Q1. Is there a known bug for the GPO setting "Enable Secure Boot certificate deployment" on Windows Server 2025 servers? The registry key AvailableUpdatesPolicy is applied, but the value is never transferred to the AvailableUpdates key. No problem on Windows Server 2022, and servers are updated with the January 2026 cumulative update.
Q2. According to this link: https://github.com/microsoft/secureboot_objects/issues/318#issuecomment-3662004435 applying the March 2026 cumulative updates would fix the issue so that the "Microsoft Corporation KEK 2K CA 2023" certificate could be applied on Hyper-V. Is that fix for the host or for the virtualized VMs that have the issue?
Q3. Would the same update from Q2 also help on Azure VMs, which also have issues applying the "Microsoft Corporation KEK 2K CA 2023" certificate? Random VMs in Azure have problems with the KEK certificate.
- mihi, Feb 02, 2026, Copper Contributor
For Q2, you'd need to apply it to the host. (By the way, that they target the March update does not necessarily mean that it will make it.) Apart from that, the known workarounds work without any host updates (if the host is on a recent patch level):
- Create a new VM and attach the virtual disks to it. That new VM will have the new KEK by default. Be careful with suspending BitLocker etc. if you use a TPM.
- Change the Secure Boot Template in the VM settings twice (back to the original) while the VM is powered off. This will not work (it raises an error message) if you ever had a TPM attached to the VM.
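To check the two conditions the thread is about from inside a server or VM, the PowerShell below (an added example, not code from the original post or from Microsoft) reads the Secure Boot servicing registry values and inspects the live KEK variable. It serves Q1 (has `AvailableUpdatesPolicy` actually been copied into `AvailableUpdates`?) and Q2/Q3 (is the "Microsoft Corporation KEK 2K CA 2023" certificate already enrolled in this guest?). The registry path `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing`, the `UEFICA2023Status` value name and the scheduled task name `\Microsoft\Windows\PI\Secure-Boot-Update` are assumptions taken from Microsoft's Secure Boot servicing documentation; run it in an elevated session on a UEFI system with Secure Boot enabled, and verify those names against the documentation for your build.

```powershell
# Added example: report Secure Boot servicing state and 2023 KEK enrollment.
# Assumed registry location (from Microsoft's Secure Boot servicing docs).
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent
}

function Format-Dword {
    param($Value)
    if ($null -eq $Value) { '<absent>' } else { '0x{0:X8}' -f [uint32]$Value }
}

# --- Q1: did the GPO-written policy value propagate to AvailableUpdates? ---
$policy  = Get-RegValueOrNull -Path $servicing -Name 'AvailableUpdatesPolicy'
$applied = Get-RegValueOrNull -Path $servicing -Name 'AvailableUpdates'
$status  = Get-RegValueOrNull -Path $servicing -Name 'UEFICA2023Status'   # assumed name

'AvailableUpdatesPolicy : {0}' -f (Format-Dword $policy)
'AvailableUpdates       : {0}' -f (Format-Dword $applied)
'UEFICA2023Status       : {0}' -f ($(if ($null -eq $status) { '<absent>' } else { $status }))

if ($null -ne $policy -and ($null -eq $applied -or $applied -ne $policy)) {
    Write-Warning 'Policy value is set but AvailableUpdates does not match it: propagation has not happened (the symptom described in Q1).'
}

# The servicing scheduled task (assumed name) is what picks the value up; show
# when it last ran so a stuck task can be told apart from a GPO that never applied.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    'Secure-Boot-Update task : state={0} lastRun={1} lastResult=0x{2:X}' -f $task.State, $info.LastRunTime, $info.LastTaskResult
} else {
    Write-Warning 'Secure-Boot-Update scheduled task not found (name assumed; check your build).'
}

# --- Q2/Q3: is the 2023 KEK CA present in the firmware KEK variable? ---
# The DER-encoded certificates carry their subject name as plain text, so a
# substring search over the raw variable bytes is enough to spot the CA.
try {
    $kekBytes = (Get-SecureBootUEFI -Name KEK -ErrorAction Stop).Bytes
    $kekText  = [System.Text.Encoding]::ASCII.GetString($kekBytes)
    $has2023  = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'
    $has2011  = $kekText -match 'Microsoft Corporation KEK CA 2011'
    'KEK contains 2011 CA   : {0}' -f $has2011
    'KEK contains 2023 CA   : {0}' -f $has2023
    if (-not $has2023) {
        Write-Warning 'The 2023 KEK CA is not enrolled in this VM/host yet (the condition discussed in Q2/Q3).'
    }
} catch {
    Write-Warning "Could not read the KEK variable (needs elevation, UEFI and Secure Boot): $_"
}
```

On a Hyper-V guest the KEK read reflects the virtual firmware's NVRAM, which is why the reply's workarounds (a freshly created VM, or toggling the Secure Boot template while powered off) change the result while a host-only update does not until the guest's variables are rewritten. Use the output to decide per machine whether it is the policy propagation (Q1) or the KEK enrollment (Q2/Q3) that is failing, rather than inferring it from the cumulative-update level alone.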