Virtual machines that do not have a valid Platform Key (PK) fail to complete automated updates to Secure Boot databases, including DB, DBX, and KEK.
The Platform Key (PK) on virtual machines has an invalid signature, which causes updates to the Key Exchange Key (KEK) database to fail. As a result, the automated Secure Boot update process fails and reports error events or logs.
Note: This knowledge article replaces a previous article (KB 421593) to avoid suggestions of deleting NVRAM, as that action can lead to unexpected corruption of the associated VM.
Update the Platform Key that has an invalid signature by replacing it with the Windows OEM Device Key before performing any automated updates to the Secure Boot databases.
Set the following advanced configuration parameter on the virtual machine:

VC 7.x: Edit Settings > VM Options > Advanced > Edit Configuration
VC 8.x and 9.x: Edit Settings > Advanced Parameters

uefi.allowAuthBypass = "TRUE"

To inspect the current Platform Key from inside the guest:

On Linux:

mokutil --pk

On Windows (PowerShell, run elevated):

$pk = Get-SecureBootUEFI -Name PK
$bytes = $pk.Bytes
# Skip the 28-byte EFI_SIGNATURE_LIST header and the 16-byte SignatureOwner GUID; what remains is the DER certificate.
$cert = $bytes[44..($bytes.Length-1)]
[IO.File]::WriteAllBytes("PK.der", $cert)
certutil -dump PK.der

Disk Preparation for Platform Key Update

A temporary FAT32 disk is required to stage the Platform Key (PK) and related certificates for the Secure Boot update process.
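The PowerShell step above extracts the certificate by skipping a fixed 44 bytes. As an added example that is not part of this article, the following Python parses the EFI_SIGNATURE_LIST layout (UEFI specification structure) that Secure Boot variables actually contain, so it also handles a non-zero SignatureHeaderSize and variables such as KEK or db that carry several entries; the sample PK value and owner GUID are constructed and are not a real key.

```python
import struct
import uuid

# UEFI spec GUID marking an EFI_SIGNATURE_LIST whose entries are DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HEADER_FMT = "<16sIII"  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER_LEN = struct.calcsize(ESL_HEADER_FMT)  # 28 bytes
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID, then the payload


def parse_signature_lists(blob):
    """Walk a PK/KEK/db variable value; return (signature_type, owner, payload) per entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(ESL_HEADER_FMT, blob, off)
        end = off + list_size
        if end > len(blob) or list_size < ESL_HEADER_LEN + hdr_size or sig_size <= OWNER_GUID_LEN:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + ESL_HEADER_LEN + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_LEN])
            entries.append((sig_type, owner, bytes(blob[pos + OWNER_GUID_LEN:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def extract_x509_certs(blob):
    """Return only the DER certificates, i.e. what the firmware expects in a .der enrollment file."""
    return [p for t, _o, p in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID]


def build_signature_list(sig_type, owner, payloads):
    """Inverse of the parser, used here only to construct sample data (all payloads same length)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = struct.pack(ESL_HEADER_FMT, sig_type.bytes_le,
                         ESL_HEADER_LEN + len(body), 0, OWNER_GUID_LEN + len(payloads[0]))
    return header + body


# Constructed sample values, not a real Platform Key: a DER-looking SEQUENCE header plus filler.
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 256
SAMPLE_OWNER = uuid.UUID(int=0x1234)
SAMPLE_PK = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
```

For a single-certificate PK with no SignatureHeader, `extract_x509_certs` returns exactly the bytes the 44-byte skip produces; for a multi-entry KEK or db the fixed skip would silently return only the first certificate plus trailing structures.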
On Linux:

lsblk
Identify the new disk, for example /dev/sdb.
sudo mkfs.vfat -F 32 -n KEYUPDATE /dev/sdb
sudo mkdir -p /mnt/keys
sudo mount /dev/sdb /mnt/keys
mount | grep keys
sudo cp WindowsOEMDevicesPK.der /mnt/keys
sudo umount /mnt/keys

On Windows:

Run diskmgmt.msc and press Enter.
format /FS:FAT32 X:
Replace X: with the appropriate drive letter.

To manually update the KEK certificate on the virtual machine, follow the instructions below:
Convert the KEK certificate to DER format with the openssl command below:

openssl x509 -inform der -in KEK.cer -outform der -out KEK-2023.der

Copy the resulting file (KEK-2023.der) to the disk mentioned in the Disk Preparation for Platform Key Update step under the Resolution section above.

From the Secure Boot Configuration menu, select KEK Options > Enroll KEK, choose KEK-2023.der, then select Commit Changes and Exit.

If enrollment fails with the message "Only DER encoded certificate file (*.cer/der/crt) is supported", regenerate the .der file again, as it may have been corrupted in transport, with the openssl command below:

openssl x509 -inform der -in PK.cer -outform der -out PK.der