Yesterday I had a test in a similar scenario: Windows 2025, fully up to date, and VMware 8.0.2.
Setting the AvailableUpdates registry value to 0x5944 and manually running the Secure-Boot-Update scheduled task, after two runs and two reboots I could see the DB updated with the new 2023 certificates. After these reboots I had AvailableUpdates=0x4004, and running the scheduled task again and rebooting the VM again did not change it anymore; the KEK could not be updated (I can see only event ID 1801 in the registry, no other errors).
So I guess that if the VM finds the PK null, as is common in VMware environments today, the automatic process cannot be completed (https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html). PK and KEK must be updated manually as described in the Broadcom KB https://knowledge.broadcom.com/external/article/423919. Only after the PK and KEK are up to date can the automatic process be completed, and the DB and bootloader be updated by the Microsoft scheduled task.
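A read-only status check for the state described in the post above (whether a PK is present, whether the 2023 certificates are in KEK and DB, the AvailableUpdates value, the last run of the Secure-Boot-Update task, and the last event 1801), added here as an example that is not part of the thread. It assumes the in-box SecureBoot PowerShell module, the Secure Boot servicing key under HKLM, the task path \Microsoft\Windows\PI\, and that 'OEM Devices PK' is a usable fragment of the PK subject name the thread refers to; run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Read-only status check mirroring the diagnosis in the post above (added example).
# Assumes: the in-box SecureBoot module, the servicing registry key
# HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing, the task
# \Microsoft\Windows\PI\Secure-Boot-Update, and that 'OEM Devices PK' is a
# usable substring of the PK subject name mentioned in the thread.
function Get-SecureBootCertStatus {
    $checks = @(
        @{ Var = 'PK';  Pattern = 'OEM Devices PK';                       Label = 'PK_OEMDevicesPresent' }
        @{ Var = 'KEK'; Pattern = 'Microsoft Corporation KEK 2K CA 2023'; Label = 'KEK_2023Present' }
        @{ Var = 'db';  Pattern = 'Windows UEFI CA 2023';                 Label = 'DB_WindowsUefiCa2023Present' }
    )
    $status = [ordered]@{ SecureBootEnabled = $(try { Confirm-SecureBootUEFI } catch { $false }) }
    foreach ($c in $checks) {
        try {
            # Subject names inside DER certificates are plain ASCII, so a string
            # search over the raw variable bytes is enough to spot a given CA.
            $bytes = (Get-SecureBootUEFI -Name $c.Var -ErrorAction Stop).Bytes
            $status["$($c.Var)_Readable"] = ($bytes.Length -gt 0)
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
            $status[$c.Label] = [bool]($text -match [regex]::Escape($c.Pattern))
        } catch {
            # Absent or unreadable variable (e.g. a VM with no PK at all) counts as missing.
            $status["$($c.Var)_Readable"] = $false
            $status[$c.Label] = $false
        }
    }
    # Servicing state: the thread mentions 0x5944 (initial), 0x4004 (left after the
    # DB update) and 0x0002 (DBX only). A missing value means nothing is scheduled.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $status.AvailableUpdates = if ($null -ne $reg.AvailableUpdates) { '0x{0:X4}' -f $reg.AvailableUpdates } else { '(not set)' }
    # Last run of the scheduled task that applies the updates.
    $task = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $status.TaskLastRun = $task.LastRunTime
    $status.TaskLastResult = $task.LastTaskResult
    # Most recent event 1801 (the ID the post mentions) in the System log, if any.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $status.LastEvent1801 = if ($ev) { $ev.TimeCreated } else { $null }
    # Plain-language verdict following the thread's reasoning.
    $status.Verdict = if (-not $status.PK_Readable) {
        'No PK at all: KEK cannot be updated automatically; update PK and KEK per the Broadcom KB first'
    } elseif (-not $status.KEK_2023Present) { 'PK present, 2023 KEK still missing' }
    elseif (-not $status.DB_WindowsUefiCa2023Present) { 'KEK OK, DB not yet updated' }
    else { 'PK, KEK and DB carry the expected certificates' }
    [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```

The substring match only tells you a certificate with that subject is present in the variable, not that the signature lists are well-formed; for a full view, parse the EFI_SIGNATURE_LIST structures or compare against the Broadcom KB's expected contents.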
Hello iokdeda, we are coordinating with Broadcom to introduce support in Windows for updating the PK if the Windows OEM Devices PK is missing on Secure Boot- and vTPM-enabled vSphere VMs, thereby facilitating KEK updates.
For VMs created on ESX 9.x hosts, the Windows OEM Devices PK is already present. However, for VMs created on earlier ESX versions, this PK is missing. We are actively working with Broadcom on a solution, which will be enabled through future Windows updates and corresponding Broadcom patches.
- iokdeda, Apr 27, 2026, Occasional Reader
This is really good news!
Do you have any idea when we'll be able to get this support? It absolutely must arrive before the 2011 certificates expire, otherwise the automatic update process will fail, right?
- mihi, Apr 27, 2026, Brass Contributor
It does not matter much when the fix arrives. As long as it is unfixed, future LCUs will not be able to install DBX revocations (or add more certs to DB, but that will likely not happen before 2037). But as soon as it is remediated, the next installed LCU will again detect that the DBX is out of date and apply it again. You can also manually trigger a DBX update by setting AvailableUpdates to 0x0002 once you know that the issue is fixed and DBX updates are missing.
- Prabhakar_MSFT, Apr 27, 2026, Microsoft
We are working with Broadcom jointly to ensure the VMware VMs are unblocked with priority in a future Windows update. Note that certificate expiration does not impact updates to certificates. Failing to update the KEK before expiry will prevent future Secure Boot revocation updates. This does not prevent OS updates, nor does it affect installation of the certificates after expiry.