Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

(...)
Yes, but existing VMs need to be actively updated; affected VMs will output a visible warning in the VM start worker task log with the respective instructions (they are basically the same as needed on PVE 9).
Works like a charm on 8.4; thank you very much.

Win 11 guest shows afterwards: Event-Log SYSTEM INFORMATION 1799 Der mit Windows UEFI CA 2023 signierte Start-Manager wurde erfolgreich installiert.

PS C:\Users\Administrator> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\ -Name UEFICA2023Status | Select-Object UEFICA2023Status

UEFICA2023Status
----------------
Updated

Tested on pve-manager/8.4.18/40eb4ac16f053344 (running kernel: 6.8.12-20-pve)

Christian
 
Hi

Short guide on how I managed to upgrade the UEFI certificates on a Windows VM after upgrading my Proxmox VE to 9.1.6.
  1. I removed old EFI disk from VM (where I could see efitype=4m)
  2. I created new EFI disk (where I can see efitype=4m,mscert=2023k)
  3. After VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
  4. Then I opened Task Scheduler as admin and ran the Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress)
  5. VM rebooting
  6. I ran the Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to Updated)
Thanks for correction if you find a bug in my procedure

AL
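
A read-only check of the state the posts above describe, as an added example that is not part of the original thread: it reports the two registry values, whether the guest's UEFI db contains the 2023 CA, the state of the Secure-Boot-Update task, and the latest event 1799. It assumes an elevated PowerShell session inside the Windows guest and that the values 5944, 4100 and 4000 quoted above are regedit's hexadecimal view, so `AvailableUpdates` is printed in hex; `Get-RegValue` is a helper name made up for this example.

```powershell
# Added example (not from the thread): read-only status report, changes nothing.
$sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns $null instead of an error when the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$available = Get-RegValue $sb 'AvailableUpdates'
$status    = Get-RegValue "$sb\Servicing" 'UEFICA2023Status'

# Confirm-SecureBootUEFI throws on guests that do not boot via UEFI; report that as $false.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# Look for the 2023 CA subject name inside the UEFI signature database (db)
# that the guest actually sees on its EFI disk.
$dbHas2023 = $false
try {
    $dbText    = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbHas2023 = $dbText -match 'Windows UEFI CA 2023'
} catch { }

# Scheduled task and event id exactly as named in the posts above.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' `
        -ErrorAction SilentlyContinue
$evt  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1799 } -MaxEvents 1 `
        -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    DbContainsCA2023  = $dbHas2023
    AvailableUpdates  = if ($null -ne $available) { '0x{0:X}' -f $available } else { '<not set>' }
    UEFICA2023Status  = if ($status) { $status } else { '<not set>' }
    UpdateTaskState   = if ($task) { $task.State } else { '<task not found>' }
    LastEvent1799     = if ($evt) { $evt.TimeCreated } else { '<none logged>' }
} | Format-List
```

If `DbContainsCA2023` is False, the guest is still booting from an EFI disk without the 2023 certificate, which is the case the first reply says Proxmox warns about in the VM start task log.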