Hello,
I have a question about Windows Server VMs and updating Secure Boot certificates. I found out there are 2 feasible ways for me.
Way 1 is a full update including the NVRAM file, but needs more care.
Way 2 is a lazy way by running just a few tasks within Windows; the result may be usable, but it is not really clean.
Way 1
- VM down
- upgrade HW version to latest
- delete NVRAM file
- start VM and initiate the known registry entries and task to make Windows update the Secure Boot certificate chain.
- two reboots later the VM is fresh, just like a newly installed one. All values are fine.
Way 2
- initiate the known registry entries and tasks without updating the NVRAM (UEFI) file and without updating the HW version of the VM.
- In this case Windows is also updating the certificate chain.
- 2 reboots later we may have a bootable system after June 2026.
In Way 2 we get to a status where WindowsUEFICA2023Capable is 2, which means the VM is using the new 2023 certificates. But we also have an error in the KEK certificate area: KEKLastUpdateErrorReason shows "Firmware_MissingKEKInPackage" or "InstallerError". UEFICA2023Status stays "InProgress".
My question is which way should I use. Is Way 2 safe, even with problems in the KEK area? WindowsUEFICA2023Capable = 2 should be the significant value.
Way 2 is easier to handle, just inserting some tasks into our global environment.
Way 1 may be clean, but there are some hundreds of VMs we would have to handle this way, plus unexpected downtimes.
Do you have any experience with updating Secure Boot certificates?
What is your opinion on this topic?
Thanks,
Hans
BTW: it is commonly known that Windows client OS should update itself; only server OS should be edited manually. But as we look at our data, a lot of Win11 OS are still not updated. I recommend explicitly checking in your environment.
-------------------------------------------
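An added example (not part of the post above) for the "explicitly check in your environment" point: a PowerShell function that reads the three status values named in the post and also looks into the UEFI db itself, so a machine reporting WindowsUEFICA2023Capable = 2 with a stuck KEK update is flagged rather than counted as done. It assumes the values live under the SecureBoot\Servicing key and that the 2023 CA's subject name is "Windows UEFI CA 2023".

```powershell
# Added example, not from the original post.
# ASSUMPTION: the servicing status values are stored under this key.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBootCertStatus {
    # Registry view: what Windows believes about the 2023 CA rollout.
    $props   = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    $capable = $props.WindowsUEFICA2023Capable
    $status  = $props.UEFICA2023Status          # e.g. "InProgress" / "Updated"
    $kekErr  = $props.KEKLastUpdateErrorReason  # e.g. "Firmware_MissingKEKInPackage"

    # Firmware view: does the UEFI db really contain the 2023 CA?
    # The subject CN is ASCII inside the DER cert, so a string search suffices.
    # ASSUMPTION: subject string "Windows UEFI CA 2023".
    $dbHas2023 = $false
    try {
        $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
        $dbHas2023 = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
    } catch {
        # Get-SecureBootUEFI throws when Secure Boot is off or the VM is legacy BIOS.
    }

    # Only treat the VM as clean when every signal agrees; a KEK error with
    # Capable = 2 is the "Way 2" state the post describes, not a finished update.
    $verdict = if ($capable -eq 2 -and $status -eq 'Updated' -and -not $kekErr -and $dbHas2023) {
                   'Clean'
               } elseif ($capable -eq 2) {
                   'Runs on 2023 CA but servicing incomplete (inspect KEK / status)'
               } else {
                   'Not updated'
               }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        WindowsUEFICA2023Capable = $capable
        UEFICA2023Status         = $status
        KEKLastUpdateErrorReason = $kekErr
        DbContains2023CA         = $dbHas2023
        Verdict                  = $verdict
    }
}

# Fleet run (hypothetical server list); requires WinRM and admin rights on the targets.
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-SecureBootCertStatus} |
#     Where-Object Verdict -ne 'Clean' | Format-Table -AutoSize
Get-SecureBootCertStatus
```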