Event details
198 Comments
Are there any Updates regarding my Question: "Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?"
The last Answer from PrabhakarMSFT was: "...we are coordinating with Broadcom to bring support in Windows to update KEK on the ESXI VMs. If new VMs are created on latest versions on ESXI, VMs get created with new certificates. For pre-existing VMs, Microsoft is coordinating with Broadcom and will be enabled in the future update."FWIW I'm trying to get a conversation going over here on this: VMware by Broadcom Missing PK-signed KEK · Issue #369 · microsoft/secureboot_objects
I don't know who to bring into the conversation.
Intune's "Secure Boot Status" report has six columns. Five columns are sortable. The one column that can NOT be sorted is "Certificate Status". That seems like the most important column. I understand that we can export the data and sort within Excel, but it would be nice if we could sort by "Certificate Status" directly in Intune.
yes, at min sortable, preference would be also option to filter.
I have a large number of devices in storage, which are unlikely to be powered on before the end of June 2026. Once the devices are back on line after June 2026, will we still be able to update the certs after the appropriate bios and windows updates are installed?
Yes, the secure boot certificates will be updated when you (or the new device owner) install the next cumulative updates, or re-install a Windows version that has the updates included.
See The Secure Boot FAQ: https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818
Section 1 Q1: What happens if my device doesn’t get the new Secure Boot certificates before the old ones expire?
Section 2 Q8: If the Secure Boot certificates on my device are already expired, can I still receive updated certificates?
We have several devices without 2023 cert in default db where we expect to reset secure boot and reinstall past June 2026. I understand it's possible to install 2023 cert post June 2026, but will Windows Update automatically install 2023 cert past June 2026 since you won't get security updates for boot manager and secure boot via Windows Update past that date?
When performing the reinstall, make sure that you use an ISO that still uses the old boot manager (or it won't boot). As of now, all publicly available ISOs do that, so it depends on how many months/years after June 2026 it will be. As a result, the installed Windows version will also use the old boot manager, but will boot and get LCU without issues.
Once you have done so, the machine will not be different from a machine that has been installed in the past and has not been booted for months/years. So, the next available LCU update will run the Secure Boot scheduled task again and apply the certs. (Just like it will apply any pending Secure Boot DBX updates even if the updates came out mid-2025 and you did the reinstall in 2026)
