Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Feb 19, 2026
AMA
remco van der Lee's avatar
remco van der Lee
Copper Contributor
Apr 02, 2026

Can anybody confirm if its expected that i still get eventid 1795 for all our virtual machines in Azure?
I have dozens of VM's in Azure that have 1795 and none of them where updated succesfully. 

In my opinion the VM needs to retrieve the KEK from the host just like on onprem Hyperv. On hyperv its fixed in March with the latest CU. But how does does this translate to Azure. 

P.S.
The lack of proper communication and guidance for the whole secure boot update proces is infuriating. We were warned more then a year ago, we started everything on time from our side we but even in March/April 2026  there are still things missing with only 2 months to go. 

  • Arden_White's avatar
    Arden_White
    Icon for Microsoft rankMicrosoft
    Apr 03, 2026

    Hi Remco,

    There was a known issue in Hyper‑V where Secure Boot certificate updates could fail with Event ID 1795 when attempting to update KEK.

    This issue was resolved in Windows updates released on or after March 10, 2026, and is documented here:
    Known issues and resolutions for Secure Boot certificates updates

    In virtualized environments such as Hyper‑V Gen2 VMs and Azure VMs, Secure Boot variables are maintained by virtual firmware provided by the host platform. As a result, successful KEK enrollment depends on both:

    • guest OS support for authenticated updates, and
    • host platform support for accepting those updates

    Until both components are updated, Secure Boot KEK enrollment may fail, and Event 1795 may continue to be logged.

    Arden

    • remco van der Lee's avatar
      remco van der Lee
      Copper Contributor
      Apr 09, 2026

      Hi Arden,

      Thanks for the answer and the explanation. But what i'm really asking is... is there any information/timeline to verifiy when the hostservers in Azure are fully updated? Its out of my control.

      Now i constantly keep asking myself "Is the issue on my side or Microsoft side?" I think i've done everything correcty  on my side but if there isn't a place or timeline on your side,  where there is a message "All hosts on Azure are updated and can rollout the KEK cert" then i'm still crossing my fingers and hope everything works on time. Hope is not good guidance. 

      Where is the place that i can verifiy if the hosts in Azure are fully updated and can rollout secure boot updates succesfully? 

      • DennisJorgensen's avatar
        DennisJorgensen
        Copper Contributor
        Apr 09, 2026

        We have 1/3 of our Azure Server with the KEK problem, even after the March cumulative update. So we created a support case, and the response was this is a known issue, and a patch will be released in April. I also addressed more visibility about this, but can't see any documentation about this yet.