Hello Microsoft Team,

We are reviewing Microsoft guidance regarding the expiration and replacement of older Secure Boot certificates and the updates required to maintain boot trust for Windows systems.

Our environment consists of Windows Server 2016, 2019, 2022, and planned 2025 virtual machines running on VMware vSphere 8 (ESXi 8). Some of these VMs were originally created many years ago and are still configured with very old VMware virtual hardware versions (for example, virtual hardware version 6), even though they are now hosted on modern ESXi hosts.

We would like clarification on how Microsoft’s Secure Boot certificate updates may affect this scenario.

Specifically:

1. Could Windows Server VMs running on legacy VMware virtual hardware versions (e.g., vHW6) encounter Secure Boot or boot trust issues as Microsoft retires older Secure Boot certificates?
2. Does Microsoft require any minimum virtual firmware or UEFI capabilities from the hypervisor or VM hardware version to properly support the updated Secure Boot trust chain?
3. From Microsoft’s standpoint, is upgrading the VMware virtual hardware version or changing the virtual firmware from BIOS to UEFI necessary to avoid potential boot failures after these certificate changes?
4. Are there known risks for older-generation VMs on VMware when applying future Windows updates related to Secure Boot trust, such as DB or DBX updates?

Our goal is to ensure our Windows Server VMs remain fully supported and do not encounter unexpected boot issues due to Secure Boot certificate lifecycle changes.

Thank you for your guidance.

Are there any reports in CM or Intune to find the certificates status as of today for all my computers?

You might have already covered this, but is there a way to update the wks if the deadline to update the certificate on host is missed? 

If a device's firmware is not updated before the expiration date, will we still be able to update the BIOS to get the new certificate?

Will the registry ever auto update to 0x5944? It currently is not an automatic update.

Do i Understand this correctly.  Event ID 1801 means that my device has the new Certs, but only at the OS level.    So that technically means my device has and is using the new Certs?  

BUT if i want the EXTRA peace of mind and avoidance of accidentally losing those certs due to someone changing something in BIOS, i need to fully bake them into BIOS via a Firmware update.  And that would give me an 1808 ID?  

So both IDs mean i have, and am using, the new Certs.  But one is more robust than the other?

Is it mandatory to get the BIOS updated to latest version on HPs we maintain? Will the policy still act on those devices though it has n-1 or lower version than the latest?

https://support.hp.com/us-en/document/ish_13070353-13070429-16

Is there an option to update to the new the Secureboot certificate before imaging a device manually (in WinPE), if its not yet there? Or do we have to image the device and wait for LCU to do the update?

Why system event ID 1808 getting generated every time while rebooting the servers if the CA 2023 applied to firmware already ? is this excepted behavior ? 

If I only set Configure Microsoft Update Managed Opt In to Enabled, is that enough for my managed devices to install the cert updates when Microsoft deems it safe to do or do I also need to set Enable Secure Boot Certificate Updates to Enabled simultaneously? It seems like the Enable Secure Boot Certificate Updates setting will start the process immediately.