QEmu CLI - Windows 11

After a clean Linux installation, I installed the ‘qemu-full’ and ‘edk2-ovmf’ packages, and now I try to install Windows 11 in a VM.

I know, that Windows 11 has a TPM requirement, and if you don’t have it, you get a message that your machine doesn’t meet the minimal system requirements, but I’m not quite there yet.

Using the QEMU command, I can boot a VM, and it briefly displayed “Press any key to boot from the CD-ROM …”, but I do so, I’m just dropped to an UEFI Shell, so there must be something wrong with the UEFI configuration in my machine.

Here’s the command I use:

qemu-system-x86_64 \
  -cdrom /home/kevin/ISOs/Win11_24H2_English_x64.iso \
  -boot order=d \
  -drive if=pflash,format=raw,file=/home/kevin/VMs/OVMF.4m.fd \
  -vga qxl \
  -display sdl \
  -smp cpus=4 \
  -m 4G

I tried different methods according to Arch’s Wiki:

• Copy the file OVMF.4m.fd and use that one.
• Copy the file OVMF_VARS.4m.fd and use that one in combination with _CODE file
• …

Files were copied from different locations such as /usr/share/edk2, /usr/share/edk2-omf, … but all these solutions just drops me back to the UEFI shell.

What am I missing here?

You can just use virt-manager to create the vm, just before you click finish select “Customize configuration before install” and the click Finish. There you can change the firmware from “BIOS” to UEFI" or whatever you want from the dropdown list. So no need to manually copy over the file to have uefi boot for a vm.

I want to use the command line, as I’m in a terminal only machine. So, I want to keep my machine clean and lean, so I’m just trying to understand why it’s not working.

I’ll show you want I mean, you can just use the full path for the OVMF file, which is what happens when you use virt-manager.

Screenshot From 2025-04-25 14-25-551275×880 70.5 KB

The problem remains the same. I can’t get to the Windows 11 Installer.

I never said that would solve it, I was just pointing out you don’t need to manually copy the OVMF file. Let me just install a Windows 11 vm and see how it compares to what you have.

I tried with Fedora’s OVMF files too to have secure boot enabled, but even then, I can’t get the installer to launch. I believe I’m just missing some arguments on the command line, however, I’m not able to solve it. As soon as I can see the ISO boot, and launch the installer, I’m fine, but I can’t even get to the installer currently.

Looks like you also need something else.

<os firmware="efi">
    <type arch="x86_64" machine="pc-q35-9.2">hvm</type>
    <firmware>
      <feature enabled="no" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash" format="raw">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
    <nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd" templateFormat="raw" format="raw">/var/lib/libvirt/qemu/nvram/win11_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>

So something like this I think?
-drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd \ -drive if=pflash,format=raw,file=*/copy/of/OVMF_VARS.4m.fd*

Check 4.3 of Qemu Archwiki page?

I tried reading the Archwiki page, but I don’t manage to solve it.
Here’s the command I’m using:

qemu-system-x86_64 \
  -cdrom ~/ISOs/Win11_24H2_English_x64.iso \
  -boot order=d \
  -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd \
  -drive if=pflash,format=raw,file=/home/kevin/VMs/OVMF_VARS.4m.fd \
  -vga qxl \
  -display sdl \
  -smp cpus=4 \
  -m 4G \
  -machine q35

So, this is basically the same as what you suggest, and the machine boots, I get a message from the CD Rom, so the bootloader is executed, “Press any key to boot from …”, and when I do so, the machine just restarts. When I don’t do anything, it drops to an UEFI shell.

I’m really lost. I need Win11, for work, but Arch doesn’t want me to install it. At least not without virt-manager, but I want to really understand the commands, so I prefer to NOT install virt-manager.

I think you need the right combination of those pflash secboot ones.

-drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd
-drive if=pflash,format=raw,file=/usr/share/edk2/x64/OVMF_VARS.4m.fd \

Just haven’t figured out which combination but the first one seems to be correct, not sure about the second one yet, because Windows 11 requires secureboot to be on.

Well, I followed the Arch Wiki to use UEFI with Secure Boot, by downloading the secure boot stuff from Fedora, but I the installer doesn’t look.

This is the command I’m using in the case of secure boot.

qemu-system-x86_64 \
  -cdrom ~/ISOs/Win11_24H2_English_x64.iso \
  -boot order=d \
  -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd \
  -drive if=pflash,format=raw,file=/home/kevin/VMs/OVMF_VARS_4M.secboot.fd \
  -vga qxl \
  -display sdl \
  -smp cpus=4 \
  -m 4G \
  -machine q35

Seem this one is correct.
format="raw">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd

The second one seems to need a copy of “/usr/share/edk2/x64/OVMF_VARS.4m.fd” copied to under “/var/lib/libvirt/qemu/nvram/win11_VARS.fd”

Since you are using a custom path for that second one, also check the permissions of the path.

-rw-r–r-- 1 libvirt-qemu libvirt-qemu 540672 apr 25 15:07 win11_VARS.fd

As far as I understand the Wiki, the second one should be a copy of the one found in Fedora so that’s what I’m using. Anyway, I used the file you mentioned too for testing and it remains the same. No installer. And I give everyone write permissions on that file.

I managed to find it. I was using a virtual CPU, and it seems just that it wasn’t beefy enough. If I use kvm and specify ‘host’ as the CPU type, then we’re fine.

You also still need to create a hard drive image, something like this?

qemu-img create -f raw image_file 4G

-drive file=/home/kevin/VMs/win11.raw,format=raw \

I know, but I left it out of the command just for testing. I doubt that 4G will be enough

Yeah it was just an example.