Secure Boot Remediation
This guide describes the full procedure for remediating Secure Boot on a virtual machine, required due to upcoming Microsoft certificate changes. The process consists of two automated day-2 operations with a mandatory manual step in between that must be performed by the customer.
Overview
| Step | Type | Action |
|---|---|---|
| 1 | Automated (Day-2 Operation) | Secure Boot Preparation |
| 2 | Manual (Customer) | Platform Key Enrollment in BIOS/EFI |
| 3 | Automated (Day-2 Operation) | Secure Boot Finalization |
Step 1: Secure Boot Preparation (Automated Operation)
This day-2 action prepares your virtual machine for the Secure Boot certificate update required due to upcoming Microsoft changes.
The process will automatically perform the following steps:
- Configure VM boot settings to allow Secure Boot updates
- Attach a temporary disk containing the required Microsoft Platform Key (PK)
- Create a safety snapshot for rollback purposes
- Perform a controlled reboot of the virtual machine
Once completed, the VM is ready for manual Secure Boot key enrollment. Proceed to Step 2.
Step 2: Secure Boot Platform Key Enrollment (Manual Steps)
After the preparation is complete, the customer must manually enroll the Platform Key in the VM's BIOS/EFI.
Follow the steps below carefully.
Step 1: Open Virtual Machine Console
- Open the VM Console via the Portal
- Keep the console open for BIOS/EFI access
Step 2: Power On the Virtual Machine
- Start the VM while the console is open
- Press F2 to enter BIOS/EFI setup
Step 3: Enroll Microsoft Platform Key
Navigate in BIOS:
- Enter Setup
- Secure Boot Configuration
- PK Options
- Enroll PK
- Enroll KEK
Enroll PK:
- Select the disk labeled KEYUPDATE
- Choose WindowsOEMDevicesPK.der
- Confirm and commit changes
Enroll KEK:
- Select the disk labeled KEYUPDATE
- Choose microsoft corporation kek 2k ca 2023.der
- Confirm and commit changes
- Exit BIOS
Step 4: Reboot the Virtual Machine
- The VM should reboot automatically after exiting BIOS
- If not, reboot it manually via the Portal
Step 5: Operating System Boot
- Wait until the operating system has fully started
Step 6: Verify Platform Key
Linux:
mokutil --pk
Windows:
Execute the provided PowerShell verification script. The script will:
- Check if Microsoft Secure Boot certificates (2023) are present
- Verify required Windows updates
- Support certificate migration (if needed)
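The following PowerShell is an added example for the Windows verification in this step; it is not the provided verification script. It reads the PK, KEK and db variables with Get-SecureBootUEFI, parses the EFI_SIGNATURE_LIST structures they contain, and reports whether the 2023 Microsoft KEK CA (the subject name is taken from the KEK file name above) and a 2023 db certificate are enrolled. Run it elevated on the VM after the reboot in Step 5.

```powershell
# Added example (not the provided verification script): inspect the UEFI
# signature databases and confirm the 2023 Microsoft certificates are enrolled.
# Assumes an elevated Windows PowerShell 5.1+ or PowerShell 7 session on the VM.

function ConvertFrom-EfiSignatureList {
    # Parses one or more concatenated EFI_SIGNATURE_LIST structures and
    # returns the X.509 certificates they carry (non-X.509 entries are skipped).
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize
        while ($sigSize -gt 16 -and $sigOffset + $sigSize -le $listEnd) {
            if ($type -eq $x509Guid) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER certificate
                $der = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-SecureBootKeyUpdate {
    # Returns a summary object; callers can branch on Has2023KEK / Has2023Db.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this VM.' }

    $pk  = @(ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name PK).Bytes)
    $kek = @(ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = @(ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name db).Bytes)

    [pscustomobject]@{
        PKSubjects  = @($pk  | ForEach-Object Subject)
        PKNotAfter  = @($pk  | ForEach-Object NotAfter)
        KEKSubjects = @($kek | ForEach-Object Subject)
        # Subject taken from the KEK file name in this runbook (assumption: matches the enrolled cert)
        Has2023KEK  = [bool]($kek | Where-Object { $_.Subject -like '*Microsoft Corporation KEK 2K CA 2023*' })
        # Any 2023-generation Microsoft db CA (e.g. "Windows UEFI CA 2023")
        Has2023Db   = [bool]($db  | Where-Object { $_.Subject -like '*UEFI CA 2023*' })
    }
}

Test-SecureBootKeyUpdate | Format-List
```

If Has2023KEK is False after Step 3 (Enroll KEK), the KEK commit did not take effect and the BIOS enrollment should be repeated before continuing to the sanity reboot. The PK expiry dates are printed so that a PK that was not replaced is visible at a glance.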
Step 7: Sanity Reboot
Perform a full power cycle to ensure Secure Boot is functioning correctly:
- Power OFF the VM
- Power ON the VM
Once all manual steps are completed successfully, proceed to Step 3 (Secure Boot Finalization).
Step 3: Secure Boot Finalization (Automated Operation)
This day-2 action completes the Secure Boot remediation after the Platform Key (PK) has been successfully enrolled.
The process will automatically perform the following steps:
- Detach the temporary disk used for Platform Key installation
- Remove temporary Secure Boot compatibility settings
- Restore normal VM boot configuration
- Delete previously created safety snapshots
After completion, the virtual machine is returned to its standard configuration and is ready for normal operation.
Remediation Runbooks
Remediation Runbook (No vTPM)
Follow the full three-step procedure described above (Steps 1–3).
Remediation Runbook (vTPM)
Same procedure as Remediation Runbook (No vTPM), provided BitLocker is not in use.
Remediation Runbook (vTPM with BitLocker Enabled)
When BitLocker is active, additional steps are required before and after the standard remediation.
| Step | Responsible | Action |
|---|---|---|
| Suspend BitLocker | Customer | Before starting the remediation, suspend BitLocker |
| Run Remediation | Swisscom / Customer | Execute Steps 1–3 as described in Remediation Runbook (No vTPM) |
| Resume BitLocker | Customer | After successful remediation, resume BitLocker |
Suspend BitLocker (run before Step 1):
Suspend-BitLocker -MountPoint "C:" -RebootCount 0
Resume BitLocker (run after Step 3):
Resume-BitLocker -MountPoint "C:"
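As an added example (not part of the original runbook), the two commands above generalized to every BitLocker-protected fixed volume, with a check after Step 3 that protection is actually back on. Suspending with -RebootCount 0 matters here because the remediation reboots the VM several times and the new PK/KEK changes the PCR7 measurement that the TPM protector is sealed to; a protector that is still suspended, or a volume that silently dropped into recovery, would otherwise go unnoticed.

```powershell
# Added example, not the runbook's own commands: handle all protected volumes,
# not only C:, and verify the end state. Assumes an elevated PowerShell session
# on the Windows VM with the BitLocker module available.

function Suspend-BitLockerForRemediation {
    # Run before Step 1. RebootCount 0 keeps protection suspended across every
    # reboot of the remediation until Resume-BitLocker is called explicitly.
    $protected = @(Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' })
    foreach ($v in $protected) {
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount 0 | Out-Null
    }
    # Return the mount points so the same list is resumed later
    return @($protected | ForEach-Object MountPoint)
}

function Resume-BitLockerAfterRemediation {
    # Run after Step 3 with the list returned by Suspend-BitLockerForRemediation.
    param([Parameter(Mandatory)][string[]]$MountPoints)
    foreach ($mp in $MountPoints) {
        Resume-BitLocker -MountPoint $mp | Out-Null
    }
    $notOn = @(Get-BitLockerVolume | Where-Object {
        $MountPoints -contains $_.MountPoint -and $_.ProtectionStatus -ne 'On'
    })
    if ($notOn.Count -gt 0) {
        throw "BitLocker protection not resumed on: $(($notOn | ForEach-Object MountPoint) -join ', ')"
    }
    return $true
}

# Usage across the runbook:
#   $vols = Suspend-BitLockerForRemediation      # before Step 1
#   ... Steps 1-3 ...
#   Resume-BitLockerAfterRemediation -MountPoints $vols   # after Step 3
```

Before suspending, confirm the recovery password for each volume is stored somewhere reachable without booting the VM (Get-BitLockerVolume exposes it under KeyProtector), since a failed resume leaves recovery as the only way back into the OS.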
