Secure Boot Updates not completing on Parallels VMs

After running this PowerShell command: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') I received a TRUE result as a certificate update confirmation.

 

I assumed I would get a new Secure Boot status message stating "all required certificates have been applied" (or seeing a green badge) means your certificates are fully updated" although the status message is still "Secure boot is on but your device is using an older boot trust configuration that should be updated. There is not enough data to classify your device for automatic update"

 

The latest Windows update creates some diagnostic scripts in this folder. Use them to see the details.
C:\WINDOWS\SecureBoot\ExampleRolloutScripts
Detect-SecureBootCertUpdateStatus.ps1 will show a summary. You need the KEK to be updated, which in turn requires a PK from Parallels. This was the main issue up until now. If that is fixed, everything else can proceed. It sounds like your machine got the Windows UEFI CA 2023, but it will not trust it until the PK and 2023 KEK also land. Once that is sorted, it should be able to proceed to using the 2023 signed bootloader - it will not do that step until the trust is established. It may need to run a scheduled task and be restarted again to complete all the steps and give you a green tick.