We have Windows Server VMs running on ESXi that are stuck in progressl available updates registry value  is 4004. 

VMs are fully patched, we've run through the Broadcom documented process to update the Platform Key which allows the KEK db to be updated, and the Dell host server has had the latest BIOS applied, which specifically references the secure boot certificate firmware update. 

The VM event logs state Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware; we've confirmed the hosts are running the latest BIOS/firmware version. 

2023 certificates are showing in the active DB but not in the default DB. How do we get this process to complete?

Q1. Is there a known bug for the GPO setting "Enable Secure Boot certificate deployment" on Windows Server 2025 servers? The registry key AvailableUpdatesPolicy is applied, but the value is never transferred to the AvailableUpdates key. No problem on Windows Server 2022, and servers are updated with the January 2026 cumulative update.

Q2. According to this link: https://github.com/microsoft/secureboot_objects/issues/318#issuecomment-3662004435 applying March 2026 cumulative updates would fix so that the "Microsoft Corporation KEK 2K CA 2023" certificate would be able to apply on HyperV. Is that fix for the Host or the Virtualized VMs with the issue?

Q3. Would the same update in Q2, also help on the Azure VMs, that also have issues with applying the "Microsoft Corporation KEK 2K CA 2023" certificate. Random VMs in Azure has problem with the KEK certificate.

Im testing the Intune policy to enable Enable Secureboot Certificate Updates and Configure Microsoft Update Managed Opt In, but I can see an error on both: 

The test device is a Windows 11 24h2 Enterprise.

I made a post earlier with a bunch of questions but seems the post is deleted (annoying because it took a lot of time)? Can someone pm me to tell me why? Maybe links to external sites (trusted partners I believe), PatchMyPC want to be clear before I post again what the issue is. 

Thank you. 

For devices that specifically require a firmware update, should we expect Windows Update to provide that firmware, or should we proactively start pushing firmware to those devices?  

We have a fleet of HP EliteBook 600 series, G9/G10/G11, and initial testing has all of them throwing Event ID 1802 in the System event log - 'The Secure Boot update Option ROM CA 2023 (DB) was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue.'

Updating the firmware on the devices in question allows the certificate update to complete, and we eventually get Event ID 1808 in the System event log.

tl;dr -Who is handling firmware updates?  Microsoft or individual customers?  If it's Microsoft, will these updates install as part of a monthly LCU?  Our organization currently blocks driver updates via Windows Update.

Hi, 

Question 1

I'd like to know when the report in Intune will be complete? You've got something in the works but no announcement on it or when it will be ready. Currently the report is not working properly (as can be expected by it not being complete), but time is moving closer to the deadline.

Info

https://patchmypc.com/blog/the-secure-boot-status-report-coming-soon-to-intune/

Link to report 

https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/securebootreport.reactview

Question 2

Will the report have more useful information than what is in their currently? I don't want to just see if it has the new cert or not, I want to see the steps I need to take, such as if a device does not have the certificate, is the bios up to date? This can be done to varying degrees via a custom compliance policy, but it is not easy for a few reasons.

1. Intune only allows you to use a custom compliance script for one policy, we have 30+ laptop models out there, all with different minimum bios versions. Can be done anyway by making duplicated scripts, but it is messy.
2. Different vendors report their bios versions into windows differently, Dell, Surface it is easy to make a version check because they report for example, Dell 5420 needs a minimum bios version of 1.31.0, so I can do a version check greater than or equal to against that, easy. Lenovo however name their firmware back like R1TET46W (v1.25), I can't do a version check against that and a string check would also not be helpful as the text characters change from version to version not just the version number.

Ideally, we want something that has the following in the report.

1. Is the device compliant fully, i.e. has a bios version that is current enough and has the keys / Intune policy set to start using them for windows.
2. If not, why not?
   1. Is it that the bios version is not up to date? If so, what is on the device, and what is the minimum version required from the vendor, something like "meets minimum bios revision, compliant or not compliant".
   2. If the bios is current, is it just that the keys are not set correctly so Windows knows to set the new secure boot certificate?
   3. What about devices that will never get bios updates because they are out of support? Can that information be presented in the report. 

Question 3

What are the actual impacts of devices which do not have everything completed by the time the deadline rolls around. 

Will they be unable to boot? Will we be unable to install fresh Windows, will it continue ticking away but be insecure i.e. someone could bypass secure boot if they had physical access to the device?

Question 4

This seems important enough that it should have a built in compliance policy in intune to check going forward if the certificate is valid and current. 

Thank you! :)

Three questions related to Secure Boot:

• When updating Secure Boot variables (like this db update but also on some older dbx updates), some older firmware has problems due to maximum variable size or size of variable store. UEFI exposes this information via RT:QueryVariableInfo, and when booting Linux, you can see by querying free space of efivarfs. Is there a way from Windows userspace (e.g. Powershell or a NTDLL exported function) to get this information? Max variable length, max variable store, remaining variable store.
• When applying the hardening measures for Black Lotus and adding SVN values to dbx, some older versions of bootmgfw.efi deny booting due to SVN mismatch. This is by design. BUT: When you boot from some recovery media that comes with its own loader that sets its own security protocol file authentication callback (like shim does), to use a fixed set of hashes, and bypasses DBX that way, and chainload this (whitelisted) bootmgfw.efi, the SVN values are still checked in DBX and deny booting. Is this by design? If yes, what is the preferred way to set up such media? Try to remove the signature from bootmgfw and patch the check out? Or use an old version of bootmgfw that does not check SVN yet (like one from 2017 I found on an old Win10 install disk)? Always having the latest bootmgfw on these media is not an option for us, and we'd like to apply the SVN hardenings for "normal" boots (not via this recovery media) if possible.
• The current certificate update will install the replacements for the Third Party EFI CA to DB only if the old Third Party EFI CA is included in DB. However, as Microsoft published signed variable updates for adding them to DB on every system that has the old KEK, nothing prevents an adversary from doing so. Is this taken into account when evaluating security implications of adding anything to DBX which is signed by these keys (nothing revoked yet, but in the future?). E.g. by applying these DBX updates when old KEK is in DB, even when new Third party EFI CA replacements are not there? Or by adding those replacements to DBX at a later stage if not present in DB?

I am aware you probably cannot answer them  by heart, therefore I'll give you a week advance notice :)

How dependent are we on FW updates by vendors? Does Microsoft expect most devices to need updates before cert updates can occur? Or do y'all anticipate most Tier 1 and 2 OEM devices to "just work"?

On my Azure Gen2 VM, Secure Boot reports True and the dbx entry is present with non‑volatile attributes:

• Secure Boot enabled: Confirm‑SecureBootUEFI → True
• DBX present: Get‑SecureBootUEFI -Name dbx showing active firmware data

Does this confirm that Secure Boot and the updated Secure Boot revocation list (DBX) have already been applied automatically through Windows Update or the underlying Azure platform firmware?

GOOD news:

It looks like all Windows 11 virtual machines running on Hyper-V in our environment successfully updated their certificates already back in early December. This, independently of their hosts, who have NOT (yet).

Karl-WE​ Does this apply to Windows Server VMs on Hyper-V as well?