Is there a plan for Microsoft or OEM to only ship hardware with new 2023 certs ? Assuming that when option ROM expire it will not be possible to certify new devices after this date? I.e. Dell release new laptop model in Jan 2027 will only ship with 2023 certs?  Does this mean not compatible with old 2011 bootloaders (Operating Systems)

What about virtual environments like HyperV and VMware? They follow the same process as physical hardwares? I read somewhere cert deployments are not yet ready for virtuals.

what is happening with consumer hardware? For example someone's grandma who doesn't know what secure boot is but has a 5 year old windows 11 laptop

What is the timeline for MicrosoftUpdateManagedOptIn Reg_DWORD =1 managed (CFR) rollout? 

Is it same models as HighConfidence model bunches included to LCU but just machines receive Ready signal faster than with LCUs? 

Are the lists of currently enabled models for both published anywhere?

Have you discussed the error 65000 using the Intune solution - with enterprise licensed devices that were pro to enterprise that are kicking out this error?   Microsoft Support suggests this is a known issue that is being worked on.  

Can Microsoft provide clarity on when the 2011 Secure Boot certificates will actually be revoked in the UEFI dbx? Am I correct that revocation—not expiration—is what will prevent systems from booting if they don’t already have the updated 2023 certificates applied?

Can I update the systems easily through Windows Update?

You mentioned that as long as a device doesn’t log a specific Event ID indicating it’s blocked from receiving the Secure Boot update, the update will be delivered in the coming months. Which Event ID are you referring to 1801?

Hello Microsoft Team,

We are reviewing Microsoft guidance regarding the expiration and replacement of older Secure Boot certificates and the updates required to maintain boot trust for Windows systems.

Our environment consists of Windows Server 2016, 2019, 2022, and planned 2025 virtual machines running on VMware vSphere 8 (ESXi 8). Some of these VMs were originally created many years ago and are still configured with very old VMware virtual hardware versions (for example, virtual hardware version 6), even though they are now hosted on modern ESXi hosts.

We would like clarification on how Microsoft’s Secure Boot certificate updates may affect this scenario.

Specifically:

1. Could Windows Server VMs running on legacy VMware virtual hardware versions (e.g., vHW6) encounter Secure Boot or boot trust issues as Microsoft retires older Secure Boot certificates?
2. Does Microsoft require any minimum virtual firmware or UEFI capabilities from the hypervisor or VM hardware version to properly support the updated Secure Boot trust chain?
3. From Microsoft’s standpoint, is upgrading the VMware virtual hardware version or changing the virtual firmware from BIOS to UEFI necessary to avoid potential boot failures after these certificate changes?
4. Are there known risks for older-generation VMs on VMware when applying future Windows updates related to Secure Boot trust, such as DB or DBX updates?

Our goal is to ensure our Windows Server VMs remain fully supported and do not encounter unexpected boot issues due to Secure Boot certificate lifecycle changes.

Thank you for your guidance.

Are there any reports in CM or Intune to find the certificates status as of today for all my computers?