Event details
177 Comments
Hi, and thank you for your time and expertise. I use the MS Inventory/Dashboard for the update process. The Microsoft scripts for detection and aggregation currently work during initialization for a large number of devices. However, I have noticed that changes made to the device itself—such as enabling Secure-Boot or updating the firmware—are not recorded in the new device files (even after 2-3 days and multiple reboots). Are there any specific limitations from Microsoft that prevent the device files or dashboard from updating?
Is Secure Boot strictly needed on VMs? What happens with VMs with Secure Boot set as True and PK = null if nothing is done? And what about the case of TPM without secure boot over Windows 11?
What is the WinCS key and what is its exact purpose? What value triggers the updates?
Answered at 47::20
Is revoking the old 2011 certificate an action we would need to take, or would that be handled entirely by Microsoft? If Microsoft will handle it, do you know when that is expected to happen, 2026 or 2027?
In a vmware 8.x environment we can see null PKs and empty DBX from guest VMs with secure boot enabled. KEK and DB contain 2011 MS CA certificates.
What should I expect in this scenario?
Is the empty DBX correct?
Will this VMs automatically update the certificates?
With a null PK, the certificates cannot be automatically updated by the guest OS. If TPM is used, the certificates cannot be automatically updated by the firmware / virtualization solution.
For the empty DBX, you can push the DBX update via AvailableUpdates 0x0002 and check event log if it sticks.
In general, ask VmWare not Microsoft :)
When does Windows Boot Manager get swapped from 2011‑signed to 2023‑signed
On machines that have either Secure Boot disabled or already have 2023 certs, it got swapped when they installed Febuary 2026 LCU.
In other cases when the certs get applied by High Confidence or registry settings after that, the boot manager will get swapped after the next reboot after successful installation of the certificates.
We have very large Windows server environment and most of them are VM's running on vmWare platform. does this applicable to vm's also?
If the VMs are using Secure Boot, yes.
Are there any updates regarding ESXi VMs failing to install the KEK certificate? From research Broadcom and Microsoft were looking into this
Would there be any changes required in the WDAC policies since we have policy updated with anything to be allowed signed by the cert Microsoft Windows Production PCA 2011. So when this is going to be replaced with new PCA 2023 cert, should we update our WDAC policy with the new cert?
Answered at 54:45
If the devices don't have updated certificates after June 2026, will there be need to disable secure boot, so they to be able to boot?
