I'm an IT Pro. We are pushing out the 2023 Secure Boot updates to all our physical devices, a process that must complete in June 2026, and I need to do the same for my Parallels VMs. While some of the updates are being delivered, the KEK update is failing to land.
PS C:\WINDOWS\system32> Get-UEFICertificate | select subject
Subject
-------
CN=Parallels UEFI Platform Key 2016, O=Parallels Holdings Ltd, C=US
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
We're missing CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
When this works properly the last reported Event ID is 1808
Here is the output from the Microsoft "Detect-SecureBootCertUpdateStatus" script:
{"UEFICA2023Status":"InProgress","UEFICA2023Error":2147942402,"UEFICA2023ErrorEvent":1803,"AvailableUpdates":"0x4004","AvailableUpdatesPolicy":null,"Hostname":"W11-PVM9ADMARM1","CollectionTime":"2026-03-18T15:52:07.8520153+00:00","SecureBootEnabled":true,"HighConfidenceOptOut":null,"MicrosoftUpdateManagedOptIn":null,"OEMManufacturerName":"Parallels International GmbH.","OEMModelSystemFamily":"Parallels VM","OEMModelNumber":"Parallels ARM Virtual Machine","FirmwareVersion":"26.2.2 (57373)","FirmwareReleaseDate":"Fri, 30 Jan 2026 16:40:30","OSArchitecture":"ARM64","CanAttemptUpdateAfter":"2026-03-03T07:38:56.9440000Z","LatestEventId":1803,"BucketId":"4cbfbb8b5b825969859374b1f5dc1d6245853d7fe592cac4325034967f3cc6fe","Confidence":"Under Observation - More Data Needed.","SkipReasonKnownIssue":null,"Event1801Count":19,"Event1808Count":0,"Event1795Count":0,"Event1795ErrorCode":null,"Event1796Count":0,"Event1796ErrorCode":null,"Event1800Count":0,"RebootPending":false,"Event1802Count":0,"KnownIssueId":null,"Event1803Count":11,"MissingKEK":true,"OSVersion":"10.0.26200","LastBootTime":"2026-03-18T15:38:05.4589810+00:00","BaseBoardManufacturer":"Parallels ARM Virtual Machine","BaseBoardProduct":"Parallels ARM Virtual Platform","SecureBootTaskEnabled":true,"SecureBootTaskStatus":"Ready","WinCSKeyApplied":true,"WinCSKeyStatus":"Applied"}
The 1803 event says the following:
A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer
arallels ARM Virtual Machine;FirmwareManufacturer
arallels International GmbH.;FirmwareVersion:26.2.2 (57373);OEMModelNumber
arallels ARM Virtual Machine;OEMModelBaseBoard
arallels ARM Virtual Platform;OEMModelSystemFamily
arallels VM;OEMManufacturerName
arallels International GmbH.;OEMModelSKU
arallels_ARM_VM;OSArchitecture:arm64;
BucketId: 4cbfbb8b5b825969859374b1f5dc1d6245853d7fe592cac4325034967f3cc6fe
BucketConfidenceLevel: Under Observation - More Data Needed.
For more information, please see
https://go.microsoft.com/fwlink/?linkid=2339472
