Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
114 Comments
- TS100 (Occasional Reader)
What do I need to do for physical servers, VMware VMs, AWS EC2s? Is it all the same set of hoops to jump through, or are there specific things needed dependent on environment?
- SuperIT (Copper Contributor)
What can you do if the clients are in the "InProgress" state in the SecBootCert Info?
- Expendabubble (Copper Contributor)
MS usually pushes firmware updates via Windows Update. Why not in this scenario?
- mihi (Brass Contributor)
They do, they do. (If vendor asks them to).
- jad (Copper Contributor)
How to achieve "UEFICA2023Status=Updated" for OS (re)deployment/re-image scenarios? I've tested on a device with latest firmware, all 2023 certs are reflected in active/default secure boot DBs but boot manager is still PCA2011 signed and registry reflects 0x0/NotStarted. Same with OS media updated per 5053484 (Updating Windows bootable media to use the PCA2023 signed boot manager).
- DBrook (Copper Contributor)
Can I ask when in June I need to update by? There doesn't seem to be a specified date. Thanks
- LukeWeightman (Copper Contributor)
So if the DB shows the following (Dell machines in our environment):
SecureBootDB=Dell Bios DB Key; Dell Bios FW Aux Authority 2018; Microsoft Windows Production PCA 2011; Windows UEFI CA 2023
SecureBootKEK=Dell Inc. Key Exchange Key; Microsoft Corporation KEK CA 2011; Microsoft Corporation KEK 2K CA 2023
Does that mean it's successful and we don't need to do anything more?
- EirikJohnsen (Copper Contributor)
Just a couple of questions:
On the question of AVD machines, we have hosts showing as non-compliant for the Secure Boot 2023 certificate update. The machines are Gen 2 VMs with Secure Boot disabled, no TPM, running on Hyper-V UEFI.
For AVD hosts where Secure Boot is disabled and there is no TPM (i.e. not using Trusted Launch), do we actually need to take any action before June 2026, or are these machines effectively out of scope for this update?
Thanks!
- Bhanu2027 (Copper Contributor)
Windows Server 2019 VM: DB entries (Windows & Microsoft UEFI CA 2023) updated successfully, but KEK still shows Microsoft KEK CA 2011. In VM (ESXi), should KEK be updated at hypervisor/firmware level or from inside Windows OS?
Could you please clarify?
- IvanCardim (Microsoft)
To ensure newly created VMs have the new certificates it needs to be updated at the hypervisor level.
For existing VMs you need to update from inside the Windows OS.
- Dan H (Copper Contributor)
I noticed that on some devices, if I am receiving FALSE when running "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'", and I then download the UEFIv2 PowerShell module and run Get-UEFISecureBootCerts, I can see the 2023 certs. I assume that the firmware on most of those devices should switch the certificate, and there is a 90% chance that those devices need no action even though the default query does not show those certificates?
- BryanO (Copper Contributor)
What is the 'source of truth' logic to confirm the update is final? UEFICA2023Status = Updated AND WindowsUEFICA2023Capable = 2, or can one be that value and the other not? Or is there a whole other value somewhere we should be checking?
Will machines fail to boot entirely or enter weakened security posture if updates are not applied? What will end users experience if the whole process isn't completed in time for the expiration? Errors/warnings?
What is the procedure for Hyper-V VMs? Do they have different indicators than physical machines or is the process similar?
- mihi (Brass Contributor)
- Only check for UEFICA2023Status. Don't look at the old WindowsUEFICA2023Capable key.
- Machines will continue to boot, you won't receive any more bootloader revocations after June. In case the machine is not managed (or GPO allows), Security Center will show a red warning that can be dismissed forever.
- Hyper-V VMs (Gen2) just behave like physical machines. Updating certificates is independent from updating the certificates on the host.
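The checks discussed in Dan H's and BryanO's questions and mihi's reply, pulled together into one script. This is an added example, not code from the thread or from Microsoft; it assumes the servicing status values live under the HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing key and that the certificate subject strings match the ones quoted in the thread.

```powershell
# Added example: summarise the Secure Boot 2023 certificate state of one Windows device.
# Run from an elevated PowerShell session on a UEFI device (Get-SecureBootUEFI needs admin).
# Assumption: the servicing values UEFICA2023Status / WindowsUEFICA2023Capable are stored
# under this key; adjust the path if your build differs.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-SecureBootVar {
    # Returns $true when the UEFI variable (db or KEK) contains the given certificate name.
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    } catch {
        return $false   # legacy BIOS, Secure Boot unsupported, or not elevated
    }
    # Certificate subjects are ASCII inside the EFI_SIGNATURE_LIST blobs, so a
    # substring match is enough to tell whether a given CA is present.
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
}

function Get-SecureBoot2023State {
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { }   # throws when Secure Boot is unsupported
    $servicing = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled        = $enabled
        DbHasWindowsUefiCA2023   = Test-SecureBootVar -Name 'db'  -Pattern 'Windows UEFI CA 2023'
        DbHasMicrosoftUefiCA2023 = Test-SecureBootVar -Name 'db'  -Pattern 'Microsoft UEFI CA 2023'
        KekHas2023               = Test-SecureBootVar -Name 'KEK' -Pattern 'Microsoft Corporation KEK 2K CA 2023'
        UEFICA2023Status         = $servicing.UEFICA2023Status
        WindowsUEFICA2023Capable = $servicing.WindowsUEFICA2023Capable
    }
}

$state = Get-SecureBoot2023State
$state | Format-List

# As mihi notes above, UEFICA2023Status is the value to act on; the db/KEK flags only
# explain which certificates are already present when servicing has not finished.
if (-not $state.SecureBootEnabled) {
    'Secure Boot is disabled: db/KEK contents are not enforced on this device.'
} elseif ($state.UEFICA2023Status -eq 'Updated') {
    'Servicing reports Updated; no further action indicated by the registry.'
} else {
    'Servicing not complete; see the db/KEK flags above for which 2023 certificates are already present.'
}
```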