Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!

How do I participate?

Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast

Get started with these helpful resources

Pearl-Angeles
Updated Apr 21, 2026
AMA

275 Comments

Show More
  • JamesEpp's avatar
    JamesEpp
    Iron Contributor
    Feb 25, 2026

    I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

    I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

    ---

    The trust anchor for secure boot is the PK. Do PKs expire? Has a PK's private key ever been leaked (do we have precedence for such a horrifying possibility)? How do vendors update their PKs (if that's possible)? Can you have multiple PKs (to service replacements with minimal disruption)?

     

  • Sugmuffen's avatar
    Sugmuffen
    Copper Contributor
    Feb 25, 2026

    So we have 2500 VMware VMs, where we have checked with this code:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    We also have a similar line of code that checks the KEK, they both are returning true.
    But we have NOT flipped the registry key specified by Microsoft to 0x5944 and hence the status says NotStarted. In our case above, with the VMware VMs, do we need to actually flip that registry key, that iniates the process or are we good to go as it is?

    /Patrick

    • Prabhakar_MSFT's avatar
      Prabhakar_MSFT
      Icon for Microsoft rankMicrosoft
      Mar 12, 2026

      If devices have both Windows UEFI CA 2023 and KEK CA 2023, then certificates are already updated.  Likely the VM was created on latest version of VSphere software that creates VMs with updated certificates.   UEFICAStatus shows Not Started because Boot manager is not yet updated.  To update Windows Boot manager to new 2023 certificate signed version, Set AvailableUpdtes registry key to 0x5944 and execute "Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update".  This should change the status to either updated or In Progress.   If status shows "InProgress", reboot the server and rerun the task to get the update completed.

    • JamesEpp's avatar
      JamesEpp
      Iron Contributor
      Feb 25, 2026

      IMO your question (and it's a good one) is not unique to vSphere. There's no good way (that I'm aware of) via registry or TPM-WMI event IDs to tell whether a machine already installed the latest UEFI/SB keys successfully xor always had the 2023 keys and hence never needed to take any action.

      To not risk getting shadowed for posting a link, you may want to look up Broadcom knowledge base article 421593.

      • Sugmuffen's avatar
        Sugmuffen
        Copper Contributor
        Feb 25, 2026

        We have taken exactly that approach (deleting the .nvram file and rebooting, which in Vcenters with version 8.0.2 or higher has provided us with the "true" results mentioned. The registry key and it's associated scheduled task is somewhat doubtful if it is needed at all in the case of our VMs.