[Bug]: #593
Description
Version
7.2.6
Host OS Type
Windows
Host OS name + version
Windows 11 Build 26200.8037
Host Architecture
x86
Guest OS Type
Windows
Guest Architecture
x86
Guest OS name + version
Windows 11 Build 26200.8037
Component
EFI
What happened?
I am receiving the following event log errors stating that the Microsoft Option ROM CA 2023(DB) cannot be updated
Event 1801, TPM-WMI
Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:;FirmwareManufacturer:innotek GmbH;FirmwareVersion:VirtualBox;OEMModelNumber:VirtualBox;OEMModelBaseBoard:VirtualBox;OEMModelSystemFamily:Virtual Machine;OEMManufacturerName:innotek GmbH;OEMModelSKU:;OSArchitecture:amd64;
BucketId: b11b9d2377190b0db769866b59072426790d4bc094f021b6107049eea9961a00
BucketConfidenceLevel: Under Observation - More Data Needed
UpdateType:
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.
And than the following event shows
Event 1796, TPM-WMI
The Secure Boot update failed to update Option ROM CA 2023 (DB) with error The system cannot find the file specified.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
The other issue that I see is that the UEFI DBX DB is missing completely.
This is the output from the Powershell script created by github.com/cjee21 to Check UEFI PK, KEK, DB and DBX
Checking for Administrator permission...
Running as administrator - continuing execution...
16 March 2026
Manufacturer: innotek GmbH
Model: VirtualBox
BIOS: innotek GmbH, VirtualBox, VirtualBox, VBOX - 1
Windows version: 25H2 (Build 26200.8037)
Secure Boot status: Enabled
Current UEFI PK
√ UEFI PK
Default UEFI PK
WARNING: Failed to query UEFI variable PKDefault
Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)
Default UEFI KEK
WARNING: Failed to query UEFI variable 'KEKDefault' for cert 'Microsoft
Corporation KEK CA 2011'
WARNING: Failed to query UEFI variable 'KEKDefault' for cert 'Microsoft
Corporation KEK 2K CA 2023'
WARNING: Failed to query UEFI variable 'KEKDefault'
Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
X Microsoft Option ROM UEFI CA 2023
Default UEFI DB
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft Windows
Production PCA 2011'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft
Corporation UEFI CA 2011'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Windows UEFI CA
2023'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft UEFI CA
2023'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft Option
ROM UEFI CA 2023'
WARNING: Failed to query UEFI variable 'DBDefault'
Current UEFI DBX
2025-10-14 (v1.6.0) : ERROR: An exception has occurred while checking DBX
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At C:\Check-UEFISecureBootVariables-main\ps\Check UEFI PK, KEK, DB and
DBX.ps1:234 char:15
- $dbx_bytes = (Get-SecureBootUEFI dbx).Bytes
-
~~~~~~~~~~~~~~~~~~~~~~- CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefi
Command:GetSecureBootUefiCommand) [Get-SecureBootUEFI], StatusException - FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.Get
SecureBootUefiCommand
- CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefi
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None
Press any key to continue . . .
How can we reproduce this?
This issue currently exists in this release of the software.
Did you upload all of your necessary log files, screenshots, etc.?
- Yes, I've uploaded all pertinent files to this issue.