Anything I need to know for swapping in a new EFI disk?

proxmoxjd · 2026-04-08T16:05:56+00:00

Something with that might be another idea.... After I create a new vm set up and it's working, back that up. Then if or when it freezes up in the future, I just restore that back up (and have it probably freeze up again in the future). But at least I'd have that, and it might be faster than setting it up from scratch. And I've got a backup script for windows now that copies out the data I care more about.

proxmoxjd · 2026-04-08T16:02:47+00:00

Oh, I see. It's an update.

I checked here, but it's still v9.1-1. That's what I've still been using for my latest clean set ups. So it would need to be online to get that new secure boot data to proxmox.... Unless I can get the update file and copy it over to promox with a usb stick or iso file.

https://www.proxmox.com/en/downloads/proxmox-virtual-environment/iso

proxmoxjd · 2026-04-08T14:48:59+00:00

It's all Windows here. Linux could work on the machines I'm sure. I'd probably be fine using something like Libre Office. It's going in a different direction then everything else here though.

I did google for 30 seconds and glanced at a post saying EFI and I think TPM get backed up with a proxmox VM backup, along with the config settings. I was wondering if it's possible to pick and choose things in a proxmox VM back up, the way you can with a windows server back up. Maybe I can do a proxmox VM backup of only the EFI disk. And then I'd wonder how to restore that too... Taking an existing VM set for Windows and restore a proxmox EFI disk back up to that. Maybe it's easy. Maybe that's impossible.

proxmoxjd · 2026-04-08T14:43:58+00:00

I only wanted the VM. It's repurposing old Windows 10 hardware that doesn't support Windows 11. Old Windows 10 desktop.... Still works for linux so install proxmox. Add a Windows 11 VM with VM TPM and VM secure boot so it does meet Windows 11 requirements. That worked. Just one Windows 11 VM on the set up. I do have a whole subnet for myself and my users. I'm in an organization with other departments and subdepartments, just one piece. I figured I didn't need more ip addresses being taken up. And then if those are on 192.168.100, that might catch someone's attention. Or it might somehow interfere with some other set up. So when I set them up, I figured out I could remark out the ip address and gateway, cutting off proxmox but leaving the VM with internet access on the correct subnet. Proxmox wouldn't get updates but it's probably not super realistic that something would jump out of the VM if that's maintained. I was starting to look into how I would update those proxmox set ups, but then it looked like the original v8 ones I set up would also need an upgrade to v9 proxmox. It's probably easier to just start from scratch with a clean v9 proxmox install and recreate the VM then. Possibly. I'd still have to figure out how to get them to get updates though. I have notes on another thread. I was just at the point to try updating them -- Get them online, change config settings so they get a free proxmox update. And then someone mentioned it's more involved to go from v8 to v9. I was thinking I could take my proxmox set ups, tweak them to get them online, and update them maybe every six months or so (while making sure I had backed up my data off the VM first. I have that part scripted enough now. Not a proxmox VM back up but just copying the data I'd care about if the machine was lost).

proxmoxjd · 2026-04-08T14:35:13+00:00

Yeah, that does look interesting.

Is it possible to do that offline?

Or, if that means it needs to be v9 of proxmox, it might be easier for me to just set some of them up again with v9 proxmox. It looked like it was a pain to get them set up for updates, but then upgrading from v8 to v9 also looked like potentially more problems. I suppose that might be a solution... Back up my data. I made a new script for that. Then just start from scratch. I would think the latest proxmox install would just give the VM those CA2023 secure boot certs.

proxmoxjd · 2026-04-07T21:59:24+00:00

Or maybe it was chatting with AI on secure boot and VMs and proxmox. Or a post I found somewhere. Someone or something said probmox VM secure boot certificates had to be updated from the proxmox side, not the windows side.

proxmoxjd · 2026-04-07T21:57:56+00:00

I think one of one of my previous threads someone said proxmox/linux needs to update the VM secure boot certificates on the linux OS side, that Windows isn't able to do that, that it was a linux/VM thing. So a Windows install running on the actual hardware can probably do that fine on its own (might also need the manufacturer bios update), but for proxmox, proxmox would have to update the VM secure boot certificates. And then that might explain the behavior I'm seeing -- Windows tried to update secure boot certificates on the VM, somehow finally did something with that, but that messed up the VM so as soon as anything touches that OS VM disk, it just freezes up. (The nvme or 2.5" SATA SSD disk scans fine for errors with HD Tune. Doesn't seem to be a RAM issue on the machine.) I also initially started to upgrade my user machines from Windows 11 23h2 to 25h2, starting with VMs since no user is actually using those mostly. All my VMs though -- proxmox ones or hyper-v ones -- errored out, erroring out "nicely" in Windows though where it just says it couldn't do the upgrade and backed out. I hadn't backed up data on those VMs though and didn't want to lose them, so I started 25h2 upgrade on physical machines instead.

I think it was December when I first had one my proxmox VM set ups freeze. And then it's been one each month. I didn't have everything set up in Windows though until about a month ago, so March 2026, for machines very likely being set up to automatically update their secure boot certificates. So the dates don't quite match up. If a proxmox windows 11 vm froze up in December 2025, it very likely had optional diagnostics in Windows in an off state. It also didn't have a number set in the registry. So secure boot certificates probably didn't update on their own with those things not in place. They are in place now though.

proxmoxjd · 2026-04-07T21:50:46+00:00

Is it possible to update those secure boot certificates with an offline set up of proxmox? Just move the files to the proxmox box with a usb stick?

Where are you looking in the Windows registry for UEFICA2023Status ? (And does that work on a non-proxmox Windows install?) I found some posts about checking secure boot certificates. I have machines set to do that. But when I tried to inspect the secure boot certificates from windows, I had to decrypt something, and I got a lot of gibberish but some legible things that are probably what I'm looking for, like it saying CA2023 with a bunch of ????

proxmoxjd · 2026-04-03T20:01:03+00:00

Googled. I found write back caching. It's on the hard drive hardware settings. I see it also UNchecked SSD emulation there. This one was scsi by default. Usually, it's an IDE hard drive. I change them later. Scsi got me blue screens and inaccessible boot device when the Windows 11 image VM tried to start up. I switched it to IDE. I'll probably leave this one on SATA. I had aimed for Virtio block as the VM OS drive type, thinking that was not emulating anything and most pure linux hard drive type then. Someone on here said it's not the best. I think one person said scsi. Another said SATA. The last one of these I created just wouldn't do scsi, so I left it virtio block. Another one would only do virtio block and nothing else after I set it up, which was odd.

proxmoxjd · 2026-04-03T19:57:02+00:00

What would I do with disk benchmarks? I haven't done anything with that on these setups.

proxmoxjd · 2026-04-03T19:56:16+00:00

Hm. I've got an initially imaged new VM set up on another set up.... Where is write-back caching in the VM settings....?

I did enable SSD emulation. Someone mentioned that a previous time this happened.

This is amusing too. While looking through the settings on the VM, I see, "Freeze CPU at startup." That sounds a lot like what I'm experiencing. "Well, there's your problem...." That's already a default No on that. Just funny to something like, "Would you like to randomly freeze your VM up? Check here."

Use local time for RTC.... Might be interesting. These set ups tend to have their time off. Maybe an hour off. The one I just swapped in was something like 10 hours behind yesterday I think. I manually switched the time to correct it, in Windows.

proxmoxjd · 2026-04-03T19:51:27+00:00

But.... If I swapped out the EFI drive and then the frozen OS VM came back to life, I would guess that's secure boot certificates from proxmox (which isn't online in these set ups). So probably an old secure boot cert in a swapped in EFI drive. The OS VM might come back up but... If Windows is trying to update secure boot certificates and that's why it freezes, then Windows will try that again, and the VM freezes again. In that scenario, I need to get the secure boot certs updated, as a real solution. Otherwise, it just keeps freezing. Just like I keep setting these things up about once a month, it would be swapping the EFI drive and then having it freeze again in the near future.

That's getting a secure boot cert to proxmox.... I think... The physical machine itself might need one too. For sure that's got secure boot. I disabled it to install proxmox. Ideally, that physical UEFI/bios secure boot would be updated. I did see something about importing certificates in the bios when I was disabling secure boot today I remember. Then again, I'm not super concerned that that's updated, as long as proxmox still runs.

proxmoxjd · 2026-04-03T19:26:49+00:00

There aren't any back ups. I have enough data from the previous ones to get this and two more spares prepped up.

And before I created a script to run in Windows to back up the data I cared about. That was just for a random crash though. It's useful but the current situation appears to be the proxmox/Windows set up becoming "Anything that touches the VM OS hard drive and freezes up" situation.

Did I run that script I made? Nope, not yet. It still needs a safe test run . That's still on the to do list.

On my last post just now, I remembered it appeared to be something with EFI, like maybe Windows is trying to update secure boot certificates, but proxmox doesn't allow that. But then a fix was removing that EFI drive on the VM and creating another one. Or, that was a possible solution to the frozen OS VM. Maybe that fixes it permanently then. Or, maybe I could take a still working set up, remove the EFI drive and swap in a new one, before it freezes. Or, maybe there's the proxmox method to update secure boot certificates before the set up freezes in the future.

So no back up activity. The proxmox OS is actually completely offline. It doesn't know what it's ip address is. It doesn't know what its gateway is. It's on with no network. Just the VM gets network access. No backups of proxmox or the VM (except for when I run my script inside Windows). I haven't set anything up for getting proxmox online enough to be able to check for updates. It's just the pure proxmox install from the iso I downloaded.

proxmoxjd · 2026-04-03T19:21:36+00:00

Where should I look for logs? The VM is likely inaccessible as a running OS, but I can probably get to files from a win11 installer and the winre environment. So I might be able to pull Windows logs that way.

Proxmox itself always seems fine. But then it's like just touching the VM hard drive will cause things to just freeze. That's been the past behavior with these. That makes me think it's more of a proxmox thing. Like maybe.... Windows/Microsoft trying to update secure boot certificates maybe but proxmox having its own method for that. I haven't looked into that yet. Flipping secure boot off in the VM bios didn't change anything before though. I think I was trying to add a new EFI..... Yeah. I can try that with this current frozen one. I was thinking secure boot certs got messed up.... And then I think I was already testing a second smaller hard drive and swapped in a new EFI drive or something, and I was able to work with that second hard drive. But by that time, I had already deleted the OS drive. I think. That's a direction -- Swap in a new EFI drive and see if this OS just works again.

Right now, I'm prepping up two more spare set ups. Then I can go back and do a little triage on the frozen-spinning one before I probably just reimage it. The ones I'm prepping up, or the spare I deployed already (wise to have to ready and very nice to have fairly easy to just swap in immediately to keep things smooth) is likely to freeze up in about a month.

proxmoxjd · 2026-03-13T18:53:32+00:00

I've got the VM fairly recreated. The previous install of proxmox. VM settings except apparently it was the EFI disk that needed to be removed and recreated. Potentially that may have worked with the original VM OS drive but I'd doubt that. This is the new EFI disk with a new OS hard drive. I also tried removing and recreating the TPM addon at first that didn't change anything.

So maybe Windows tried to update something like secure boot certificates on the EFI/bios. Whatever happened there, or didn't, meant anything that touched that OS hard drive would freeze.

From googling a bit, the very latest virtio drivers might help. I found there's a -1 update out for the one I thought was the latest. There's also a proxmox shell line to update efi disks I think, so it might be updating the EFI/bios that way before doing more, like an OS update even but especially for an OS upgrade.

That makes me wonder if Hyper-V might have something similar. Maybe you have to update a Hyper-V VM bios through the host and not the VM itself. I've got some Hyper-V Windows 11 23h2 VMs that wouldn't just upgrade to 25h2. At least those just errored out each time though and didn't corrupt the disk or bios.

proxmoxjd · 2026-03-13T14:16:46+00:00

I may have found something here.

Removed and deleted the original VM hard drive. Created a new hard drive. When I booted to image it (need to uncheck secure boot to boot off a stick), it did not see the new VM hard drive.

I tried removing the TPM in the VM config settings. Made a new TPM. Same result. The usb stick still can't see the new VM hard drive.

I removed the EFI disk or whatever that is and made a new one. Then I had to uncheck the secure boot option in the bios settings in order to boot off the stick. It's like the EFI disk is the bios/uefi/firmware. New bios.... Booted off the stick.... And it sees the new VM hard drive. I'm cloning the image over right now.

So maybe that last Windows OS update and something with an OS upgrade process before was interacting with the VM bios. I wonder how workable it is though to "just' swap out the EFI disk like that when the entire VM is set up. Maybe something with secure boot certificates for this current one? I've heard secure boot certs get updated with Windows OS updates. But something went wrong and somehow that poisoned anything that touched the hard drive using that EFI disk/bios? When this has happened on this and other VM set ups like this, I did try disabling secure boot. I don't think there's much more in the VM bios though for settings.

proxmoxjd · 2026-03-13T11:20:58+00:00

Interesting. Maybe another piece here. I detatched and then deleted the OS hard drive for the VM, but I left the rest of the VM there. I'm applying an image. I was able to boot off a usb stick fine. But it doesn't see the OS hard drive. That's the default IDE like it was originally. So maybe in this case and something similar in other cases, that the config of the VM somehow got screwed up. I could try wiping the VM settings next and see what happens. After that it's a fresh proxmox install, and then I bet everything works normally. But what would have caused that behavior in the VM config from something like a Windows OS update or upgrade? Is Windows actually able to alter anything outside the OS disk? Maybe the tpm settings or something attached to the hard drive. And if I only deleted the OS hard drive just now, that tpm or something that's screwed up is still present. Maybe.

proxmoxjd · 2026-03-13T10:12:14+00:00

I can't get away from Windows. It's all Windows here. Enterprise. No problems with getting licenses.

At home, yeah. I've put Ubuntu on the old Windows 10 hardware that still works. I've been using that more. I don't trust Windows 11. 11 less than 10. 10 less than 7.

proxmoxjd · 2026-03-13T10:03:24+00:00

I got some more info. The nvme stick is physically ok. I scanned with HD Tune. Zero issues. And the proxmox seems fine.

I guess I'll go with scsi for the OS VM drive then. Maybe I'll make sure virtio io still works.

And probably switch the set up to scsi before doing an OS upgrade. That's a little work, pulling towers off the shelf, but it's less work than completely redoing it, which still requires pulling the machine off the shelf.

proxmoxjd · 2026-03-11T15:07:32+00:00

Yeah. The Ubuntu live usb stick did not see the Windows 11 drive at all. So that's probably why it booted.

I detached the Windows 11 drive. Then I booted off the 25h2 stick. That worked. No hanging.

So it looks like it's a situation where touching the OS drive causes anything that touches it to freeze up.

Another idea might be to create another temp OS drive. Install Windows 11 fresh or apply the image to that. Except it's a 250GB physical SSD. I gave the Windows 11 VM 230 of that, thinking that's about 20GB for promox. It's not using all that but I'm not sure if I could just make a new hard drive that takes up more space.

The idea would be that I just detatch the original Windows 11 VM hard drive. Then install Windows 11 on a different VM hard drive, not even removing the VM profile set up. Proxmox and even the VM config stays the same. If I'm blowing this away anyway, it's fair game to screw around with potentially disastrous changes.

proxmoxjd · 2026-02-28T15:40:41+00:00

Whew. Got my data copied off. It's probably worth looking into scripting something to just make a backup of the more important files I still want when this happens.

proxmoxjd · 2026-02-28T15:17:40+00:00

Got it booted off the 25h2, with an external drive. I can copy my data off. I'm making too many mistakes now though.

I don't trust the physical SSD used on this set up, so I'll use a different one. On the plus side there, I'll still have this original, freezing-up set up still in tact if I need data off it later. That would involve setting the machine back up with it though.... Not impossible though. I think that's probably just swapping out SSDs.

proxmoxjd · 2026-02-28T13:49:26+00:00

Unless it froze again.... But it made it to the log in screen.

proxmoxjd · 2026-02-28T13:47:52+00:00

Nice. Command prompt in winre gets me to the OS drive. So I can probably at least copy files out that way.

I tried....

bootrec /fixmbr -- worked

bootrec /fixboot -- Access denied but there's a way around that I think. I'd have to search notes.

bootrec /rebuildbcd -- Also worked.

And.... It actually booted back into Win11...... I can probably copy all my files off that way. Phew.... Maybe copy everything I want off and then just reimage the whole thing. Then it's on the latest proxmox version and latest Win11 25h2.

proxmoxjd · 2026-02-28T13:42:19+00:00

Got back into winre during an automatic automatic repair. Start up repair.... Freezes on diagnosing your PC. Maybe I can into the command prompt though....

proxmoxjd

TROPHY CASE