Secure Boot Updates not completing on Parallels VMs

Discussion in 'Windows Virtual Machine' started by PaulWoodward, Mar 18, 2026.

  1. PaulWoodward

    PaulWoodward Bit poster

    Messages:
    6
    I'm an IT Pro. We are pushing out the 2023 Secure Boot updates to all our physical devices, a process that must complete in June 2026, and I need to do the same for my Parallels VMs. While some of the updates are being delivered, the KEK update is failing to land.

    PS C:\WINDOWS\system32> Get-UEFICertificate | select subject
    Subject
    -------
    CN=Parallels UEFI Platform Key 2016, O=Parallels Holdings Ltd, C=US
    CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    We're missing CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
    When this works properly the last reported Event ID is 1808
    Here is the output from the Microsoft "Detect-SecureBootCertUpdateStatus" script:
    {"UEFICA2023Status":"InProgress","UEFICA2023Error":2147942402,"UEFICA2023ErrorEvent":1803,"AvailableUpdates":"0x4004","AvailableUpdatesPolicy":null,"Hostname":"W11-PVM9ADMARM1","CollectionTime":"2026-03-18T15:52:07.8520153+00:00","SecureBootEnabled":true,"HighConfidenceOptOut":null,"MicrosoftUpdateManagedOptIn":null,"OEMManufacturerName":"Parallels International GmbH.","OEMModelSystemFamily":"Parallels VM","OEMModelNumber":"Parallels ARM Virtual Machine","FirmwareVersion":"26.2.2 (57373)","FirmwareReleaseDate":"Fri, 30 Jan 2026 16:40:30","OSArchitecture":"ARM64","CanAttemptUpdateAfter":"2026-03-03T07:38:56.9440000Z","LatestEventId":1803,"BucketId":"4cbfbb8b5b825969859374b1f5dc1d6245853d7fe592cac4325034967f3cc6fe","Confidence":"Under Observation - More Data Needed.","SkipReasonKnownIssue":null,"Event1801Count":19,"Event1808Count":0,"Event1795Count":0,"Event1795ErrorCode":null,"Event1796Count":0,"Event1796ErrorCode":null,"Event1800Count":0,"RebootPending":false,"Event1802Count":0,"KnownIssueId":null,"Event1803Count":11,"MissingKEK":true,"OSVersion":"10.0.26200","LastBootTime":"2026-03-18T15:38:05.4589810+00:00","BaseBoardManufacturer":"Parallels ARM Virtual Machine","BaseBoardProduct":"Parallels ARM Virtual Platform","SecureBootTaskEnabled":true,"SecureBootTaskStatus":"Ready","WinCSKeyApplied":true,"WinCSKeyStatus":"Applied"}
    The 1803 event says the following:
    A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
    This device signature information is included here.

    DeviceAttributes: BaseBoardManufacturer:parallels ARM Virtual Machine;FirmwareManufacturer:parallels International GmbH.;FirmwareVersion:26.2.2 (57373);OEMModelNumber:parallels ARM Virtual Machine;OEMModelBaseBoard:parallels ARM Virtual Platform;OEMModelSystemFamily:parallels VM;OEMManufacturerName:parallels International GmbH.;OEMModelSKU:parallels_ARM_VM;OSArchitecture:arm64;

    BucketId: 4cbfbb8b5b825969859374b1f5dc1d6245853d7fe592cac4325034967f3cc6fe
    BucketConfidenceLevel: Under Observation - More Data Needed.
    For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472
     
    WilliamS65 and JakubS3 like this.
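
Added example, not part of the original post or of Microsoft's script: one way to triage the JSON the detection script emits across several VMs and to decode the decimal UEFICA2023Error value (2147942402 is HRESULT 0x80070002). The hostnames, the second record, the function names and the state labels are assumptions made for illustration; only fields shown in the post are read.

```powershell
# Constructed sample in the shape of the script output quoted above.
# Hostnames and the second record are made up for illustration.
$sample = @'
[
  {"Hostname":"VM-A","SecureBootEnabled":true,"UEFICA2023Error":2147942402,
   "LatestEventId":1803,"MissingKEK":true,"FirmwareVersion":"26.2.2 (57373)"},
  {"Hostname":"VM-B","SecureBootEnabled":true,"UEFICA2023Error":null,
   "LatestEventId":1808,"MissingKEK":false,"FirmwareVersion":"constructed"}
]
'@

function ConvertTo-HResultText {
    # Render the decimal value as an HRESULT and split out facility and code.
    param($Value)
    if ($null -eq $Value) { return $null }
    $v        = [long]$Value
    $facility = ($v -shr 16) -band 0x1FFF
    $code     = [int]($v -band 0xFFFF)
    $text     = '0x{0:X8}' -f $v
    if ($facility -eq 7) {
        # Facility 7 is FACILITY_WIN32: the low word is a Win32 error code.
        $msg  = [System.ComponentModel.Win32Exception]::new($code).Message
        $text = '{0} (Win32 error {1}: {2})' -f $text, $code, $msg
    }
    $text
}

function Get-SecureBootTriage {
    # State labels are hypothetical names chosen for this example.
    param([Parameter(ValueFromPipeline = $true)]$Record)
    process {
        $state = if (-not $Record.SecureBootEnabled) { 'SecureBootOff'
        } elseif ($Record.LatestEventId -eq 1808) { 'Complete'
        } elseif ($Record.MissingKEK -or $Record.LatestEventId -eq 1803) { 'BlockedOnFirmwareKEK'
        } else { 'InProgress' }
        [pscustomobject]@{
            Hostname = $Record.Hostname
            State    = $state
            Firmware = $Record.FirmwareVersion
            Error    = ConvertTo-HResultText $Record.UEFICA2023Error
        }
    }
}

# Parentheses force enumeration of the array on Windows PowerShell 5.1.
($sample | ConvertFrom-Json) | Get-SecureBootTriage | Format-List
```
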
  2. WilliamS65

    WilliamS65

    Messages:
    3
    I've submitted two support tickets asking when Parallels will provide the necessary KEK-2023 so the process can be completed. They closed the first ticket with only a response that it was with engineering. In my case everything is in place except the BIOS updated with KEK-2023, and only Parallels can supply that piece. Amazing how little discussion there is on this, since the worst case is that if they do not address it in a timely manner, we can no longer access our Windows 11 VMs using secure boot once the deadline comes. A simple "we are aware and the solution will be available prior to deadline" isn't too much to ask, for anyone paying for a subscription and relying on their product.
     
  3. WilliamS65

    WilliamS65

    Messages:
    3
    Update: as of the last Parallels update on 3/27, I have noted the 1801 TPM-WMI system event has stopped occurring (it was occurring consistently twice per day), indicating this has likely been resolved. I haven't run the script yet to verify, but this indicator is promising. I closed my ticket at least, as it wasn't of much use anyhow.
     
  4. WilliamS65

    WilliamS65

    Messages:
    3
    After re‑running the Secure Boot checks I used earlier, it looks like Parallels changed how Secure Boot works inside the VM. Windows still reports Secure Boot as enabled, but the underlying setup is different from before.
    The main change is that the VM now uses a Parallels‑issued Platform Key instead of the Microsoft one. Because of that, Windows no longer expects the newer Microsoft KEK‑2023 key, which explains why the daily 1801 event stopped showing up. The KEK, DB, and DBX entries that used to come from Microsoft aren't exposed the same way anymore, but Windows is satisfied with the current setup and treats the VM as compliant.
     
  5. PaulWoodward

    PaulWoodward Bit poster

    Messages:
    6
    I'm still getting 1801 and 1803, despite a VM firmware update to 26.3.0. It is now April. The deadline is rapidly approaching. Still no word if/when this should be resolved by Parallels. This lack of comms is not really acceptable from an expensive commercial product.
    (1803)
    A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
    This device signature information is included here.
    DeviceAttributes: BaseBoardManufacturer:parallels ARM Virtual Machine;FirmwareManufacturer:parallels International GmbH.;FirmwareVersion:26.3.0 (57392);OEMModelNumber:parallels ARM Virtual Machine;OEMModelBaseBoard:parallels ARM Virtual Platform;OEMModelSystemFamily:parallels VM;OEMManufacturerName:parallels International GmbH.;OEMModelSKU:parallels_ARM_VM;OSArchitecture:arm64;
    BucketId: a513de5264f33dcf43d56027944182444d5898f0a8cbb92bdee6a679ae0047eb
    BucketConfidenceLevel: No Data Observed - Action Required.
    For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472
     
