I am running a legacy Hyper-V machine on Windows Server 2012 R2 and guest VMs on Server 2016 and 2019. Do I need to install the Secure Boot 2023 cert on both Hyper-V and the VMs? What happens if I don't update the Secure Boot cert on both?
- mihi, Apr 20, 2026, Brass Contributor
I assume all those machines have Secure Boot enabled? If not, there is no option nor need to update the secure boot certs.
If Secure Boot is enabled, not updating them (on both) will have the same effect as on any other (physical or virtual) machine: The bootloader will remain stuck on the June 2026 version and the Secure Boot blacklist will not get updated. So an attacker who gets admin access on either the host or the guests could install a bootkit on the (host or guest) machine they had access to once there is any public exploit for that bootloader or any other blacklisted bootloader. In any case the system will continue working and will still receive security updates for all other Windows components.
- arch1279, Apr 20, 2026, Copper Contributor
Thanks for the reply. Yes, Secure Boot is enabled; however, Hyper-V is still on an unsupported OS, Server 2012 R2. Is there a way I can manually/offline install the new Secure Boot certificate without going to Windows Update?
- dwqdda, Apr 21, 2026, Copper Contributor
For a server that is not Hyper-V, resetting Secure Boot to default even with the latest firmware may not provide the 2023 certificates; the 2011 certificates may still be in the default db depending on the OEM.
You can update to the 2023 certificates without Windows Update with a recovery EFI utility:
https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d (EFI utility at the bottom of "Updating Windows install media"), but it won't update the bootloader/other relevant regions in the filesystem via the Windows mechanism, just in UEFI.
You can force updates via the registry in Windows using the guide below, but you need ESU for 2012 R2 to get the security update that adds the functionality:
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
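
To see which certificates a host or guest actually holds in its active db and in the firmware default db (the 2011 versus 2023 question raised above), the following is an added example and not part of any post in this thread. It assumes an elevated PowerShell session on a UEFI machine; the function name `Get-SecureBootCertificate` is hypothetical, and it parses the standard EFI_SIGNATURE_LIST layout returned by the built-in `Get-SecureBootUEFI` cmdlet.

```powershell
# Added example: list the X.509 certificates stored in a Secure Boot variable.
function Get-SecureBootCertificate {
    param([string]$Name = 'db')

    $x509Type = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes    = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset   = 0

    # The variable is a sequence of EFI_SIGNATURE_LIST structures (28-byte header each).
    while ($offset + 28 -le $bytes.Length) {
        $typeBytes = New-Object byte[] 16
        [Array]::Copy($bytes, $offset, $typeBytes, 0, 16)
        $type       = New-Object Guid (,$typeBytes)
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)

        # Stop on a malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }

        if ($type -eq $x509Type -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Each entry is a 16-byte SignatureOwner GUID followed by the DER certificate.
                $der = New-Object byte[] ($sigSize - 16)
                [Array]::Copy($bytes, $entry + 16, $der, 0, $der.Length)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Compare the active db with the firmware default db; look for 2011 vs 2023 in the subjects.
foreach ($name in 'db', 'dbDefault') {
    try   { Get-SecureBootCertificate -Name $name }
    catch { Write-Warning "Could not read ${name}: $($_.Exception.Message)" }
}
```

A warning for `dbDefault` means the firmware does not expose that variable; an error on `db` itself usually means Secure Boot is not supported or the session is not elevated.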