Updating the Secure Boot Certificate of a Desktop

Scenarios

When a Windows 11 image is created, the desktop's secure boot certificate is the third-party certificate of version 2011. If the certificate is revoked or invalid, the desktop may malfunction. The certificate of version 2023 cannot be directly imported to the desktop. To ensure that the desktop works properly, perform the following operations to update the desktop's secure boot certificate to version 2023.

Prerequisites

You have created a Windows 11 image and provisioned an ECS:

Create a Windows 11 image by referring to Required Software, Registering a Private Image Using an ISO File, Creating an ECS, Configuring an ECS, and Creating a User Desktop Image.
Provision an ECS on the ECS console using the OS image created in Creating a User Desktop Image.

When provisioning an ECS, select Ac8 for the flavor.

You have obtained the certificate of version 2023:

Obtain the platform key: On the page for obtaining the certificate, click the windows oem devices pk.cer key next to PKpub to download the key.
Obtain the key exchange key: On the page for obtaining the certificate, click the microsoft corporation kek 2k ca 2023.crt key next to Microsoft Corporation KEK 2K CA 2023 to download the key.
Obtain the signature database key: On the page for obtaining the certificate, click the windows uefi ca 2023.crt key next to Windows UEFI CA 2023 to download the key.

Constraints

Only the following OS versions are supported:

Windows 11 Enterprise 23H2
Windows 11 Pro 24H2
Windows 11 Enterprise 24H2
Windows 11 Enterprise LTSC 24H2

Procedure

Updating the DB certificate

Add the Windows UEFI CA 2023 certificate to the UEFI Secure Boot Signature Database (DB). In doing so, the device firmware will trust the startup applications signed by this certificate.

Log in to the ECS using the account and password.
Run the following commands to update the DB certificate:
1. Search for Command Prompt in the Start menu of the ECS and click Run as administrator to open the CLI window.
Run reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f.
1. Search for Windows PowerShell in the Start menu of the ECS and click Run as administrator to open the Windows PowerShell window.
Run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update".
Search for Windows PowerShell in the Start menu of the ECS and click Run as administrator to open the Windows PowerShell window.

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If True is returned, the database has been updated.

Updating the boot manager on the device

Install the boot manager signed by the Windows UEFI CA 2023 certificate on the device.

Search for Command Prompt in the Start menu of the ECS and click Run as administrator to open the CLI window.

Run reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f.
Search for Windows PowerShell in the Start menu of the ECS and click Run as administrator to open the Windows PowerShell window.

Run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update".
Restart the ECS.

Checking whether the certificate of version 2023 has been updated

Check whether the bootmgfw.efi file is signed by the Windows UEFI CA 2023 certificate.

Search for Command Prompt in the Start menu of the ECS and click Run as administrator to open the CLI window.
Mount the EFI partition as an administrator.

Run mountvol s: /s.
Copy the bootmgfw.efi configuration file to drive C.

Run copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\bootmgfw_2023.efi.
Right-click the C:\bootmgfw_2023.efi file, click Properties, and select the Digital Signatures tab.
Click the details and then click the button of viewing certificates.
On the certificate details page displayed, click the certificate path.

If the certificate version is not 2023, repeat 4, 5, and 7 to 11.

Revoking the certificate of version 2011

After the certificate of version 2011 is revoked, the ECS cannot be started after the restart because the certificate configured for image verification is of version 2011.

Add the Windows Production PCA 2011 certificate to the Secure Boot UEFI Forbidden List (DBX).
Run the following commands:
1. Search for Command Prompt in the Start menu of the ECS and click Run as administrator to open the CLI window.
Run reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f.
1. Search for Windows PowerShell in the Start menu of the ECS and click Run as administrator to open the Windows PowerShell window.
Run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update".
Press Win + R on the ECS. In the displayed dialog box, enter eventvwr.msc to open Event Viewer.
On the Event Viewer page, click Windows Logs > System.
Check the event whose ID is 1037 to verify whether the installation list and revocation list have been applied.

Deleting the temporary admin user

The temporary user is the user created in 14.

Right-click in the lower left corner and choose Run from the shortcut menu.

The Run dialog box is displayed.
Enter sysdm.cpl in the Open text box and press Enter.

The System Properties window is displayed.
On the Advanced tab, click Settings under User Profiles.
On the User Profiles page, select the profiles of the user to be deleted and click Delete.
Click OK.
Close the System Properties window.
Click Start > Run.

The Run dialog box is displayed.
Enter compmgmt.msc in the Open text box and press Enter.

The Computer Management window is displayed.
In the navigation pane on the left, choose System Tools > Local Users and Groups > Users.
In the right pane, right-click the username to be deleted and choose Delete.
Click Yes.
Click OK.
Close the Computer Management window.

Creating an image

In the ECS list, locate the ECS for which you want to create an image, click More in the Operation column, and choose Manage Image/Backup > Create Image.

Configuring the certificate of version 2023 and secure boot

Obtain the certificate of version 2023 by referring to Prerequisites.
Log in to the ECS using the account and password.
Convert the certificate key obtained in 31 to Base64 code.
Search for Windows PowerShell in the Start menu of the ECS and click Run as administrator to open the Windows PowerShell window.

Run the following commands to convert the certificate to Base64 code:

[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("windows oem devices pk.cer certificate storage path")) | Out-File -FilePath "windows oem devices pk.base64 certificate generation path" -NoNewline

[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("microsoft corporation kek 2k ca 2023.crt certificate storage path")) | Out-File -FilePath "microsoft corporation kek 2k ca 2023.base64 certificate generation path" -NoNewline

[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("windows uefi ca 2023.crt certificate storage path")) | Out-File -FilePath "windows uefi ca 2023.base64 certificate generation path" -NoNewline
Replace the three certificate storage paths and three certificate generation paths in the preceding commands with the actual ones.

Example of the windows oem devices pk.cer certificate:
- Example of the certificate storage path: C:\windows oem devices pk.cer
- Example of the certificate generation path: C:\windows oem devices pk.base64
Call the APIs to enable secure boot and VTPM.
1. Obtain the image_id. In the navigation pane of the ECS console, choose Image Management Service.
2. On the Image Management Service page, obtain the image ID, as shown in Figure 1.
  Figure 1 Image ID
3. Edit the following content:
  Replace the values of the following parameters:
  - Replace $__platform_key with the content of the windows oem devices pk.base64 certificate generated in 34.
  - Replace $__key_exchange_key with the content of the microsoft corporation kek 2k ca 2023.base64 certificate generated in 34.
  - Replace $__signature_database with the content of the windows uefi ca 2023.base64 certificate generated in 34.
  Do not copy -----BEGIN CERTIFICATE----- in the first line and -----END CERTIFICATE----- at the end when copying the key content in 34.
```
[
    {
    "op": "add",
    "path": "/__support_tpm",
    "value": "true"
},{
    "op": "add",
    "path": "/__support_secure_boot",  
    "value": "true"
  },
  {
    "op": "add",
    "path": "/__platform_key",         
    "value": "$__platform_key"      
  },
  {
    "op": "add",
    "path": "/__key_exchange_key",
    "value": "$__key_exchange_key"   
  },
  {
    "op": "add",
    "path": "/__signature_database",
    "value": "$__signature_database"  
  }
]
```
1. Call the API through API Explorer.
  1. Select a region from the Region drop-down list.
  2. Enter the image_id obtained in 35.b.
  3. Click Switch to Text Input and enter the content edited in 35.c.
  4. Click Debug, as shown in Figure 2.
    Figure 2 API calling

Use the created image to provision desktops on the Workspace console.
Workspace supports scheduled desktop snapshot creation. The purpose of desktop snapshot creation is to quickly back up and restore data. If a personal misoperation, software incompatibility, system breakdown or fault, or software conflict occurs, snapshot restoration can help quickly restore your desktop to the previous state, preventing data loss and work interruption.
- For details about how to create a desktop snapshot, see Scheduled Snapshot Creation.
- For details about how to restore a snapshot, see "Restoring a snapshot" in Snapshots.