The article is intended for IT administrators in charge of a Parallels Desktop deployment.
If you are an individual user, or an IT administrator managing only a few copies of Parallels Desktop, you can update Secure Boot certificates on BitLocker-enabled VMs manually by following the instructions in the linked Knowledge Base article.
If BitLocker is disabled on Windows VMs, then ensuring that your users are up to date with Parallels Desktop 26.3.3 or later is enough. Parallels Desktop will update Secure Boot certificates after the latest Parallels Tools are installed in Windows and the virtual machine is rebooted. It happens automatically as users use Windows applications.
If BitLocker is enabled on your Windows VMs, you will need to take action. Updating Secure Boot certificates without first suspending BitLocker will most likely require the BitLocker recovery key to be entered, which end users are unlikely to be able to handle. Follow these instructions to update your users seamlessly and monitor progress.
(optional) How to check the BitLocker status
If you know that you are using BitLocker, feel free to skip this step.
You can use the following instructions to check if you have BitLocker enabled:
- Jamf extension attribute (get-bitlocker-status...) by Parallels: prlctl-scripts/jamf/extensions at main · Parallels/prlctl-scripts
- Script (get-bitlocker-status...) for other Mac Device Management Solutions: prlctl-scripts/scripts at main · Parallels/prlctl-scripts
- Microsoft Intune-managed VMs report their BitLocker encryption status in the Intune portal: Endpoint Security → Disk Encryption → Reports
If you don’t have BitLocker enabled on any of the VMs, then Parallels Desktop 26.3.3 or later will update the Secure Boot firmware, and Windows will update its certificates.
If BitLocker is enabled, please follow the instructions below.
Checking Secure Boot certificates
- Jamf extension attribute (get-secureboot-pk-status...) by Parallels: prlctl-scripts/jamf/extensions at main · Parallels/prlctl-scripts
- Script (get-secureboot-pk-status...) for other Mac Device Management Solutions: prlctl-scripts/scripts at main · Parallels/prlctl-scripts
- Microsoft Intune-managed VMs report their Secure Boot status in Intune: Reports → Windows Autopatch → Windows Quality Updates → Reports → Secure Boot Status
Common states and what they mean
| Status | Action |
|---|---|
| All VMs have updated certificates | None |
| One or more VMs have outdated certificates | Run the update script (update-secureboot-certificates.sh, below) |
| Waiting for Parallels Tools to be updated on one or more VMs | Run the update script (update-secureboot-certificates.sh, below) |
| Parallels Desktop must be updated to 26.3.3 or later | Update Parallels Desktop first, then re-check |
| No Windows 11 VMs found | No action needed |
(optional) Certificate expiration monitoring: check-secureboot-certificates.sh and its Jamf extension attribute (get-secureboot-certificates.xml) report PK and KEK expiration dates. This is useful for ongoing compliance monitoring after the update rollout is complete, and as a cross-check that the correct certificates were applied.
Updating Secure Boot certificates with a script
You can find the script update-secureboot-certificates.sh at
prlctl-scripts/scripts at main · Parallels/prlctl-scripts
The script handles BitLocker suspension with RebootCount 1, which means BitLocker re-enables automatically after the reboot and users are never prompted for a recovery key. The script also starts VMs and forces Parallels Tools update if necessary. Running update-secureboot-certificates.sh repeatedly is safe: VMs already reporting an up-to-date hash are skipped immediately with no changes made.
Using Microsoft Intune (which manages Windows inside the VMs) to suspend BitLocker is not recommended: Intune does not check the Secure Boot prerequisites (Parallels Desktop and Parallels Tools being up to date) and therefore does not minimize the time BitLocker stays suspended.
Deploy the update script
Deploy update-secureboot-certificates.sh via Jamf Pro policy or your Mac Management Solution.
Monitor the policy run logs; success for each VM is indicated by the message Certificate updated successfully.
Verify rollout with the status attribute
After the policy has run across the fleet, re-run inventory (get-secureboot-pk-status) in your Mac Management Solution. When all machines report All VMs have updated certificates, the rollout is complete. At that point you can retire the update-secureboot-certificates.sh policy.
(optional) Confirm BitLocker is not left suspended
After the update, spot-check a sample of machines with get-bitlocker-status.sh. All VMs that had BitLocker enabled should show Protection Status: Protection On. A suspended BitLocker (Protection Off (1 reboot left)) indicates the VM did not complete its reboot cycle and should be investigated. IT admins with Intune-managed VMs can check BitLocker status in the Intune portal.
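As an added example (not part of this article and not one of the Parallels prlctl-scripts), the following POSIX shell snippet classifies captured `manage-bde -status C:` output from a guest into the states described above and flags VMs that are still suspended after the rollout. The sample reports are constructed; how the text is collected from each guest is left to the deployment tooling.

```shell
#!/bin/sh
# Added example (not one of the Parallels prlctl-scripts): classify a VM's BitLocker
# state from captured `manage-bde -status C:` output so that a post-rollout spot-check
# can flag VMs that were left suspended. The sample reports below are constructed.

# bitlocker_state OUTPUT -> prints one of: on | suspended | off | unknown
bitlocker_state() {
    status_line=$(printf '%s\n' "$1" | grep -i 'Protection Status:' | head -n 1)
    case "$status_line" in
        *"Protection On"*)           echo "on" ;;
        *"Protection Off ("*reboot*) echo "suspended" ;;  # e.g. "Protection Off (1 reboot left)"
        *"Protection Off"*)          echo "off" ;;        # no protectors active on this volume
        *)                           echo "unknown" ;;    # no recognizable Protection Status line
    esac
}

# reboots_left OUTPUT -> number of reboots until protection resumes (empty unless suspended)
reboots_left() {
    printf '%s\n' "$1" | sed -n 's/.*Protection Off (\([0-9][0-9]*\) reboots* left).*/\1/p' | head -n 1
}

# needs_investigation OUTPUT -> succeeds (exit 0) when the VM is still suspended,
# i.e. it did not complete the reboot cycle that re-enables BitLocker
needs_investigation() {
    [ "$(bitlocker_state "$1")" = "suspended" ]
}

# Constructed sample reports, trimmed to the volume section of manage-bde output.
SAMPLE_ON='Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked'

SAMPLE_SUSPENDED='Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off (1 reboot left)
    Lock Status:          Unlocked'

SAMPLE_OFF='Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked'

# Stand-alone demo over the constructed samples; a real spot-check would feed each
# VM's captured report through the same functions.
for name in ON SUSPENDED OFF; do
    eval "report=\$SAMPLE_$name"
    state=$(bitlocker_state "$report")
    if needs_investigation "$report"; then
        printf '%-10s %-10s reboots left: %s -> investigate (reboot cycle not completed)\n' \
            "$name" "$state" "$(reboots_left "$report")"
    else
        printf '%-10s %-10s\n' "$name" "$state"
    fi
done
```

Only the suspended state is a rollout defect: "on" is the expected end state after a RebootCount 1 suspension, and "off" simply means BitLocker is not active on that volume, which is fine for VMs that never had it enabled.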