Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White; Scott Shell; Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
114 Comments
- LynChen
Microsoft
It appears that Azure VMs need to be updated by customers. However, according to the “Secure Boot playbook for certificates expiring in 2026 - Windows IT Pro Blog,” I cannot find any solution for performing mass updates on Azure Windows VMs.
- Simone_Termine
Brass Contributor
You’re not missing a hidden “Azure-only” button. Microsoft’s guidance for virtualized environments is basically:
- The virtualization provider (Azure/AWS/Hyper-V/VMware) can ship an update that bakes the new certificates into the virtual firmware (helpful mainly for new VMs).
- For long-lived existing VMs, the update can be applied from inside Windows, like any other device, if the virtualized firmware supports Secure Boot variable updates. (see https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818)
That’s why the playbook doesn’t present a special “mass update for Azure VMs” section: the mass rollout mechanism is your fleet management layer, not Azure itself.
However, on Trusted Launch/Gen2 VMs, Secure Boot is implemented in platform firmware. Azure controls that firmware and already includes Microsoft-owned trusted certificates in the UEFI firmware for Windows VMs. So Azure can update firmware defaults for new VMs as part of platform evolution, matching the “provider update” path above.
Finally, Microsoft is delivering the Secure Boot certificate servicing through Windows monthly updates, and IT is still responsible for ensuring the fleet is updated (even when Microsoft “assists”).
For IT-managed devices, Microsoft documents multiple deployment methods (registry keys, GPO, Intune, WinCS). Do you use any of these?
If you tell me which Azure VM type you’re talking about (AVD session hosts? Windows Server workloads? VMSS?), I can suggest the cleanest rollout pattern and how to monitor success states (including the “reboot required” phase) without babysitting thousands of machines.
- LynChen
Microsoft
Hi Simone,
Thank you very much for your reply!
Regarding the Azure VM types, they would be VMSS and Windows Server workloads.
I noticed that WinCS and Group Policy require domain join. What should we do if the Azure VMs are not domain‑joined? Also, the registry keys seem to require manual updates one by one.
Could you advise on the cleanest rollout approach and how we can monitor the success status? That would be greatly appreciated.
- HeyHey16K
Iron Contributor
Where can we find the Microsoft high-confidence device list, so we know which makes/models are marked as high confidence please?
- Simone_Termine
Brass Contributor
Hello everyone!
To make it predictable, measurable, and safe, I published an Intune Remediation to help the community handle Microsoft’s Secure Boot certificate update in a clean, repeatable way. 🚀
You can also adapt it for SCCM.
What you get (ready to use):
✅ Detection + Remediation scripts
✅ Idempotent + guarded logic (no pointless re-triggers)
✅ Clear outputs for easier reporting/troubleshooting
✅ A short README with usage notes + operational tips
✅ Can handle “In Progress” and pending reboot (AvailableUpdates = 0x4100) states
Secure Boot remediation (README) 👉 https://github.com/SimoneTermine/MicrosoftIntune/tree/main/scripts/00-Devices/Remediations/SecureBoot_UpdateCerts
- ORZAG
Occasional Reader
For the PC DIY market, will motherboards built after June 2026 only be able to sign with the 2023 CA? If yes, if a user installs an older device (dGPU) that only has the 2011 CA, will they not be able to Secure Boot?
- Pearl-Angeles
Community Manager
Thank you everyone for your participation in today's AMA! Below is a list of the questions the panelists answered live, along with links to the original question (if listed below) and associated timestamps:
Question – We have diagnostic data turned on in our Intune environment, but I'm not seeing the registry key "MicrosoftUpdateManagedOptIn". Should I be worried about this? If this key does not exist, MS will not push the certificates down, correct? – answered at 1:31.
Question – If we apply the 0x5944 registry value on updateable systems, are we still able to network boot them with our existing WinPE to image them with SCCM? – answered at 4:28.
Question – When you say "future security updates cannot be applied," do you mean monthly cumulative updates will fail to install entirely, or will just the potentially bundled updates to Secure Boot / Boot Manager be skipped? – answered at 6:01.
Question – Will the Windows Install process update the Certs if the Windows Install source media has been updated and the device has not? – answered at 7:42.
Question – Is it true that Hyper-V Gen 1 VMs are not affected by this issue? – answered at 10:10.
Question – What is the easiest way to tell if our devices will need to be updated? – answered at 11:10.
Question – Does this have any relation with Defender ASR rule 'Block rebooting machine in Safe Mode'? – answered at 12:50.
Question – Am I right to say if the "HighConfidenceOptOut" registry key does not exist, this means we have opted in? – answered at 13:31.
Question – If we miss the June 2026 deadline, how would we go about bringing a device back to a compliant state? – answered at 18:16.
Question – We have 70k Win11 23H2 devices patched using Autopatch every month. All managed by Intune. Is the right behavior to simply put the registry down to the device and they will update certs via the schedule task on the box and then we are fine? We don’t have to think of it anymore? – answered at 20:26.
Question – Towards the bottom of the guidance at aka.ms/GetSecureBoot, it states that the WindowsUEFICA2023Capable is not recommended for general use. However, can it be used to query devices in my environment to get an accurate picture of how many devices have the certificate in the DB already? – answered at 25:36.
Question – How about Azure VMs? Do we have to take action on them as well? – answered at 27:06.
Question – You mentioned “assists” – how do we access those? Are they a service we need to sign up for? – answered at 29:14.
- To stay up to date on additional help mechanisms, go to https://aka.ms/GetSecureBoot
Question – Does the rollout from MSFT include adding the old cert to the Exclusion DB (dbX)? – answered at 31:27.
Question – When I look at my environment, even brand-new devices are showing that the UEFICA2023Status regkey is NotStarted. Even on brand new devices we've deployed. Does NotStarted also mean the device may not need it? Or was I querying the wrong registry key? – answered at 34:45.
Question – When will the certificates come down with Windows Updates? Is there an expected month they will be delivered? – answered at 36:00.
Question – Question about Autopatch: if I have devices in Autopatch & diagnostics being sent. Do I need to implement any other configuration policies or registry keys or is it all automatically completed? Or do we need a settings catalog policy as well? – answered at 39:39.
Question – How will the WinPE boot image (from the ADK) be affected by these changes? If it will be updated, will it continue to work on systems that have not yet installed the updated certificates? – answered at 42:25.
Question – How are you working with OEMs to ensure that they are updating their firmware in advance? – answered at 44:37.
Question – If the key "WindowsUEFICA2023Capable" is set to 1 instead of 2, this means the device is still not in a "secure state". The key needs to be set to 2? – answered at 45:58.
Question – Does applying the 0x5944 registry key apply the Secure Boot revocations or does this only apply the new cert, but leaves the old cert in place? And is Microsoft planning on revoking the old cert at some point in the future? – answered at 47:33.
Question – What about my device at home? Do I need to take steps there as well? – answered at 49:04.
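As an added example that is not taken from the thread, from Simone_Termine's repository or from Microsoft's playbook, the following detection-style script reads the registry values and the event named in the recap above and in the remediation post earlier in the thread, and reports them in a form an Intune Remediation or SCCM compliance item can consume. The registry paths, the "Windows UEFI CA 2023" subject string and the exit-code convention are assumptions; the thread gives only the value names.

```powershell
# Added example: detection script for the Secure Boot certificate update.
# Assumption: the value names quoted in the thread live under these paths.
$Servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$OptIn     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Secure Boot disabled (or legacy BIOS): nothing to update on this device.
$sbOn = $false
try { $sbOn = Confirm-SecureBootUEFI } catch { }

# Check the firmware DB itself for the 2023 CA, independent of registry state.
$dbHas2023 = $false
if ($sbOn) {
    $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
    $dbHas2023 = [Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
}

$state = [ordered]@{
    ComputerName      = $env:COMPUTERNAME
    SecureBootEnabled = $sbOn
    DbHas2023CA       = $dbHas2023
    AvailableUpdates  = '0x{0:X4}' -f [int](Get-RegValue $Servicing 'AvailableUpdates')
    UEFICA2023Status  = Get-RegValue $Servicing 'UEFICA2023Status'      # e.g. NotStarted
    Capable2023       = Get-RegValue $Servicing 'WindowsUEFICA2023Capable'
    HighConfOptOut    = Get-RegValue $Servicing 'HighConfidenceOptOut'
    ManagedOptIn      = Get-RegValue $OptIn 'MicrosoftUpdateManagedOptIn'
    # Event 1795: firmware refused the variable write (e.g. "medium is write protected" on a VM).
    FirmwareWriteFail = [bool](Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795
    } -MaxEvents 1 -ErrorAction SilentlyContinue)
}
# 0x4100 is the "pending reboot" value quoted in the thread.
$state.PendingReboot = ($state.AvailableUpdates -eq '0x4100')

# Single-line JSON keeps the Intune remediation output column parseable.
Write-Output ($state | ConvertTo-Json -Compress)

# Exit 0 = compliant, exit 1 = remediation should run (Intune Remediation convention).
if (-not $sbOn)                                 { exit 0 }
if ($dbHas2023 -and -not $state.PendingReboot)  { exit 0 }
exit 1
```

Devices where Secure Boot is off are reported as compliant here because the thread's own guidance is that they neither update nor need to; treat that as a deliberate choice, not a pass of the firmware check.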
- stephc_msft
Microsoft
Can't find my previous comment asking about updating EXISTING (aka long-running) Hyper-V Gen2 VMs and them failing to update the UEFI side of things (for the KEK).
Error 1795 on Test VM – “Medium is write protected”
- Meaning: Event ID 1795 indicates that Windows attempted to update a Secure Boot variable (DB, DBX, or KEK) in the firmware, but the firmware returned an error. In your case, the error text suggests the UEFI firmware reported the storage medium as write-protected.
- Why it happens: This typically occurs in virtualized environments where Secure Boot variables are emulated and may not allow OS-initiated writes. It can also happen if the VM configuration does not support Secure Boot updates or if the virtual firmware is locked down.
- prabhv1982
Microsoft
Thank you for reporting this issue. We are aware of the issue and it will be resolved in a future Windows update to unblock the KEK update on Hyper-V Gen2 VMs.
- lnvv
Copper Contributor
Thanks guys for taking the time to do this session online and giving helpful insight into the Secure Boot update process. Also thanks for all the people asking good questions.
- Pearl-Angeles
Community Manager
Thank you for joining today’s AMA! We’re putting together a recap of the topics covered by our panelists and will post it shortly. Stay tuned!
- Jim Hamby
Copper Contributor
Does this affect devices running "alternate" Windows versions such as HoloLens/HoloLens 2/Surface Hub, etc.?
- HigherEdArchitect
Copper Contributor
With the new Windows events being generated, for Windows Server SKUs (primarily VMs) without Secure Boot enabled, why are Microsoft-Windows-TPM-WMI events - specifically event 1801 - being generated? A device with Secure Boot disabled at the hypervisor layer doesn't update, nor does it meet the requirements.