Frequently Asked Question
Microsoft UEFI Certificate
Q: Microsoft UEFI Certificate – What does it mean and how do I fix it?
You're seeing a warning related to the Microsoft UEFI 2023 certificate in your virtual machine (VM) environment. This message indicates that your VM is missing the required UEFI certificate for secure boot validation, specifically the Microsoft UEFI 2023 certificate, which is necessary for modern Windows systems to boot securely.
What does the message mean?
The error:
"EFI disk without ms-cert=2023 option, suggesting that the Microsoft UEFI 2023 certificate is not enrolled yet. The UEFI 2011 certificate expires in June 2026!"
means:
- Your VM is using UEFI firmware (common in modern Windows systems).
- It relies on secure boot to verify that the operating system and boot loader are trusted.
- Microsoft issues UEFI certificates to ensure only signed, trusted boot components can run.
- The UEFI 2011 certificate (used by older Windows versions) will expire in June 2026.
- To maintain secure boot functionality beyond that date, you must enroll the newer Microsoft UEFI 2023 certificate.
- If you don’t, your VM may fail to boot after June 2026 — or be blocked from booting entirely.
This is especially important if your VM runs Windows 10/11, Windows Server 2016+, or any system that uses BitLocker or Secure Boot.
⚠️ What happens if you don’t fix it?
If you ignore this warning and do not enroll the Microsoft UEFI 2023 certificate:
- Boot failure after June 2026
Once the UEFI 2011 certificate expires, systems will no longer trust the boot chain unless the newer 2023 certificate is present. This can cause:
- VMs failing to boot.
- Windows refusing to start with a "Secure Boot violation" or "Boot device not trusted" error.
- Potential data loss or downtime during critical operations.
- BitLocker issues
If your VM uses BitLocker, and secure boot is enforced, the system may fail to unlock the drive during boot because the boot chain is no longer trusted.
- Security risks
Without proper UEFI certificates, your system may become vulnerable to boot-level malware (e.g., rootkits) that can bypass traditional security measures.
- Compliance and audit risks
In regulated environments (e.g., healthcare, finance), failing to maintain secure boot compliance could lead to audit failures.
✅ How to fix it
Follow these steps to resolve the issue:
Step 1: Enroll the Microsoft UEFI 2023 certificate in your VM
Important: The VM must be shut down before running this command.
Run the following command on your Proxmox VE (PVE) host (or equivalent hypervisor with QEMU):
qm enroll-efi-keys 102
Replace 102 with the actual VM ID of your virtual machine.
This command:
- Adds the Microsoft UEFI 2023 certificate to the VM’s UEFI firmware.
- Ensures secure boot will trust the Windows boot process.
- Is safe to run even if the VM is not currently using secure boot.
Note: This command is specific to Proxmox VE. If you're using a different hypervisor (e.g., VMware, Hyper-V), the process may differ.
Step 2: If your VM uses BitLocker, disable BitLocker protectors temporarily
If your Windows VM uses BitLocker on any drive (e.g., C:), you must temporarily disable BitLocker before enrolling the new UEFI certificate. Otherwise, the system may fail to boot due to policy conflicts.
Run the following command inside Windows PowerShell (as Administrator):
manage-bde -protectors -disable C:
Replace C: with the drive letter of any BitLocker-protected volume.
Repeat this for each drive that has BitLocker enabled (e.g., D:, E:).
⚠️ After enrolling the UEFI certificate, you can re-enable BitLocker using: `manage-bde -protectors -enable C:`
Step 3: Reboot the VM
After running the qm enroll-efi-keys command and disabling BitLocker (if applicable), start the VM.
- The system should now boot normally.
- Secure boot will be validated using the updated Microsoft UEFI 2023 certificate.
- The warning message should disappear.
Additional Notes
- Check your VM’s UEFI settings: Ensure that Secure Boot is enabled in the VM configuration.
- Verify the certificate: After enrollment, you can check the UEFI keys in the VM’s firmware settings or via the command line on the PVE host (qm config prints the VM’s configuration; replace 102 with your VM ID):
qm config 102 | grep efi
Look for ms-cert=2023 in the efidisk line of the output.
- For non-Proxmox environments:
  - If you're using VMware, use the vmkfstools or esxcli commands to manage UEFI certificates.
  - If you're using Hyper-V, ensure the VM is configured with Secure Boot and UEFI firmware, and that the Microsoft certificate is included in the firmware.
- Automated monitoring: Consider setting up alerts or scheduled checks to ensure UEFI certificates remain valid.
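An added example of the scheduled check suggested above (it is not part of the original FAQ or of Proxmox VE): a POSIX shell script that inspects each VM's configuration for an EFI disk lacking the ms-cert=2023 option and reports which VMs still need enrollment. It assumes the `qm list` and `qm config` output formats shown in the comments; the sample configuration snippets are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Audit Proxmox VMs for the Microsoft UEFI 2023 certificate option.
# Assumed "qm config" line format (constructed example):
#   efidisk0: local-lvm:vm-102-disk-0,efitype=4m,ms-cert=2023,pre-enrolled-keys=1,size=4M

# efi_status CONFIG_TEXT
# Prints one of: no-efidisk | enrolled | needs-enrollment
efi_status() {
    line=$(printf '%s\n' "$1" | grep -E '^efidisk[0-9]+:' | head -n 1)
    if [ -z "$line" ]; then
        echo "no-efidisk"            # no EFI disk: not a UEFI/OVMF VM
    elif printf '%s' "$line" | grep -qE '(^|[,[:space:]])ms-cert=2023(,|$)'; then
        echo "enrolled"              # 2023 certificate option present
    else
        echo "needs-enrollment"      # candidate for: qm enroll-efi-keys <VMID>
    fi
}

# audit_vms: on a PVE host, print "VMID STATUS" for every VM.
# Assumes the first column of "qm list" is the VMID (header line skipped).
audit_vms() {
    qm list | awk 'NR > 1 { print $1 }' | while read -r vmid; do
        echo "$vmid $(efi_status "$(qm config "$vmid")")"
    done
}

# Constructed sample configurations for an offline demonstration.
SAMPLE_OLD='bios: ovmf
efidisk0: local-lvm:vm-102-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M
machine: q35'
SAMPLE_NEW='bios: ovmf
efidisk0: local-lvm:vm-103-disk-0,efitype=4m,ms-cert=2023,pre-enrolled-keys=1,size=4M'

if command -v qm >/dev/null 2>&1; then
    audit_vms                        # live audit on a Proxmox VE host
else
    echo "102 $(efi_status "$SAMPLE_OLD")"   # needs-enrollment
    echo "103 $(efi_status "$SAMPLE_NEW")"   # enrolled
fi
```

Run it from cron on the PVE host and alert on any line ending in needs-enrollment; the script only reads configuration and never enrolls keys itself, so the shutdown requirement in Step 1 still applies when you act on its output.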
✅ Summary: What to do now
| Action | Description |
|---|---|
| ✅ Shut down the VM | Required before enrolling keys |
| ✅ Run qm enroll-efi-keys <VM_ID> | Adds Microsoft UEFI 2023 certificate |
| ✅ Disable BitLocker (if enabled) | Use manage-bde -protectors -disable in PowerShell |
| ✅ Reboot the VM | Ensures new certificate is active |
| ✅ Re-enable BitLocker (optional) | Only after UEFI is updated |
❓ Need help?
If you're unsure about your VM’s configuration or encounter errors during the process:
- Check the VM ID and ensure it's correct.
- Confirm the VM is shut down (not paused or suspended).
- Verify that UEFI firmware is enabled in the VM settings.
- Contact our support team with the VM ID and error message for further assistance.
⚠️ Do not delay — the UEFI 2011 certificate expires in June 2026. After that, unpatched systems may become unbootable.
Let us know if you'd like a script to automate this process across multiple VMs.
