Secure Boot Updates not completing on Parallels VMs

After running this PowerShell command: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') I received a TRUE result as a certificate update confirmation.

 

I assumed I would get a new Secure Boot status message stating "all required certificates have been applied" (or seeing a green badge) means your certificates are fully updated" although the status message is still "Secure boot is on but your device is using an older boot trust configuration that should be updated. There is not enough data to classify your device for automatic update"

 

The latest Windows update creates some diagnostic scripts in this folder. Use them to see the details.
C:\WINDOWS\SecureBoot\ExampleRolloutScripts
Detect-SecureBootCertUpdateStatus.ps1 will show a summary. You need the KEK to be updated, which in turn requires a PK from Parallels. This was the main issue up until now. If that is fixed, everything else can proceed. It sounds like your machine got the Windows UEFI CA 2023, but it will not trust it until the PK and 2023 KEK also land. Once that is sorted, it should be able to proceed to using the 2023 signed bootloader - it will not do that step until the trust is established. It may need to run a scheduled task and be restarted again to complete all the steps and give you a green tick.

 

PaulWoodward,
Your explanation helped me understand the complete update process. Thank You for taking the time to explain.

 

you're welcome, that's what the community is all about!

 

I am running Parallels version 26.3.3 (57507) and Windows 11 Pro 25H2. I got the same message in the Device Security panel: "Secure boot is on but your device is using an older boot trust configuration that should be updated." Today I applied the latest Windows update, KB5094126, which updated my OS build to 26200.8655. After the reboot the message in Device Security didn't change immediately. But I waited a while, and now the message has changed to "Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed." It appears that Windows has finally applied whatever updates are required to the boot manager, and combined with the updated certificates the issue appears to be resolved, at least for me.