Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization: we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
114 Comments
- Bhanu2027 (Copper Contributor)
Windows Server 2019 VM: DB entries (Windows & Microsoft UEFI CA 2023) updated successfully, but KEK still shows Microsoft KEK CA 2011. In VM (ESXi), should KEK be updated at hypervisor/firmware level or from inside Windows OS?
Could you please clarify?
- IvanCardim (Microsoft)
To ensure newly created VMs have the new certificates it needs to be updated at the hypervisor level.
For existing VMs you need to update from inside the Windows OS.
- Dan H (Copper Contributor)
I noticed that on some devices, if I am receiving FALSE when running "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'", then if I download the UEFIv2 PowerShell module and run Get-UEFISecureBootCerts I can see the 2023 certs. I assume that the firmware on most of those devices should switch the certificate, and there is a 90% chance that those devices need no action even though the default query does not show those certificates?
- BryanO (Copper Contributor)
What is the 'source of truth' logic to confirm the update is final? UEFICA2023Status = Updated AND WindowsUEFICA2023Capable = 2, or can one have that value and the other not? Or is there a whole other value somewhere we should be checking?
Will machines fail to boot entirely or enter weakened security posture if updates are not applied? What will end users experience if the whole process isn't completed in time for the expiration? Errors/warnings?
What is the procedure for Hyper-V VMs? Do they have different indicators than physical machines or is the process similar?
- mihi (Brass Contributor)
- Only check for UEFICA2023Status. Don't look at the old WindowsUEFICA2023Capable key.
- Machines will continue to boot, you won't receive any more bootloader revocations after June. In case the machine is not managed (or GPO allows), Security Center will show a red warning that can be dismissed forever.
- Hyper-V VMs (Gen2) just behave like physical machines. Updating certificates in the VM is independent of updating the certificates on the host.
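The check Dan H runs against the db variable and the UEFICA2023Status key mihi points to, combined into one script. This is an added example, not code posted in the thread or shipped by Microsoft. Instead of string-matching the raw variable bytes it walks the EFI_SIGNATURE_LIST structures in db and KEK and reads each X.509 entry's subject, then reads the Secure Boot servicing registry key. The function names are mine; the certificate subjects (CN values) and registry paths are those published in Microsoft's Secure Boot certificate guidance. Run it from an elevated PowerShell prompt on a UEFI system with Secure Boot enabled.

```powershell
# Added example (not from the original thread): enumerate the X.509 certificates in the
# Secure Boot db and KEK variables, check for the 2023 CAs, and report the servicing status.
# Requires an elevated prompt on a UEFI system with Secure Boot enabled.

# EFI_CERT_X509_GUID: signature lists of this type carry DER-encoded certificates (UEFI spec).
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    # Walk the EFI_SIGNATURE_LIST entries of a Secure Boot variable and return an
    # X509Certificate2 for every X.509 entry found (other list types, e.g. SHA-256 hashes, are skipped).
    param([Parameter(Mandatory)][ValidateSet('db', 'kek')][string]$Name)

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize (4) + SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }   # malformed list: stop rather than read past the buffer

        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($sigSize -gt 16 -and $pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBoot2023Status {
    # Subjects are matched on their CN prefix; the full subject also carries O= and C= RDNs.
    $db  = @(Get-SecureBootCertificate -Name db  | ForEach-Object Subject)
    $kek = @(Get-SecureBootCertificate -Name kek | ForEach-Object Subject)

    # Servicing key written by the Windows Secure Boot update task (values per Microsoft's guidance).
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DbSubjects                  = $db
        KekSubjects                 = $kek
        WindowsUEFICA2023InDb       = [bool]($db  -match '^CN=Windows UEFI CA 2023')
        MicrosoftUEFICA2023InDb     = [bool]($db  -match '^CN=Microsoft UEFI CA 2023')
        OptionRomUEFICA2023InDb     = [bool]($db  -match '^CN=Microsoft Option ROM UEFI CA 2023')
        KEK2KCA2023InKek            = [bool]($kek -match '^CN=Microsoft Corporation KEK 2K CA 2023')
        UEFICA2023Status            = $servicing.UEFICA2023Status          # "Not Started", "In Progress" or "Updated"
        UEFICA2023Error             = if ($servicing.UEFICA2023Error -is [int]) { '0x{0:X8}' -f $servicing.UEFICA2023Error } else { $servicing.UEFICA2023Error }
        AvailableUpdates            = if ($servicing.AvailableUpdates -is [int]) { '0x{0:X4}' -f $servicing.AvailableUpdates } else { $servicing.AvailableUpdates }
    }
}

Get-SecureBoot2023Status | Format-List
```

The four boolean fields show what the firmware actually holds; UEFICA2023Status shows what Windows believes it has completed. A device where the booleans are all true but UEFICA2023Status is not yet "Updated" (or the reverse) is exactly the case worth raising, since the two are maintained by different components. The parser stops at the first malformed list instead of reading past the buffer, so a truncated variable yields fewer certificates rather than an exception.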
- Dan H (Copper Contributor)
The Microsoft Secure Boot FAQs mention that Secure Boot devices that do not get updated should continue to start and run normally after June 25th, 2026, but do you have any idea whether the UEFI in some servers will start prompting about certificate expiration, etc., after reboots? I am not sure if that UEFI behavior is known, but it would cause us issues.
- mihi (Brass Contributor)
There is no such thing to be expected. Some vendor software running within Windows may of course warn about it (like they do for not applied cumulative updates), but the UEFI itself is not expected to alter the boot process in any way (this includes requiring more or fewer F1 keystrokes) after the certificates expired.
But as said in the AMA, if you have any fears, test it. Take a test machine that you can reboot and mess with, adjust the hardware clock, and see whether it still boots as before. I would bet it does.
- KevHal2120 (Copper Contributor)
AVD Session Hosts in Azure, have done all the relevant registry settings and UEFICA2023Status is in progress. WindowsUEFICA2023Capable is 2.
UEFICA2023Error = 0x80070005 (Access Denied)
It does not complete fully; AvailableUpdates is 4004 and it states KEKLastUpdateErrorReason: Firmware_Unknown. It is doing this for quite a few clients. Are there further steps to follow? ConfidenceLevel is still Under Observation. We have set ManagedOptIn to 1; it has been set for the last couple of months.
- UserA1 (Occasional Reader)
Will Microsoft Surface Go 2 devices be getting firmware and 2023 certificates updates?
- ZaheerAI (Copper Contributor)
I think Microsoft should have held some joint sessions with HP, Dell and Lenovo for example so enterprises could ask questions from the hardware manufacturer side also.
- ZaheerAI (Copper Contributor)
We have Microsoft Cloud PCs, and over 100 of those are still showing as In Progress even though they have been rebooted several times and already have the April CU installed.
What troubleshooting steps do we need to take to look at these in the event log ?
We are also seeing Cloud PCs as Unknown, as if no information is being sent to Microsoft.
- SimoneTac (Copper Contributor)
As indicated by our OEM, we're updating the firmware on all devices that have an older version not including the 2023 certs before assigning the Intune Secure Boot CSP.
But the firmware update process is complex, long and it can't be done by June 2026.
Different sources suggest NOT adding devices with older firmware (without the 2023 certs) to the CSP configuration. Is this true?
Also, the majority of devices, even with updated firmware, are still in the "Under observation" confidence level bucket. We haven't seen it change with the latest CUs. Since this is the May CU, can we expect that confidence levels will continue to be updated during the rest of the year, even after June?
In general, what are the guidelines before June? Use the Intune CSP only on devices with updated firmware, or add as many devices as possible and trust the Confidence Level check?
- wishstar (Copper Contributor)
In Japan, we have PCs all over the country, so if all the PCs could not start up, the survival of the business would be in jeopardy. There are currently 11 devices that have adopted ESU. I haven't applied the recent QU yet, but wouldn't it be a good idea to apply only the monthly cumulative updates from now on?