Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

(...)
Yes, but existing VMs need to be actively updated, affected VMs will output a visible warning in the VM start worker task log with the respective instructions (they are basically the same as needed on PVE 9)
Works like a charm on 8.4 ; thank you very much.

Win 11 guest shows afterwards: Event Log SYSTEM INFORMATION 1799 Der mit Windows UEFI CA 2023 signierte Start-Manager wurde erfolgreich installiert.

PS C:\Users\Administrator> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\ -Name UEFICA2023Status | Select-Object UEFICA2023Status

UEFICA2023Status
----------------
Updated

Tested on pve-manager/8.4.18/40eb4ac16f053344 (running kernel: 6.8.12-20-pve)

Christian
 
Hi

Short guide on how I managed to upgrade the UEFI certificates on a Windows VM after upgrading my Proxmox VE to 9.1.6.
  1. I removed the old EFI disk from the VM (where I could see efitype=4m)
  2. I created a new EFI disk (where I can see efitype=4m,mscert=2023k)
  3. After the VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
  4. Then I opened Task Scheduler as admin and ran the Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress)
  5. VM rebooted
  6. I ran the Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to Updated)
Thanks for corrections if you find a bug in my procedure

AL
 
Yep this is exactly how I'm doing it and works a treat each time.
 
  • Like
Reactions: aldomoro
Hi

Short guide how I managed to upgrade UEFI certificates on Windows VM after upgrading my Proxmox VE to 9.1.6.
  1. I removed old EFI disk from VM (where I could see efitype=4m)
  2. I created new EFI disk (where I can see efitype=4m,mscert=2023k)
  3. After VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
  4. Then I opened Task Scheduler as admin and run Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress
  5. VM rebooting
  6. I ran Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was change to Updated)
Thanks for correction if you find a bug in my procedure

AL

You should also check whether Event ID 1808 exists in your Event Log.
Only this event confirms that all certificates and changes are completed.


Code:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-TPM-WMI'; Id=1808} -MaxEvents 3 |
Select-Object TimeCreated, Id, LevelDisplayName, Message
 
Around 4 hours ago, I had a Windows 11 Pro VM, running on Proxmox 9.1, reboot and automatically perform steps 3-4.

The only relevant configuration changes I made to the VM were:
  • Update to Proxmox 9.1
  • Changed the VM Machine type to `pc-q35-10.1`
    • BIOS was already OVMF (UEFI)
  • Enroll the 2023 keys:
    • Hardware -> EFI Disk -> Disk Action -> Enroll Updated Certificates
I never actually set any registry keys, or made any Group Policy changes, within the VM to trigger the latter steps.

So it seems that as Microsoft rolls out these changes, the QEMU machine type pc-q35-10.1 is now in the High Confidence database, so the final steps within the VM are automatic.

This simplifies deployment a bit.
 
So after you set the Machine to 10.1 you don't need to reboot the client at all? I'll test this on a Windows Server machine to see if this behavior replicates.
 
On Windows Server you *have* to do this manually, just adding the updated efi disk in PVE is not enough, the Windows Server boot loader has to be updated as well.

Set registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates -> 0x5944
Reboot, run the task "Secure-Boot-Update" under Microsoft->Windows->PI
Reboot again, run the task "Secure-Boot-Update" under Microsoft->Windows->PI (maybe have to do that multiple times)
Check if the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status" is set to "Updated"

For other methods of updating the Windows Server boot loader to UEFI CA2023 read the official Microsoft docs linked down below.

Code:
Windows Server 2025 certified server platforms already include the 2023 certificates in firmware. For servers that do not,
IT administrators must manually update the certificates, because Windows Server does not receive them automatically.
Unlike Windows PCs, which receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR) as part of the
monthly update process, Windows Server requires manual action.
https://techcommunity.microsoft.com...ook-for-certificates-expiring-in-2026/4495789
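The manual sequence above (set AvailableUpdates, run the Secure-Boot-Update task, reboot, run it again, check UEFICA2023Status) and the Event ID 1808 check recommended earlier in the thread can be driven from one script run inside the guest. The following is an added example, not code from the thread or from Proxmox or Microsoft. It assumes it is run as Administrator in the Windows guest, once per boot, and that the event IDs 1799 and 1808 from the Microsoft-Windows-TPM-WMI provider are the progress and completion events quoted in the posts; the task path \Microsoft\Windows\PI\ and the registry values are the ones the thread names.

```powershell
# Added example (not from the thread): automates the in-guest Secure Boot CA 2023 update
# steps the posts describe. Run as Administrator, once per boot, until UEFICA2023Status
# reads "Updated". Assumed: event IDs 1799/1808 from Microsoft-Windows-TPM-WMI are the
# progress/completion events; everything else is taken from the thread's instructions.

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = "$SecureBootKey\Servicing"
$TaskPath      = '\Microsoft\Windows\PI\'
$TaskName      = 'Secure-Boot-Update'

function Get-SecureBootServicingState {
    # Reads the values the thread uses as checkpoints; a missing value comes back as $null.
    $avail   = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status  = (Get-ItemProperty -Path $ServicingKey  -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $capable = (Get-ItemProperty -Path $ServicingKey  -Name WindowsUEFICA2023Capable -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
    $sbOn = $false
    try { $sbOn = Confirm-SecureBootUEFI } catch { }   # throws on non-UEFI firmware
    [pscustomobject]@{
        SecureBootEnabled        = $sbOn
        AvailableUpdates         = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { '<absent>' }
        UEFICA2023Status         = $status
        WindowsUEFICA2023Capable = $capable
    }
}

function Invoke-SecureBootUpdateTask {
    # Starts the scheduled task and waits up to 10 minutes for it to leave the Running state.
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 5
        $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    } while ($task.State -eq 'Running' -and (Get-Date) -lt $deadline)
    (Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName).LastTaskResult
}

function Get-SecureBootServicingEvents {
    # 1799: boot manager signed with Windows UEFI CA 2023 installed (quoted earlier in the thread)
    # 1808: completion event the thread recommends checking (assumed same provider)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = @(1799, 1808) } `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# --- main flow: one pass per boot ---
$state = Get-SecureBootServicingState
$state | Format-List

if (-not $state.SecureBootEnabled) {
    Write-Warning 'Secure Boot is not enabled in this guest; enable it in OVMF before updating the CA.'
    return
}

switch ($state.UEFICA2023Status) {
    'Updated' {
        Write-Host 'UEFICA2023Status is already Updated; confirm with the 1808 event below.'
    }
    'InProgress' {
        # Later pass after a reboot: run the task again, as the posts describe.
        $rc = Invoke-SecureBootUpdateTask
        Write-Host "Task result $rc. If status is still InProgress, reboot and run this script again."
    }
    default {
        # First pass: request the full update set (0x5944 per the thread), run the task, then reboot.
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value 0x5944 -Type DWord
        $rc = Invoke-SecureBootUpdateTask
        Write-Host "AvailableUpdates set to 0x5944, task result $rc. Reboot now and run this script again."
    }
}

Get-SecureBootServicingState | Format-List
Get-SecureBootServicingEvents | Format-Table -AutoSize -Wrap
```

The script is deliberately idempotent per boot: it only writes AvailableUpdates on the first pass (status absent), re-runs the task on later passes, and never touches the key once the status reads Updated. The final event listing is the check from the earlier post; if 1808 is absent after the status shows Updated, keep rebooting and re-running rather than assuming the DB update landed.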
Hmm, on a WIN2019 Server I have an issue.

I updated the efi-disk (the test "EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet. ..." is gone)

I then did the above-mentioned registry stuff.

But.... the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\WindowsUEFICA2023Capable is 1.

I would expect a 2.....

Any hints to solve this?
It is a domain controller running WIN2019 with all patches installed
 
Yes I found this to be the case as well, Win 11 would update automatically but Server 2022 or earlier will need the reg key changed and wait 12 hours + reboot