Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Feb 12, 2026
MoazzemHossain-TBBD
Jan 28, 2026
Copper Contributor
On my Azure Gen2 VM, Secure Boot reports True and the dbx entry is present with non-volatile attributes:
- Secure Boot enabled: Confirm-SecureBootUEFI → True
- DBX present: Get-SecureBootUEFI -Name dbx showing active firmware data
Does this confirm that Secure Boot and the updated Secure Boot revocation list (DBX) have already been applied automatically through Windows Update or the underlying Azure platform firmware?
- Arden_White, Feb 06, 2026
Microsoft
For newly created VMs, the virtualized firmware should already have the new certificates in the DB and KEK. The DBX is the disallow list. I don't know what comes in the DBX on a new VM. For long running VMs (multiple years), the VM may not have the new certificates.
If you want to know if the VM is running with the new certificates and the 2023 signed boot manager, you can look at the UEFICA2023Status registry key. It should say Updated.
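
The check described in the reply above, as an added PowerShell example that is not part of the original thread and is not Microsoft's own script. It separates "Secure Boot is on" from "the 2023 certificates are in the DB and KEK and UEFICA2023Status says Updated". Assumptions: the registry key path and the two certificate names searched for are not given on this page and should be verified against Microsoft's Secure Boot guidance; `Test-UefiVarContains` is a hypothetical helper name.

```powershell
# Added example: run in an elevated PowerShell session on the VM.
# ASSUMPTION: the thread names only the value UEFICA2023Status; this key path
# is assumed from Microsoft's Secure Boot servicing guidance. Verify before use.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

# ASSUMPTION: certificate names to look for in each firmware variable.
$Expected = @{
    db  = 'Windows UEFI CA 2023'
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
}

# Hypothetical helper: $true/$false if the variable was read, $null if it could not be.
function Test-UefiVarContains {
    param([string]$Name, [string]$Text)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # not UEFI, not elevated, or variable absent
    }
    # Certificate subject names appear as ASCII text inside the signature list.
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Text)
}

# Confirm-SecureBootUEFI throws on unsupported platforms, so treat that as "off".
$secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

# Servicing status written by Windows; absent on devices that never started the update.
$status = (Get-ItemProperty -Path $ServicingKey -Name UEFICA2023Status `
            -ErrorAction SilentlyContinue).UEFICA2023Status

$result = [pscustomobject]@{
    SecureBootEnabled = $secureBoot
    DbHas2023Cert     = Test-UefiVarContains -Name db  -Text $Expected.db
    KekHas2023Cert    = Test-UefiVarContains -Name KEK -Text $Expected.KEK
    UEFICA2023Status  = if ($status) { $status } else { '(value not present)' }
}
$result | Format-List

# A populated dbx alone proves nothing about the 2023 certificates:
# every condition below has to hold.
if ($result.SecureBootEnabled -and $result.DbHas2023Cert -and
    $result.KekHas2023Cert -and $status -eq 'Updated') {
    'Result: 2023 certificates present and UEFICA2023Status is Updated.'
} else {
    'Result: not fully updated. Review the fields above.'
}
```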