Questions for Tomorrow’s Live Event / Or Anytime:

We’re testing the certificate updates on our servers within our vSphere environment. We seem to have a functioning certificate update process? However, we are not clear on some things and have some questions – especially when it comes to Broadcom/VMware.

For reference, we’re on vSphere 8 U3 with virtual hardware level at 21 (the current release). Our VMTools versions are also fully up to date (if that matters). We’re running Server 2019, Server 2022, and Server 2025. Here is the process we are testing right now:

1 - We rename the VM’s NVRAM file in vSphere. (Note that we have some important vSphere questions about this below).

2 - After that, we configure the AvailableUpdates = 0x5944 key, per the various forms of Microsoft documentation.

3 -We then manually run the Secure Boot Update scheduled task to start the update process using this command:

         Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

         We then wait about 30 seconds and reboot.

4 - After the reboot, we manually run the above-mentioned scheduled task again.

5 - We wait a few minutes, and then when looking in the Secure Boot registry keys, we most often see the UEFICA2023Status return as “Updated” and WindowsUEFICA2023Capable returns 2.

HOWEVER - on the Server 2019 OS, while UEFICA2023Status shows “Updated”, the WindowsUEFICA2023Capable value comes back as 0. Despite that, when we run the verification command - ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)) -match "Windows UEFI CA 2023" - it still returns “True”.

Should we be concerned about the WindowsUEFICA2023Capable = 0 result on server 2019 if the above-mentioned database check command allegedly confirms that the device is currently using the 2023 Secure Boot certificate?

Also, VMware has not yet released an updated virtual hardware/BIOS package for this issue (only manual steps). We are not sure it matters. Do we need to worry about the virtual hardware/Bios update offered by VMware if we’re already seeing the “Updated”/WindowsUEFICA2023Capable =2 results we’re getting now within the registry? From a compliance perspective, does this mean we’re covered? For that matter, do we even need to rename the NVRAM File?

Finally, we’ve noticed that on some of our Server 2025 systems, even when the certificates updates itself successfully, the Secure Boot scheduled task fails with a “file not found” error. Is there a way to correct this? It appears to be a built‑in, “solid‑state” task. We are not sure how to address this.

Thanks

Hi Arden_White​ 
today i updated an tested Hyper-V VM (Version 9) Server 2022 DC. 0x5944->0x4004

i checked "C:\Windows\System32\SecureBootUpdates\BucketConfidenceData.cab" and then the Microsoft.json which lists my VMs BucketHash in the Section:
"Under Observation - More Data Needed": [

Any Info Regarding Servers, would like to hear more about it (tomorrow) last month it was said it should be fixed in March.

Just updated my HyperV host, only seeing preview updates available for Windows 11 24H2, I updated to 25H2, and do not see any updates from March showing up yet, checking in my SCCM Lab environment and still only see February updates so far... forcing a synch to see what else shows up.

1. In a situation where the KEK certificate does expire can we get a clearer idea as to the actual impact? It’s stated that new binaries will not be accepted into the authorized signature database however older previously signed binaries will still be trusted. This confuses me, because the wording of the boot process in regards to secure boot certificates implies that the signatures of trusted binaries is checked every single time.
2. Products that use kernel level drivers rely on WHQL microsoft signed drivers that appear to be reliant on the secure boot certificate chain. What is the impact to these tools if the primary KEK certificate is expired?
3. What is the status from Microsofts perspective on ongoing efforts with OEMs (i.e. VMWare) to figure out automation of PK certificate rollouts?

I've done all of the same procedures on my Hyper-V guest Windows 2022 servers I did to my workstations but the certificates are not updating fully.  I get a 1799 but no 1808.

Are we still awaiting patches for this from Microsoft?

EDIT:  March cumulative on the host and working on guests now.   All of them are getting certs now.

If we're doing baremetal OS deployment using ConfigMgr or other solutions, what needs to be done so newly imaged workstations immediately contain the new secure boot certificates? I'm using the Windows 11 25H2 Enterprise image from the Microsoft VLSC updated with the 2026-02 updates (KB5077181) and no other modifications. I'm imaging a Dell system running the latest BIOS version. After imaging, I still get event ID 1801 indicating "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware."

Hello,

I'm looking for some additional clarity regarding the HighConfidenceOptOut registry key. Specifically, if I want to fully manage the Secure Boot certificate rollout in my environment, do I need to ensure that both the AvailableUpdates and HighConfidenceOptOut registry keys are configured (0 and 1, respectively) to prevent automatic certificate deployment?

Note: Our environment leverages SCCM/WSUS for device management and patching, we do not leverage Windows Update/Autopatch for patch deployments

My understanding is based on the documentation:

AvailableUpdates

0 or not set - No Secure Boot key update are performed.

We already have AvailableUpdates configured with a value of 0. However, we currently do not have the HighConfidenceOptOut key configured.

HighConfidenceOptOut

An opt-out option for enterprises that want to prevent automatic application of high-confidence buckets delivered as part of the LCU.

0 or key does not exist – Opt in
1 – Opt out

After installing the February Cumulative Update (KB5075941), a subset of devices in my environment automatically installed the updated certificates, even though AvailableUpdates is set to 0. My assumption was that this key alone would prevent any automatic certificate updates, regardless of the HighConfidenceOptOut setting. Given what I'm seeing, I may be mistaken.

I also saw in the KB5075941 release notes that new Secure Boot changes were introduced, but again, my expectation was that configuring AvailableUpdates = 0 would block any automatic updates.

Could you clarify whether both keys are required to fully prevent automatic certificate deployment?

Thank you.

Let's say I have a 2024 HP ProBook Laptop with 2026 latest BIOS update, AD DS joined, with Windows Update activated with basic GPO settings (drivers and quality included).

No telemetry , no diagnostics sent to MS, no Intune.

If I let things go without interfering, when does this laptop will get certificates update from Windows Update ?

Will the update sent from Windows Update will create the scheduled task and run it every 12h ?

Thanks

​ ​ Arden_White​ 

Can you please let us know when the Intune Error Code 65000 issue is expected to be fixed? I've seen this still across multiple tenants but there's been no update to guidance around resolution date. If there's been a delay, can you please let us know? The official doc says "this issue will be resolved for all devices by February 27, 2026." Thanks! 

Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?

The solution from the article https://knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html is unfortunately no longer available (upgrading the hardware version and deleting/renaming the .nvram file).

This article https://knowledge.broadcom.com/external/article?articleNumber=423893 states:
"There is no automated resolution available at this time. In coordination with Microsoft, Broadcom Engineering Team is actively working towards implementing an automated solution in a future release to update the Platform Key (PK) on the affected VMs, which will facilitate the certificate rollout as outlined in the Microsoft Guideline."