Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Updated Dec 09, 2025
stephc_msft
Microsoft
Dec 10, 2025
One of the biggest 'grey areas' is how to handle EXISTING, aka long-running, gen2 Hyper-V VMs.
There are many reports that updating the OS inside the VM can't do the UEFI-related aspect
(sorry, don't have the details to hand).
And is that important?
Fresh VMs created on an updated HV host will be OK and will have the correct firmware.
Ditto about updating UEFI boot VMs on other virtualization platforms (if using Secure Boot for the VM),
e.g. in VMware.
- mikehartstein (Copper Contributor), Dec 10, 2025
Yes, that has been our experience as well. Hyper-V VMs created before a certain date will not take the 2023 KEK cert (the Windows UEFI CA 2023 cert gets added fine, and the boot manager replaced with the 2023-signed one). It would be nice to know that this will be fixed soon.