Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

(...)
Yes, but existing VMs need to be actively updated; affected VMs will output a visible warning in the VM start worker task log with the respective instructions (they are basically the same as needed on PVE 9).
Works like a charm on 8.4; thank you very much.

Win 11 guest shows afterwards: Event Log SYSTEM, INFORMATION 1799, "The boot manager signed with Windows UEFI CA 2023 was successfully installed."

PS C:\Users\Administrator> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\ -Name UEFICA2023Status | Select-Object UEFICA2023Status

UEFICA2023Status
----------------
Updated

Tested on pve-manager/8.4.18/40eb4ac16f053344 (running kernel: 6.8.12-20-pve)

Christian
 
Hi

Short guide on how I managed to upgrade the UEFI certificates on a Windows VM after upgrading my Proxmox VE to 9.1.6.
  1. I removed the old EFI disk from the VM (where I could see efitype=4m)
  2. I created a new EFI disk (where I can see efitype=4m,mscert=2023k)
  3. After the VM was started, I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
  4. Then I opened Task Scheduler as admin and ran the Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress)
  5. VM rebooted
  6. I ran the Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to Updated)
Thanks for corrections if you find a bug in my procedure.

AL
 
(quoting AL's guide above)

Yep, this is exactly how I'm doing it and it works a treat each time.
 
(quoting AL's guide above)

You should also check whether Event ID 1808 exists in your Event Log.
Only this event confirms that all certificates and changes are completed.


Code:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-TPM-WMI'; Id=1808} -MaxEvents 3 |
Select-Object TimeCreated, Id, LevelDisplayName, Message
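The guest-side part of AL's procedure (steps 3 to 6) and the event checks from Christian's post (1799) and the reply above (1808), as one added PowerShell example. This is my own script, not code from the thread, from Proxmox or from Microsoft. It assumes that the values AL typed into regedit (5944, 4100, 4000) are the hex values regedit displays, so it writes 0x5944; that the task path and event IDs are as given in the posts; and that event 1799, like 1808, is logged by the Microsoft-Windows-TPM-WMI provider used in the Get-WinEvent call above. The host-side steps 1 and 2 (recreating the EFI disk on Proxmox) are not covered.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt inside the Windows guest after the new EFI disk has been attached.
#Requires -RunAsAdministrator

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = "$SecureBootKey\Servicing"
$TaskPath      = '\Microsoft\Windows\PI\'       # as in AL's post
$TaskName      = 'Secure-Boot-Update'

function Get-SecureBootUpdateState {
    # Snapshot of the two registry values the post watches, plus whether Secure Boot is on.
    $avail  = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status = (Get-ItemProperty -Path $ServicingKey  -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $sbOn = $false
    try { $sbOn = Confirm-SecureBootUEFI } catch { }   # throws on legacy/non-UEFI firmware
    [pscustomobject]@{
        SecureBootEnabled = $sbOn
        AvailableUpdates  = if ($null -ne $avail) { '0x{0:X4}' -f $avail } else { '<absent>' }
        UEFICA2023Status  = if ($status) { $status } else { '<absent>' }
    }
}

function Invoke-SecureBootUpdateStep {
    # One pass of the guest procedure: arm the servicing task on the first pass
    # (step 3), run it and wait (step 4, or step 6 after the reboot), return the new state.
    $before = Get-SecureBootUpdateState
    if (-not $before.SecureBootEnabled) {
        throw 'Secure Boot is not enabled in this guest; check the EFI disk / OVMF settings first.'
    }
    if ($before.UEFICA2023Status -eq 'Updated') {
        Write-Host 'UEFICA2023Status is already Updated; nothing to do.'
        return $before
    }
    if ($before.UEFICA2023Status -ne 'InProgress') {
        # Step 3: AL entered 5944 in regedit; regedit shows hex, hence 0x5944 (assumption).
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value 0x5944 -Type DWord
    }
    # Step 4 / 6: run the servicing task and wait until it is no longer running.
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    do {
        Start-Sleep -Seconds 2
        $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    } while ($task.State -eq 'Running')
    $after = Get-SecureBootUpdateState
    Write-Host ('AvailableUpdates {0} -> {1}, UEFICA2023Status {2} -> {3}' -f
        $before.AvailableUpdates, $after.AvailableUpdates,
        $before.UEFICA2023Status, $after.UEFICA2023Status)
    if ($after.UEFICA2023Status -eq 'InProgress') {
        Write-Host 'Step 5: reboot the VM, then run Invoke-SecureBootUpdateStep again.'
    }
    return $after
}

function Test-SecureBootCAEvents {
    # 1799: boot manager signed with Windows UEFI CA 2023 installed (Christian's post).
    # 1808: all certificate changes completed (the reply above); only this confirms completion.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = @(1799, 1808) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
    $done = [bool]($events | Where-Object Id -eq 1808)
    if (-not $done) { Write-Warning 'No event 1808 yet: the certificate update is not confirmed complete.' }
    return $done
}

# Usage: Invoke-SecureBootUpdateStep ; Restart-Computer ; Invoke-SecureBootUpdateStep ; Test-SecureBootCAEvents
```

Run `Invoke-SecureBootUpdateStep` once, reboot when it tells you to, run it again, and finish with `Test-SecureBootCAEvents`; a `$true` result means event 1808 is present, which is the completion signal the reply above asks for. The script refuses to arm the update when `Confirm-SecureBootUEFI` reports Secure Boot off, because the servicing task only applies the new CA to a Secure Boot-enabled firmware.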