With the June 2026 Secure Boot certificate expiration/change, could Microsoft clarify how Azure IaaS VMs differ from other virtualized platforms such as VMware or Nutanix from an operational responsibility perspective?

Specifically for Windows Server and Linux Server guest OS workloads (not Windows 10/11 clients):

• Since the Azure hypervisor/host layer is fully managed by Microsoft, what actions are customers still expected to take inside the guest OS to prepare for June 2026?
• Are normal OS patching processes sufficient, or are there additional manual steps required for Azure Gen1/Gen2 VMs?
• Will Azure automatically handle any UEFI/firmware-level certificate updates on the platform side, or is all certificate preparation expected to occur within the guest OS boot chain?
• Are there differences in expectations between Trusted Launch / Secure Boot enabled VMs and VMs where Secure Boot is currently disabled?

We are particularly interested in best practices for enterprise server workloads such as SAP, infrastructure servers, and other long-lived Azure VMs.