Hey everyone, I'm facing some issues ensuring that the new secure boot certificates for 2023 are properly applied across my Windows Server environment. I've got a mixed setup with Server versions 2016, 2019, 2022, and 2025, and all necessary Windows updates are installed.
I've been running my servers on different platforms: Hyper-V seems to handle it well with both the KEK and DB certificates applied. Proxmox is still left to test, but VMware is where I'm encountering trouble. Based on a Broadcom knowledge base article regarding secure boot certificate issues, it seems you need to set the hardware compatibility of the VMs to version 8.02. However, my tests indicate that both KEK and DB certificates can be validated even on compatibility as old as 6.7 using PowerShell commands.
These commands check whether the correct certificates are there:
- `[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).Bytes) -match 'Microsoft Corporation KEK 2K CA 2023'`
- `[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match '2023'`
Both should return **True**, yet I'm still seeing Event ID 1801 in the system log which states, "Updated secure boot certificates are available on this device but have not yet been applied to the Firmware." So, I'm left wondering if this message is just noise or if it's indicating a real issue. Is there any definite way to check if the certificates are confirmed applied or not? Any guidance would be greatly appreciated!
2 Answers
Have you checked out this article? It has steps for dumping the VM's UEFI data, which could help you confirm if the certificates are actually there: https://knowledge.broadcom.com/external/article/424429/verification-of-secure-boot-certificate.html
It sounds like you might need to change the VM version. Try powering off the machine, deleting or renaming the nvram file, and then boot it up again. Make sure you've got the registry key that triggers the update applied as well. It might take a few reboots before you see everything show as successful, based on my experience.
Thanks! Have you also upgraded the hardware compatibility to version 8 on the VMs? Did you run into this Event ID too?

Thanks for the tip! I followed that article and managed to grab the kek-cert-0.der and kek-cert-1.der files. In the kek-cert-0.der, I noticed the expected certificate, but the other only has 2011. Here’s a snapshot I got: [link](https://preview.redd.it/6ne2ckqolsmg1.png?width=854&format=png&auto=webp&s=de108ae7e82495a4f4c408be83945133ca9488ff)
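
Added example, not part of the thread and not Microsoft or Broadcom tooling: rather than matching ASCII substrings as the commands in the question do, this parses the EFI_SIGNATURE_LIST layout of the KEK and db variables from inside the guest and lists each certificate's subject, expiry and thumbprint, so a 2011 entry and a 2023 entry show up as separate rows. `ConvertFrom-EfiSignatureList` is a name invented for this example; it assumes an elevated session on a UEFI system with Secure Boot enabled.

```powershell
# Added example: run elevated inside a UEFI guest with Secure Boot enabled.
# ConvertFrom-EfiSignatureList is a name chosen for this example, not a built-in cmdlet.
function ConvertFrom-EfiSignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # EFI_CERT_X509_GUID (UEFI specification): each entry of this type is one DER certificate.
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three little-endian UINT32 sizes.
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToInt32($Bytes, $offset + 24)
        $end        = $offset + $listSize
        if ($listSize -lt 28 -or $headerSize -lt 0 -or $sigSize -le 16 -or $end -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        # Entries follow the optional header; each is an owner GUID (16 bytes) plus the signature data.
        for ($p = $offset + 28 + $headerSize; $p + $sigSize -le $end; $p += $sigSize) {
            $entry = [ordered]@{
                Owner      = [guid]::new([byte[]]$Bytes[$p..($p + 15)])
                Subject    = "(non-X.509 entry, type $type)"
                NotAfter   = $null
                Thumbprint = $null
            }
            if ($type -eq $x509Type) {
                $der  = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry.Subject    = $cert.Subject
                $entry.NotAfter   = $cert.NotAfter
                $entry.Thumbprint = $cert.Thumbprint
            }
            [pscustomobject]$entry
        }
        $offset = $end
    }
}

# List every entry in the KEK and db variables of the running system.
foreach ($name in 'KEK', 'db') {
    ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name $name).Bytes |
        Select-Object @{ n = 'Variable'; e = { $name } }, Subject, NotAfter, Thumbprint
}
```

The thumbprints printed here can be compared against the DER files dumped from the VM's NVRAM to confirm that the guest and the hypervisor-side dump describe the same entries.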