Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

Hi,
Hi @fiona,
after deleting the EFI-Disk of an old VM on a current PVE 8.4.16 and creating a new EFI-Disk with enrolled keys, the disk contains only the old certs. Is that only applicable for current PVE 9.1?
Thanks for the info.
yes, for Proxmox VE 8 there was no backport of the changes yet. It's planned to be done once the improvements to enrollment land, so everything can be backported at the same time.
 
Hello,

I read this thread. So what are the steps that need to be done for Windows Server?
As we have thousands of VMs, what needs to be done to update the certificate?

Can this be done inside the VM only, with some Windows update?
Or do we need to stop every VM and run the command "qm enroll-efi-keys"?

For me it's not clear what needs to be done. And we need a clear and easy-to-handle way, as we cannot manually update all thousands of VMs.

Best Regards
 
Hi @Nerion,
with qemu-server >= 9.1.4, you can set the ms-cert=2023w property for an EFI disk via the API. This can also be done for running VMs and will lead to enrollment of the new certificates the next time pending changes for the VM are applied (e.g. when doing a reboot via API/UI).

There will also be a UI button for it once the rest of the patches is applied: https://lore.proxmox.com/pve-devel/20260121154453.285642-1-f.ebner@proxmox.com/T/

The rest is done within the VMs, see the relevant Microsoft articles: https://lore.proxmox.com/pve-devel/20260121154453.285642-4-f.ebner@proxmox.com/
 
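For a large fleet, the property change described in the post above can be planned as a dry run first. The following is an added example, not code from the thread or from Proxmox: it assumes each VM's `qm config` output has been collected as text and that `pvesh set` on the VM config path is the API route used; the node name, VM IDs and volume names are constructed.

```python
import shlex

TARGET = "2023w"  # ms-cert value named in the post above

# Constructed sample: {vmid: text in `qm config` "key: value" form}
SAMPLE = {
    100: "bios: ovmf\nefidisk0: local-lvm:vm-100-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M\n",
    101: "bios: seabios\nscsi0: local-lvm:vm-101-disk-0,size=32G\n",
    102: "bios: ovmf\nefidisk0: local-lvm:vm-102-disk-0,efitype=4m,ms-cert=2023w,pre-enrolled-keys=1,size=4M\n",
}


def updated_efidisk(value, target=TARGET):
    """Return the efidisk0 string with ms-cert=<target>, or None if already set."""
    volume, *opts = [part.strip() for part in value.split(",")]
    kept, current = [], None
    for opt in opts:
        key, _, val = opt.partition("=")
        if key == "ms-cert":
            current = val          # drop the old marker, remember its value
        else:
            kept.append(opt)       # keep efitype, pre-enrolled-keys, size, ...
    if current == target:
        return None
    return ",".join([volume, *kept, f"ms-cert={target}"])


def plan(node, configs):
    """Return (commands to run, {vmid: reason skipped}) without changing anything."""
    commands, skipped = [], {}
    for vmid, text in sorted(configs.items()):
        efidisk = None
        for line in text.splitlines():
            key, sep, val = line.partition(":")   # split at the first colon only
            if sep and key.strip() == "efidisk0":
                efidisk = val.strip()
        if efidisk is None:
            skipped[vmid] = "no efidisk0"
            continue
        new = updated_efidisk(efidisk)
        if new is None:
            skipped[vmid] = f"already ms-cert={TARGET}"
            continue
        path = f"/nodes/{node}/qemu/{vmid}/config"
        commands.append(f"pvesh set {path} --efidisk0 {shlex.quote(new)}")
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = plan("pve1", SAMPLE)  # "pve1" is a constructed node name
    print("\n".join(cmds))
    print("skipped:", skipped)
```

The printed commands only set the property; as the post says, enrollment happens the next time pending changes for the VM are applied, and the remaining steps are done inside the guest.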
Hello,

When is this new version going to be released in the enterprise repo?