Secure Boot Updates not completing on Parallels VMs

Discussion in 'Windows Virtual Machine' started by PaulWoodward, Mar 18, 2026.

  1. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    I'm an IT Pro. We are pushing out the 2023 Secure Boot updates to all our physical devices, a process that must complete in June 2026, and I need to do the same for my Parallels VMs. While some of the updates are being delivered, the KEK update is failing to land.

    PS C:\WINDOWS\system32> Get-UEFICertificate | select subject
    Subject
    -------
    CN=Parallels UEFI Platform Key 2016, O=Parallels Holdings Ltd, C=US
    CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    We're missing CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
    When this works properly the last reported Event ID is 1808
    Here is the output from the Microsoft "Detect-SecureBootCertUpdateStatus" script:
    {"UEFICA2023Status":"InProgress","UEFICA2023Error":2147942402,"UEFICA2023ErrorEvent":1803,"AvailableUpdates":"0x4004","AvailableUpdatesPolicy":null,"Hostname":"W11-PVM9ADMARM1","CollectionTime":"2026-03-18T15:52:07.8520153+00:00","SecureBootEnabled":true,"HighConfidenceOptOut":null,"MicrosoftUpdateManagedOptIn":null,"OEMManufacturerName":"Parallels International GmbH.","OEMModelSystemFamily":"Parallels VM","OEMModelNumber":"Parallels ARM Virtual Machine","FirmwareVersion":"26.2.2 (57373)","FirmwareReleaseDate":"Fri, 30 Jan 2026 16:40:30","OSArchitecture":"ARM64","CanAttemptUpdateAfter":"2026-03-03T07:38:56.9440000Z","LatestEventId":1803,"BucketId":"4cbfbb8b5b825969859374b1f5dc1d6245853d7fe592cac4325034967f3cc6fe","Confidence":"Under Observation - More Data Needed.","SkipReasonKnownIssue":null,"Event1801Count":19,"Event1808Count":0,"Event1795Count":0,"Event1795ErrorCode":null,"Event1796Count":0,"Event1796ErrorCode":null,"Event1800Count":0,"RebootPending":false,"Event1802Count":0,"KnownIssueId":null,"Event1803Count":11,"MissingKEK":true,"OSVersion":"10.0.26200","LastBootTime":"2026-03-18T15:38:05.4589810+00:00","BaseBoardManufacturer":"Parallels ARM Virtual Machine","BaseBoardProduct":"Parallels ARM Virtual Platform","SecureBootTaskEnabled":true,"SecureBootTaskStatus":"Ready","WinCSKeyApplied":true,"WinCSKeyStatus":"Applied"}
    The 1803 event says the following:
    A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
    This device signature information is included here.

    DeviceAttributes: BaseBoardManufacturer:parallels ARM Virtual Machine;FirmwareManufacturer:parallels International GmbH.;FirmwareVersion:26.2.2 (57373);OEMModelNumber:parallels ARM Virtual Machine;OEMModelBaseBoard:parallels ARM Virtual Platform;OEMModelSystemFamily:parallels VM;OEMManufacturerName:parallels International GmbH.;OEMModelSKU:parallels_ARM_VM;OSArchitecture:arm64;

    BucketId: 4cbfbb8b5b825969859374b1f5dc1d6245853d7fe592cac4325034967f3cc6fe
    BucketConfidenceLevel: Under Observation - More Data Needed.
    For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472
     
    WilliamS65 and JakubS3 like this.
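
Added example (not part of the original post and not Microsoft's script): a fleet-side triage of the JSON records the detection script emits, using only field names visible in the output quoted above. The status labels, function names and the second sample record are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: the first record is trimmed from the output quoted in the
# post; the second is a made-up completed machine for contrast.
SAMPLE = """[
 {"Hostname": "W11-PVM9ADMARM1", "UEFICA2023Error": 2147942402,
  "LatestEventId": 1803, "MissingKEK": true, "RebootPending": false,
  "Event1803Count": 11, "Event1808Count": 0,
  "OEMModelSystemFamily": "Parallels VM", "FirmwareVersion": "26.2.2 (57373)"},
 {"Hostname": "EXAMPLE-PC-01", "UEFICA2023Error": null,
  "LatestEventId": 1808, "MissingKEK": false, "RebootPending": false,
  "Event1803Count": 0, "Event1808Count": 1,
  "OEMModelSystemFamily": "Example Family", "FirmwareVersion": "1.0"}
]"""


def decode_error(code):
    """Return (HRESULT hex string, Win32 error code or None) for UEFICA2023Error."""
    if code is None:
        return None, None
    code &= 0xFFFFFFFF
    facility = (code >> 16) & 0x1FFF
    win32 = code & 0xFFFF if facility == 7 else None  # 7 = FACILITY_WIN32
    return f"0x{code:08X}", win32  # 2147942402 is 0x80070002, Win32 error 2


def triage(rec):
    """Classify one record using only fields that appear in the quoted output."""
    if rec.get("LatestEventId") == 1808 or (rec.get("Event1808Count") or 0) > 0:
        return "complete"        # 1808 is the success event named in the post
    if rec.get("MissingKEK") and (rec.get("Event1803Count") or 0) > 0:
        return "blocked-kek"     # 1803: no PK-signed KEK found for the device
    if rec.get("RebootPending"):
        return "reboot-pending"
    return "in-progress"


def blocked_by_platform(records):
    """Group KEK-blocked hosts by (system family, firmware version)."""
    groups = defaultdict(list)
    for rec in records:
        if triage(rec) == "blocked-kek":
            key = (rec.get("OEMModelSystemFamily"), rec.get("FirmwareVersion"))
            hresult = decode_error(rec.get("UEFICA2023Error"))[0]
            groups[key].append((rec["Hostname"], hresult))
    return dict(groups)


if __name__ == "__main__":
    for platform, hosts in blocked_by_platform(json.loads(SAMPLE)).items():
        print(platform, hosts)
```

Grouping by system family and firmware version separates machines that are waiting on a firmware vendor from machines that only need a reboot or more time.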
  2. WilliamS65

    WilliamS65

    Messages:
    3
    I've submitted two support tickets asking when Parallels will provide the necessary KEK-2023 so the process can be completed. They closed the first ticket with only a response that it was with engineering. In my case everything is in place except the BIOS updated with KEK-2023, and only Parallels can supply that piece. Amazing how little discussion there is on this, since the worst case is that if they do not address it in a timely manner, we can no longer access our Windows 11 VMs using secure boot once the deadline comes. A simple "we are aware and the solution will be available prior to the deadline" isn't too much to ask for anyone paying for a subscription and relying on their product.
     
  3. WilliamS65

    WilliamS65

    Messages:
    3
    Update, as of the last Parallels update on 3/27 I have noted the 1801 TPM-WMI system event has stopped occurring, it was occurring consistently twice per day, indicating this has likely been resolved. I haven't run the script yet to verify but this indicator is promising. I closed my ticket at least, as it wasn't of much use anyhow.
     
  4. WilliamS65

    WilliamS65

    Messages:
    3
    After re‑running the Secure Boot checks I used earlier, it looks like Parallels changed how Secure Boot works inside the VM. Windows still reports Secure Boot as enabled, but the underlying setup is different from before.
    The main change is that the VM now uses a Parallels‑issued Platform Key instead of the Microsoft one. Because of that, Windows no longer expects the newer Microsoft KEK‑2023 key, which explains why the daily 1801 event stopped showing up. The KEK, DB, and DBX entries that used to come from Microsoft aren't exposed the same way anymore, but Windows is satisfied with the current setup and treats the VM as compliant.
     
  5. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    I'm still getting 1801 and 1803, despite a VM firmware update to 26.3.0. It is now April. The deadline is rapidly approaching. Still no word if/when this should be resolved by Parallels. This lack of comms is not really acceptable from an expensive commercial product.
    (1803)
    A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
    This device signature information is included here.
    DeviceAttributes: BaseBoardManufacturer:parallels ARM Virtual Machine;FirmwareManufacturer:parallels International GmbH.;FirmwareVersion:26.3.0 (57392);OEMModelNumber:parallels ARM Virtual Machine;OEMModelBaseBoard:parallels ARM Virtual Platform;OEMModelSystemFamily:parallels VM;OEMManufacturerName:parallels International GmbH.;OEMModelSKU:parallels_ARM_VM;OSArchitecture:arm64;
    BucketId: a513de5264f33dcf43d56027944182444d5898f0a8cbb92bdee6a679ae0047eb
    BucketConfidenceLevel: No Data Observed - Action Required.
    For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472
     
  6. Trishna Oobeyram

    Trishna Oobeyram Staff Member

    Messages:
    487
    Hello All,
    A new version of Parallels Desktop is out whereby secure boot certificates have been updated for new Windows virtual machines to keep them running correctly.
    Kindly check the following article.
    Regards,
     
  7. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    Has made no difference for me. Still seeing the 1803 error despite the 26.3.1 firmware.
     


  8. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    I've seen reference to this article from Broadcom/VMware.
    https://knowledge.broadcom.com/external/article/423919

    cause: The Platform Key (PK) on virtual machines has an invalid signature, which causes updates to the Key Exchange Key (KEK) database to fail. As a result, the automated Secure Boot update process fails and reports error events or logs.

    solution: Update the Platform Key that has an invalid signature by replacing it with the Windows OEM Device Key before performing any automated updates to the Secure Boot databases.

    In essence: download the Windows OEM Device Key (PK) from Microsoft, convert it to DER, go into EFI setup, and enrol the PK. To do this, you need to add an option to the VM (uefi.allowAuthBypass = "TRUE"). No idea if something similar exists for Parallels?

    Could be I need to do something similar?? Be nice if Parallels had proper documentation like this!
     
  9. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    Hmm, this isn't going to help any. The PK expired in March!

    PS C:\> Get-SecureBootUEFI -Name PK -Decoded

    SignatureOwner : cc248a4f-5276-411b-bef3-c7206872cdd8
    Subject : CN=Parallels UEFI Platform Key 2016, O=Parallels Holdings Ltd, C=US
    Version : 3
    Algorithm : sha256RSA
    SerialNumber : 00F2E7F83F5ED7C0E2
    ValidFrom : 2016-03-22 12:49:12Z
    ValidTo : 2026-03-20 12:49:12Z
     
  10. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    Hmm, so on a brand new Parallels Win 11 machine:

    PS C:\> Get-SecureBootUEFI -Name PK -Decoded

    SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
    Subject : CN=Windows OEM Devices PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Version : 3
    Algorithm : sha256RSA
    SerialNumber : 3300000014E8C838DEDE044EA7000000000014
    ValidFrom : 2023-09-21 21:28:26Z
    ValidTo : 2038-09-18 21:28:26Z


    PS C:\Users\paul> Get-SecureBootUEFI -Name KEK -Decoded

    SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
    Subject : CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Version : 3
    Algorithm : sha256RSA
    SerialNumber : 610AD188000000000003
    ValidFrom : 2011-06-24 21:41:29Z
    ValidTo : 2026-06-24 21:51:29Z

    SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
    Subject : CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
    Version : 3
    Algorithm : sha256RSA
    SerialNumber : 33000000131416B8616D82824B000000000013
    ValidFrom : 2023-03-02 20:21:35Z
    ValidTo : 2038-03-02 20:31:35Z

    So all good. Now the question is, do I need to trash and rebuild all my VMs, or do Parallels have a solution?
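
Added example (not part of the original posts): a parser for the `Key : Value` text that `Get-SecureBootUEFI -Decoded` prints in the two posts above, used to compare an existing VM with a newly created one. The inputs are constructed from the quoted outputs with prompts removed; the function names and the evaluation date are assumptions.

```python
from datetime import datetime, timezone

KEK_2023_CN = "Microsoft Corporation KEK 2K CA 2023"  # subject CN quoted in the thread
AS_OF = datetime(2026, 4, 15, tzinfo=timezone.utc)    # constructed evaluation date

# Constructed inputs: fields copied from the outputs quoted in the thread.
OLD_PK = """Subject : CN=Parallels UEFI Platform Key 2016, O=Parallels Holdings Ltd, C=US
ValidTo : 2026-03-20 12:49:12Z"""
NEW_PK = """Subject : CN=Windows OEM Devices PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
ValidTo : 2038-09-18 21:28:26Z"""
KEK_2011 = """Subject : CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
ValidTo : 2026-06-24 21:51:29Z"""
KEK_2023 = """Subject : CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
ValidTo : 2038-03-02 20:31:35Z"""


def parse_decoded(text):
    """Turn 'Key : Value' text into one dict per entry; blank lines separate entries."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        key, sep, value = line.partition(":")
        if sep and key.strip():
            current[key.strip()] = value.strip()
        elif current:
            entries.append(current)
            current = {}
    return entries


def common_name(subject):
    """Extract the CN component from a comma-separated subject string."""
    for part in subject.split(","):
        name, _, value = part.strip().partition("=")
        if name == "CN":
            return value
    return subject


def not_after(entry):
    """Parse the ValidTo field as a UTC timestamp."""
    return datetime.strptime(entry["ValidTo"], "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(pk_text, kek_text, as_of):
    """Summarise PK identity and expiry, and whether the 2023 KEK is enrolled."""
    pk, kek = parse_decoded(pk_text), parse_decoded(kek_text)
    return {
        "pk": [common_name(e["Subject"]) for e in pk],
        "pk_expired": any(not_after(e) < as_of for e in pk),
        "kek": [common_name(e["Subject"]) for e in kek],
        "kek_2023_present": any(common_name(e["Subject"]) == KEK_2023_CN for e in kek),
    }
```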
     
  11. Ronaldv

    Ronaldv Bit poster

    Messages:
    3
  12. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    Thanks for letting me know. At least this does mention the issue, and I know it is being worked on. But it's very light on detail. I'm not a child. I still need an actual date when I can expect this to be delivered, because machines that have not completed the transition to the new certs will be blocked from our Corporate environment in mid June. If the aim is to deliver a solution by Jun 1st, I could work with that. I understand dates can slip, and that's OK. But I need to know what date you are working to. For context, since Dec 2025 I have transitioned over 400 physical PCs and a bunch of VMware VMs, and yet I'm still waiting for Parallels to deliver a solution with only 6 weeks to go! I'm seriously considering canceling my Pro subscriptions and moving to Fusion. I do not want to, it's a worse product, but at least they have a documented manual solution available. I've been waiting 6 weeks to get an article mentioning the issue, and then it comes and is mostly fluff. This all falls very short of the kind of comms an IT pro needs.
     
  13. Ronaldv

    Ronaldv Bit poster

    Messages:
    3

    I am not a Parallels representative, so do not shoot the messenger.
     
  14. PaulWoodward

    PaulWoodward Junior Member

    Messages:
    12
    Sorry for any offence Ronaldv, none intended. My frustration is with the Parallels post and their performance in getting this matter dealt with. I very much appreciate you bringing it to my attention. Thank you. :D The fact that it is you keeping me informed and not Parallels (who have closed my support ticket) reinforces my opinion that their support and comms are severely lacking.
     
  15. Trishna Oobeyram

    Trishna Oobeyram Staff Member

    Messages:
    487
    Hello @PaulWoodward
    We apologise for the inconvenience caused.
    Indeed, our internal team is working on this issue, and we do not have an ETA for when the fix will be released.
    For the time being, newly created virtual machines in Parallels Desktop version 26.3.1 and above will have their secure boot updated to the latest standards. We are still finalising the process for existing virtual machines and will provide a further update once it's available.
    Thank you for understanding.
    Regards,
     
