not appear.
> Note: In the latest version of Windows (the last one I tried in the
> `Win11_23H2_English_x64v2.iso`), the **"I don't have internet"** button does
> not appear.
> ![BypassNRO.cmd](kvm-win11-oobe-bypassnro.jpg#center "BypassNRO.cmd")
> To display it, press <kbd>SHIFT</kbd> + <kbd>F10</kbd> type `OOBE\BypassNRO.cmd` then press <kbd>ENTER</kbd>. After that the computer will restart and the **"I don't have internet"** button will appear.
> To display it, press <kbd>SHIFT</kbd> + <kbd>F10</kbd> type
> `OOBE\BypassNRO.cmd` then press <kbd>ENTER</kbd>. After that the computer
> will restart and the **"I don't have internet"** button will appear.
Continue initial setup wizard by create a **local account**, set **3 security questions** and **"privacy" settings** stuff. Wait for a few minutes until you boot into Windows desktop successfully.
Continue initial setup wizard by create a **local account**, set
**3 security questions** and **"privacy" settings** stuff. Wait for a few
minutes until you boot into Windows desktop successfully.
Until this step, your Windows 11 VM is successfully installed. Now, you need to poweroff the VM to fix network driver problem.
Until this step, your Windows 11 VM is successfully installed. Now, you need
to poweroff the VM to fix network driver problem.
## Install virtio driver on Windows 11 VM
Go to **SATA CDROM 1** section, and change `Source path` from where your Windows 11 VM ISO is located to where **Windows 11 virtio drivers** by simply click Browse button and choose [downloaded Windows 11 virtio drivers](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso) on your local machine.
Go to **SATA CDROM 1** section, and change `Source path` from where your
Windows 11 VM ISO is located to where **Windows 11 virtio drivers** by simply
click Browse button and choose
[downloaded Windows 11 virtio drivers][virtio_win_iso] on your local machine.
Now, boot up the Windows 11 VM again. After logged in to desktop, click **Search Icon from task bar**, search for **"Device Manager"** and run **"Device Manager"** program.
Now, boot up the Windows 11 VM again. After logged in to desktop, click
**Search Icon from task bar**, search for **"Device Manager"** and run
**"Device Manager"** program.
![Windows 11 Virtio Driver](kvm-win11-03-virtio-driver.jpg#center)
On "_Device Manager_" program, right click _Ethernet adapter_ and choose to _update driver_. Choose **"Browse my computer for drivers"** => pick the **Windows 11 virtio drivers ISO from CDROM**, tick **"Include subfolders"** checkbox, click the **"Next"** button and you should see the ethernet adapter driver is successfully installed.
On "_Device Manager_" program, right click _Ethernet adapter_ and choose to
_update driver_. Choose **"Browse my computer for drivers"** => pick the
**Windows 11 virtio drivers ISO from CDROM**, tick **"Include subfolders"**
checkbox, click the **"Next"** button and you should see the ethernet adapter
driver is successfully installed.
[win_tpm]: https://support.microsoft.com/en-us/topic/what-is-tpm-705f241d-025d-4470-80c5-4feeb24fa1ee "What is TPM?"
[win_secure_boot]: https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad "Windows 11 and Secure Boot"
[win11_dl]: https://www.microsoft.com/en-gb/software-download/windows11 "Download Windows 11"
[virtio_win_iso]: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso "Windows 11 virtio drivers"
[swtpm_gh]: https://github.com/stefanberger/swtpm "swtpm GitHub repository"
[swtpm_ppa]: https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm "swtpm PPA repository"
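Review bot: the hardware list under "Configure Windows 11 VM Hardware" gives no way to confirm that the guest actually sees a TPM 2.0 device and has Secure Boot enabled, which is the stated purpose of the article; add a closing step after installation, for example running `tpm.msc` and `Confirm-SecureBootUEFI` inside the guest. The checkbox label is spelled "Costumize" where virt-manager shows "Customize configuration before install", and "For now, we can skip the problem for now, and fix the network issue latter" repeats "for now" and should end in "later".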