I assume all those machines have Secure Boot enabled? If not, there is neither an option nor a need to update the Secure Boot certs.
If Secure Boot is enabled, not updating them (on both) will have the same effect as on any other (physical or virtual) machine: the bootloader will remain stuck on the June 2026 version and the Secure Boot blacklist will not get updated. So an attacker who gets admin access on either the host or the guests could install a bootkit on the (host or guest) machine they had access to, once there is any public exploit for that bootloader or any other blacklisted bootloader. In any case the system will continue working and will still receive security updates for all other Windows components.
Thanks for the reply. Yes, Secure Boot is enabled; however, Hyper-V is still on an unsupported OS, Server 2012 R2. Is there a way I can manually/offline install the new Secure Boot certificate without going through Windows Update?
- dwqdda, Apr 21, 2026, Copper Contributor
For a server (not Hyper-V), resetting Secure Boot to default even with the latest firmware may not provide the 2023 certificates; the 2011 certificates may still be in the default db depending on the OEM.
You can update to the 2023 certificates without Windows Update with a recovery EFI utility:
https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d (the EFI utility at the bottom of "Updating Windows install media"), but it won't update the bootloader/other relevant regions in the filesystem via the Windows mechanism, just in UEFI.
You can force updates via the registry in Windows using the guide below, but you need ESU for 2012 R2 to get the security update that adds the functionality:
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
- mihi, Apr 21, 2026, Brass Contributor
> For a server (not Hyper-V), resetting Secure Boot to default even with the latest firmware may not provide the 2023 certificates; the 2011 certificates may still be in the default db depending on the OEM.
Correct, I was assuming a vendor pushing updates specifically for Secure Boot compatibility, and I've not seen any of those that do not also update the default db to include the 2023 certs.
> You can update to the 2023 certificates without Windows Update with a recovery EFI utility
This will only update one of the DB certificates (Windows UEFI CA 2023) to make media with new bootloaders able to boot on that machine, and as long as there is no such bootloader (and you do not plan to boot external media that needs it) it won't provide any (security or other) benefit to have that one installed.
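The two posts above describe the state a practitioner has to verify before and after any of this: which 2023 certificates are already in DB/KEK, whether the 2011 PCA has been revoked in DBX, which CA signed the installed boot manager, and how the IT-managed registry path from the linked article is triggered. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft; the registry value name (AvailableUpdates), the bit flags, the scheduled task name and the certificate subject strings are taken from Microsoft's KB5025885 guidance as I recall it and are flagged as assumptions to be checked against the linked article for your build. It needs an elevated prompt and the SecureBoot module (present on Windows 8.1/Server 2012 R2 and later); without `-Apply` it only reports.

```powershell
# Added example, not from the thread. Reports Secure Boot 2023-certificate state and,
# with -Apply, queues the IT-managed update described in the Microsoft article above.
# ASSUMPTIONS (verify against KB5025885): value name AvailableUpdates, bits 0x40/0x100,
# task path \Microsoft\Windows\PI\Secure-Boot-Update, certificate subject strings.
param(
    [switch]$Apply   # report only unless -Apply is given
)

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning "Secure Boot is not enabled; the certificate updates do not apply."
    return
}

function Test-UefiVarContains {
    param([string]$Variable, [string]$Pattern)
    # db/dbx/KEK hold DER certificates inline, so subject strings are visible in the raw bytes.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes)) -match $Pattern
}

$checks = [ordered]@{
    'DB has Windows UEFI CA 2023'                   = Test-UefiVarContains db  'Windows UEFI CA 2023'
    'DB has Microsoft UEFI CA 2023 (third-party)'   = Test-UefiVarContains db  'Microsoft UEFI CA 2023'
    'KEK has Microsoft Corporation KEK 2K CA 2023'  = Test-UefiVarContains KEK 'Microsoft Corporation KEK 2K CA 2023'
    'DBX revokes Windows Production PCA 2011'       = Test-UefiVarContains dbx 'Windows Production PCA 2011'
}

# Which CA signed the boot manager actually installed on the EFI System Partition?
# The recovery EFI utility only touches UEFI variables; this is the file-system side.
$esp = 'S:'   # assumed free drive letter; change if S: is in use
mountvol $esp /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    $checks['Boot manager signed via Windows UEFI CA 2023'] =
        [bool]($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
} finally {
    mountvol $esp /D | Out-Null
}

$checks.GetEnumerator() | ForEach-Object { '{0,-50} {1}' -f $_.Key, $_.Value }

if ($Apply) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    # Assumed bit meanings per KB5025885: 0x40 = add Windows UEFI CA 2023 to DB,
    # 0x100 = switch to the 2023-signed boot manager. The DBX revocation of PCA 2011
    # is deliberately NOT set here: it must only be applied once every boot path
    # (recovery media, other OS entries) is 2023-signed, or the machine stops booting.
    $flags   = 0x40 -bor 0x100
    $current = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    Set-ItemProperty -Path $key -Name AvailableUpdates -Type DWord -Value (([int]$current) -bor $flags)
    # The servicing task consumes AvailableUpdates on its next run; start it now.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
    Write-Host "Update queued. Reboot, then re-run without -Apply; watch the System log (source TPM-WMI) for status."
}
```

On a 2012 R2 host without ESU the report half is still useful (it tells you whether the OEM firmware reset actually delivered the 2023 certs, as discussed further down), but the `-Apply` half will do nothing, because the servicing task that consumes AvailableUpdates only exists once the corresponding security update is installed.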
- mihi, Apr 20, 2026, Brass Contributor
If you are on 2012 R2 without ESU, you won't need the Secure Boot certificate updates, since you won't get any new bootloaders for it any more anyway...
- arch1279, Apr 20, 2026, Copper Contributor
Thanks, will a Dell Edge Server OEM firmware update help?
- mihi, Apr 21, 2026, Brass Contributor
Help with what? With not having any need for Secure Boot updates? Or with ticking a compliance tick mark that has absolutely no meaning?
When updating the firmware and resetting the Secure Boot keys to default, it will give you the new Secure Boot certificates. Which you do not need for anything as long as you stay on 2012 R2 without ESU.