You can find more information here: https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
When booting a VM that does not contain the correct keys, the following message may appear:
EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet. The UEFI 2011 certificates expire
in June 2026! The new certificates are required for secure boot update for Windows
and common Linux distributions. Use 'Disk Action > Enroll Updated Certificates'
in the UI or, while the VM is shut down, run 'qm enroll-efi-keys <vmid>' to enroll
the new certificates.

For Windows with BitLocker, run the following command inside Powershell:

  manage-bde -protectors -disable <drive>

for each drive with BitLocker (for example, <drive> could be 'C:').
How can you resolve this?
Log in to Proxmox, select the correct VM, go to the Hardware tab, select the EFI Disk, click Disk Action, and click Enroll Updated Certificates.
Next, you must power down the VM to apply the changes to the EFI disk.
How do you verify that the correct certificates have been deployed?
In PowerShell, you can check whether the correct UEFI keys are available using the command:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
If the output is "True", the new certificates have been deployed.
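The one-liner above only looks for 'Windows UEFI CA 2023' in db, while the Proxmox warning refers to all UEFI 2023 certificates. The following added example (not part of the original page and not Proxmox or Microsoft code) extends the same string-match approach to the KEK and db variables; the certificate names are the ones Microsoft publishes for the 2023 rollover and are an assumption about what is enrolled in your VM. Run it in an elevated PowerShell session inside the Windows guest.

```powershell
# Added example: report which Microsoft 2023 Secure Boot certificates are
# present in the guest's UEFI variables. Requires an elevated session.

function Test-SecureBoot2023Certs {
    # Assumption: certificate common names as published by Microsoft,
    # keyed by the UEFI variable expected to hold them.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    }

    foreach ($var in $expected.Keys) {
        try {
            # Same technique as the one-liner: the certificate subject is
            # stored as readable ASCII inside the DER-encoded certificate.
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        } catch {
            # Variable unreadable: not a UEFI guest, or session not elevated.
            $text = ''
        }
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                Variable    = $var
                Certificate = $name
                Enrolled    = $text.Contains($name)
            }
        }
    }
}

$report = @(Test-SecureBoot2023Certs)
$report | Format-Table -AutoSize

# Confirm-SecureBootUEFI returns True when Secure Boot is enabled and
# throws on firmware that does not support it.
try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $enabled = $false }
"Secure Boot enabled: $enabled"

if ($report.Enrolled -contains $false) {
    Write-Warning 'Not all 2023 certificates are enrolled in this VM.'
}
```

A row with Enrolled = False for the KEK entry while the db entries are True means the db was updated but the key exchange key was not.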