Tip for Windows 11 on Libvirt/KVM

Getting good performance with Windows 11 Pro running under Libvirt/KVM on Linux requires some special configs, especially if one wants to enable WSL2 (which requires 'Nested virtualization'). This is a brief cheatsheet on the required configuration.

Overview

Getting good performance with Windows 11 Pro running under Libvirt/KVM on Linux requires some special configs, especially if one wants to enable WSL2 (which requires ‘Nested virtualization’). This is a brief cheatsheet on the required configuration.

Win 11 Pro with WSL2 and Hypervisor-based Security Cheatsheet for Libvirt

Assumes recent-ish version of Libvirt (e.g. Debian 12 Bookworm’s version as of 2026-06-19, which is later in the release cycle as the next Debian (Trixie) is now at RC1).

1. In a terminal windows execute ‘sudo virsh capabilities` and make note of the CPU model and toplogy.
2. Start with virt-manager (Virtual Machine Manager) with editing of XML enabled in preferences.
3. Start the wizard for a creating new virtual machine from local install media
4. Select your Windows 11 24H2 x64 ISO and make sure the OS is detected as ‘Microsoft Windows 11’.
5. Choose your RAM and number of CPU cores to assign to the virtual machine
6. Choose your storage
7. Check ‘Customize configuration before install’
8. Choose your network.
9. Click ‘Finish’
10. Ensure firmware is selected as ‘UEFI’
11. Under CPUs ensure Copy host CPU configuration (host-passthrough) is unchecked and model is the model that your were shown by virsh capabilities, and make sure you ‘Apply’ changes.
12. _{Choose the sound card as ICH6 not ICH9! (see https://github.com/virtio-win/virtio-win-pkg-scripts/issues/105)}
13. Add the virtio-win ISO as an additional CD-ROM.
14. Edit the XML.

    1. Inside the <os firmware='efi'>…</os> tags, add:

       <firmware>
         <feature enabled="yes" name="enrolled-keys"/>
         <feature enabled="yes" name="secure-boot"/>
       </firmware>

    2. Inside the <features>…</features> tags, add:

       <vmport state="off"/>
       <smm state="on"/>

    3. Edit the <cpu mode=… match="exact">…</cpu> section to be (modifying topology appropriately for your CPU and the number of logical cores you wish to assign. The example below will use 4 virtual cores with 2 threads each for 8 virtual logical cores):

       <cpu mode="custom" match="exact" check="partial">
          <model>your_cpu_model</model>
          <topology sockets="1" dies="1" cores="4" threads="2"/>
          <feature policy="require" name="vmx"/>
          <feature policy="disable" name="hypervisor"/>
          <feature policy="disable" name="mpx"/>
       </cpu>

    4. Apply your changes.

15. Boot the VM and install Windows, using the usual procedure for adding the virtio drivers needed to complete the install.
16. Once in Windows execute msinfo32.exe and confirm secure boot and virtualization-based security are operational.
17. Install WSL2 and verify it works.
18. Done!

References

Information was gleaned from the following sources, as well as the libvirt documentation, and testing.

• https://pve.proxmox.com/wiki/Nested_Virtualization#Troubleshooting
• https://wiki.archlinux.org/title/Libvirt
• https://forums.unraid.net/topic/131838-windows-11-virtual-machine-platform-wsl2-boot-loop/
• https://bugzilla.redhat.com/show_bug.cgi?id=1744045
• https://stackoverflow.com/questions/62274613/run-wsl2-in-windows-10-guest-vm-running-on-a-linux-host
• https://forums.unraid.net/topic/139187-vt-x-nested-virtualisation-612/

See also:

• https://github.com/virtio-win/virtio-win-pkg-scripts/issues/105