Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

[Wintendo]

(...)
Yes, but existing VMs need to be actively updated, affected VMs will output a visible warning in the VM start worker task log with the respective instructions (they are basically the same as needed on PVE 9)

Works like a charm on 8.4 ; thank you very much.

Win 11 guest shows afterwards : Event-Log SYSTEM IINFORMATION 1799 Der mit Windows UEFI CA 2023 signierte Start-Manager wurde erfolgreich installiert.

PS C:\Users\Administrator> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\ -Name UEFICA2023Status | Select-Object UEFICA2023Status

UEFICA2023Status
----------------
Updated

Tested on pve-manager/8.4.18/40eb4ac16f053344 (running kernel: 6.8.12-20-pve)

Christian

 

[aldomoro]

Hi

Short guide how I managed to upgrade UEFI certificates on Windows VM after upgrading my Proxmox VE to 9.1.6.

1. I removed old EFI disk from VM (where I could see efitype=4m)
2. I created new EFI disk (where I can see efitype=4m,mscert=2023k)
3. After VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
4. Then I opened Task Scheduler as admin and run Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress
5. VM rebooting
6. I ran Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was change to Updated)

Thanks for correction if you find a bug in my procedure

AL

 

[complexplaster27]

Hi

Short guide how I managed to upgrade UEFI certificates on Windows VM after upgrading my Proxmox VE to 9.1.6.

1. I removed old EFI disk from VM (where I could see efitype=4m)
2. I created new EFI disk (where I can see efitype=4m,mscert=2023k)
3. After VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
4. Then I opened Task Scheduler as admin and run Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress
5. VM rebooting
6. I ran Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was change to Updated)

Thanks for correction if you find a bug in my procedure

AL

Yep this is exactly how I'm doing it and works a treat each time.

 

[techsolo12]

Hi

Short guide how I managed to upgrade UEFI certificates on Windows VM after upgrading my Proxmox VE to 9.1.6.

1. I removed old EFI disk from VM (where I could see efitype=4m)
2. I created new EFI disk (where I can see efitype=4m,mscert=2023k)
3. After VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
4. Then I opened Task Scheduler as admin and run Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress
5. VM rebooting
6. I ran Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was change to Updated)

Thanks for correction if you find a bug in my procedure

AL

You should also check if the Event ID 1808 is existing in your Event Log.
Only this event confirms that all certificates and changes are completed.

Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-TPM-WMI'; Id=1808} -MaxEvents 3 |
Select-Object TimeCreated, Id, LevelDisplayName, Message

 

[Nick Kooij]

Hi

Short guide how I managed to upgrade UEFI certificates on Windows VM after upgrading my Proxmox VE to 9.1.6.

1. I removed old EFI disk from VM (where I could see efitype=4m)
2. I created new EFI disk (where I can see efitype=4m,mscert=2023k)
3. After VM was started I opened regedit as admin and changed HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 5944
4. Then I opened Task Scheduler as admin and run Microsoft\Windows\PI\Secure-Boot-Update task (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4100 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was changed to InProgress
5. VM rebooting
6. I ran Microsoft\Windows\PI\Secure-Boot-Update task again (HKLM\System\CurrentControlSet\Control\SecureBoot\AvailableUpdates was changed to 4000 and HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status was change to Updated)

Thanks for correction if you find a bug in my procedure

AL

Around 4 hours ago, I had a Windows 11 Pro VM, running on Proxmox 9.1, reboot and automatically performing steps 3-4.

The only relevant configuration changes I made to the VM were:

• Update to Proxmox 9.1
• Changed the VM Machine type to `pc-q35-10.1`
  • BIOS was already OVMF (EUFI)
• Enroll the 2023 keys:
  • Hardware -> EFI Disk -> Disk Action -> Enroll Updated Certificates

I never actually set any registry keys, or made any Group Policy changes, within the VM to trigger the latter steps.

So it seems as Microsoft is rolling out these changes, they now have the QEMU machine type pc-q35-10.1 is now in the High Confidence database, so the final steps, within the VM, are automatic.

This simplify deployment a bit.

 

[complexplaster27]

Around 4 hours ago, I had a Windows 11 Pro VM, running on Proxmox 9.1, reboot and automatically performing steps 3-4.

The only relevant configuration changes I made to the VM were:

• Update to Proxmox 9.1
• Changed the VM Machine type to `pc-q35-10.1`
  • BIOS was already OVMF (EUFI)
• Enroll the 2023 keys:
  • Hardware -> EFI Disk -> Disk Action -> Enroll Updated Certificates

I never actually set any registry keys, or made any Group Policy changes, within the VM to trigger the latter steps.

So it seems as Microsoft is rolling out these changes, they now have the QEMU machine type pc-q35-10.1 is now in the High Confidence database, so the final steps, within the VM, are automatic.

This simplify deployment a bit.

So after you set the Machine to 10.1 you don't need to reboot the client at all? I'll test this on a Windows Server machine to see if this behavior replicates.

 

[MarkusKo]

On Windows Server you *have* to do this manually, just adding the updated efi disk in PVE is not enough, the Windows Server boot loader has to be updated as well.

Set registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates -> 0x5944
Reboot, run the task "Secure-Boot-Update" under Microsoft->Windows->PI
Reboot again, run the task "Secure-Boot-Update" under Microsoft->Windows->PI (maybe have to do that multiple times)
Check if the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status" is set to "Updated"

For other methods of updating the Windows Server boot loader to UEFI CA2023 read the official Microsoft docs linked down below.

Windows Server 2025 certified server platforms already include the 2023 certificates in firmware. For servers that do not,
IT administrators must manually update the certificates, because Windows Server does not receive them automatically.
Unlike Windows PCs, which receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR) as part of the
monthly update process, Windows Server requires manual action.

https://techcommunity.microsoft.com...ook-for-certificates-expiring-in-2026/4495789

 

[SvenTej]

Hmm on a WIN2019 Server I have an issue.

I updatred the efi-disk (The test "EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet. ..." is gone)

I then did the upper mentioned regisry stuff.

But....The registry key HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\WindowsUEFICA2023Capable is 1.

I would expect a 2.....

Any hints to solve this?
It is a domain controller running WIN2019 with all patches installed

 

[gasherbrum]

On Windows Server you *have* to do this manually, just adding the updated efi disk in PVE is not enough, the Windows Server boot loader has to be updated as well.

Set registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates -> 0x5944
Reboot, run the task "Secure-Boot-Update" under Microsoft->Windows->PI
Reboot again, run the task "Secure-Boot-Update" under Microsoft->Windows->PI (maybe have to do that multiple times)
Check if the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status" is set to "Updated"

For other methods of updating the Windows Server boot loader to UEFI CA2023 read the official Microsoft docs linked down below.

Windows Server 2025 certified server platforms already include the 2023 certificates in firmware. For servers that do not,
IT administrators must manually update the certificates, because Windows Server does not receive them automatically.
Unlike Windows PCs, which receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR) as part of the
monthly update process, Windows Server requires manual action.

https://techcommunity.microsoft.com...ook-for-certificates-expiring-in-2026/4495789

Yes I found this to be the case as well, Win 11 would update automatically but Server 2022 or earlier will need the reg key changed and wait 12 hours + reboot

 

[techsolo12]

Hmm on a WIN2019 Server I have an issue.

I updatred the efi-disk (The test "EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet. ..." is gone)

I then did the upper mentioned regisry stuff.

But....The registry key HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\WindowsUEFICA2023Capable is 1.

I would expect a 2.....

Any hints to solve this?
It is a domain controller running WIN2019 with all patches installed

The value in "WindowsUEFICA2023Capable" is not important. Its only a reference value.
You only need Event ID "1808" in Windows Event Log and "UEFICA2023Status" with value "Updated".
The screenshot below comes from original Micro$oft guidelines.

 

[SvenTej]

Hey,
Thanks a lot for the clarification.
So as I have the Event ID 1808 and the status is "updated" I should be fine.


Regards
S.

 

[OsvaldoP]

Our windows servers does not update the regkeys [1] to automatically download the new certificates.
Also older Win11 Clients have wrong regeky set.

After changing the key [1] manually, starting the "Secure-Boot-Update" windows reports ok. (UEFICA2023Status = Updated)

Does anybody know if also a PVE update is necessary? If yes, which is the min requied PVE Version to get the 2023 Certificates?
Currently we are using PVE 8.4.

kr
Roland

 

[ismikes]

On a 9.1.9 (fully updated) system for an Ubuntu 24.04 VM:

root@presto:~# qm enroll-efi-keys 200
efidisk0: enrolling Microsoft UEFI CA 2023
INFO: reading raw edk2 varstore from /var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationUEFICA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftUEFICA2023.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftWindowsProductionPCA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/WindowsUEFICA2023.pem
INFO: certificate already present, skipping
INFO: add KEK cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem
INFO: certificate already present, skipping
INFO: writing raw edk2 varstore to /var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse
Traceback (most recent call last):
File "/bin/virt-fw-vars", line 33, in <module>
sys.exit(load_entry_point('virt-firmware==24.11', 'console_scripts', 'virt-fw-vars')())
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/virt/firmware/vars.py", line 305, in main
varstore.write_varstore(options.output, varlist)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/virt/firmware/varstore/edk2.py", line 157, in write_varstore
with open(filename, "wb") as f:
~~~~^^^^^^^^^^^^^^^^
OSError: [Errno 95] Operation not supported: '/var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse'
efidisk0: enrolling Microsoft UEFI CA 2023 failed - command 'virt-fw-vars --inplace /var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse --distro-keys ms-uefi --distro-keys windows --add-kek 77fa9abd-0359-4d32-bd60-28f4e78f784b /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem' failed: exit code 1

 

[gfngfn256]

Ubuntu 24.04 VM

Microsoft UEFI CA 2023 is for Microsoft OSs like Windows!

 

[ismikes]

Microsoft UEFI CA 2023 is for Microsoft OSs like Windows!

I might be wrong about this but I *think* it's for any system using UEFI with Secure Boot, is it not? My VM is giving this warning about it when it boots:

WARN: EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet.
The UEFI 2011 certificates expire in June 2026! The new certificates are required
for secure boot update for Windows and common Linux distributions.
Use 'Disk Action > Enroll Updated Certificates' in the UI or, while the VM is
shut down, run 'qm enroll-efi-keys 200' to enroll the new certificates.

 

[ismikes]

One is supposed to perform the action on the EFI Disk of the VM, correct?

 

[janus57]

Hi,

Microsoft UEFI CA 2023 is for Microsoft OSs like Windows!

not only, it also impact linux when Secure Boot is enable and use shim signed with : MS 2023 UEFI CA

One is supposed to perform the action on the EFI Disk of the VM, correct?

have you done it when the VM was shutdown ?

Best regards,

 

[ismikes]

have you done it when the VM was shutdown ?

It was shut-down when I ran the command I posted above. I've since tried running while it was up via the UI and that seemed to complete without giving an error message. However, I now get this warning message when booting the VM:

efidisk0: enrolling Microsoft UEFI CA 2023
INFO: reading raw edk2 varstore from /var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationUEFICA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftUEFICA2023.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftWindowsProductionPCA2011.pem
INFO: certificate already present, skipping
INFO: add db cert /usr/lib/python3/dist-packages/virt/firmware/certs/WindowsUEFICA2023.pem
INFO: certificate already present, skipping
INFO: add KEK cert /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem
INFO: certificate already present, skipping
INFO: writing raw edk2 varstore to /var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse
Traceback (most recent call last):
File "/bin/virt-fw-vars", line 33, in <module>
sys.exit(load_entry_point('virt-firmware==24.11', 'console_scripts', 'virt-fw-vars')())
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/virt/firmware/vars.py", line 305, in main
varstore.write_varstore(options.output, varlist)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/virt/firmware/varstore/edk2.py", line 157, in write_varstore
with open(filename, "wb") as f:
~~~~^^^^^^^^^^^^^^^^
OSError: [Errno 95] Operation not supported: '/var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse'
unable to apply pending change efidisk0 : efidisk0: enrolling Microsoft UEFI CA 2023 failed - command 'virt-fw-vars --inplace /var/run/qemu-server/qsd-vm-200-efi-enroll-efidisk0-enroll.fuse --distro-keys ms-uefi --distro-keys windows --add-kek 77fa9abd-0359-4d32-bd60-28f4e78f784b /usr/lib/python3/dist-packages/virt/firmware/certs/MicrosoftCorporationKEK2KCA2023.pem' failed: exit code 1
WARN: EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet.
The UEFI 2011 certificates expire in June 2026! The new certificates are required
for secure boot update for Windows and common Linux distributions.
Use 'Disk Action > Enroll Updated Certificates' in the UI or, while the VM is
shut down, run 'qm enroll-efi-keys 200' to enroll the new certificates.

For Windows with BitLocker, run the following command inside Powershell:
manage-bde -protectors -disable <drive>
for each drive with BitLocker (for example, <drive> could be 'C:').
This is required for each drive with BitLocker before proceeding with enrollment.
Otherwise, you will be prompted for the BitLocker recovery key on the next boot.

TASK WARNINGS: 1